HIPAA sets the standards for the protection of PHI (Private Health Information) and ePHI belonging to those people who receive medical care from your business. So, if you are:
- A covered healthcare provider like a hospital or individual medial practitioner
- A business associate of these providers (including the private sector or 3rd party administrator)
- A healthcare clearing house
Additionally to this, if you transmit the information of those in your care digitally, or transmit digital information about those in your care, then you are required to become HIPAA compliant.
Any company dealing with protected health information is required by HIPAA to make sure that security measures are in place for every record kept, from physical copies, to network and digital copies. HIPAA also extends to the processing of information, requiring measures to be taken to ensure that even during administration, the privacy of information is maintained.
The penalties for violating HIPAA are severe, ranging from $100 to $50,000 per violation, up to maximum of $1,500,000 a year with the threat of criminal charges also present. Not something which you and your business want to get mixed up with. But follow this checklist below and you should be well on your way to becoming HIPAA compliant
How to Ensure Compliance
1. Know the Most Common Breaches
When implementing policies like HIPAA, it is often best to begin by investigating where these breaches commonly occur. In the case of HIPAA, common breaches include:
- Unencrypted Data
- Employee Error
- Data being stored on unauthorized and/or unencrypted devices
- Non-compliant business associates
- Slow notification
Keep these breaches in mind when you begin to implement HIPAA and you’ll be a long way to becoming compliant.
2. Limit physical access to private information
You can do this by implementing limits to who is able to see copies of private information and making sure that the information is contained within areas that require authorization. On a business network, this is just a case of assigning the right permissions. It is also required that you have policies about the moving and disposal of PHI and ePHI.
3. Limit digital access to private information
With online data it is slightly more complicated to become HIPAA compliant. You are required to set up authorized access to digital files and also implement policies about work-station access. A strong access control policy includes:
- Unique user ID’s
- Strong passwords and use policies
- Emergency Access Procedures
- Encryption of files
- Automatic Logging off on work stations.
- Integrity controls (to ensure that information is not altered or destroyed)
4. Use a HIPAA compliant hosting service
There are many services which specialize in HIPAA compliance. This could save you a lot of time when implementing compliance into your business. Some of the benefits include:
- High-tech data centers – these come with the added benefit of IT support, should something go wrong
- No need to implement a new IT infrastructure
- Cheaper than building your own data center
- Risk Assessments
5. Risk Assessments
It’s not enough to say that you are HIPAA compliant, you have to prove it. Be sure to document your activities to show that you are not neglecting your compliance to HIPAA. Documentation is key, it not only offers proof that you are following HIPAA guidelines, but also offers you and your staff a reference point if something unusual happens. Furthermore, if you clearly document the location of all of your data then it becomes infinitely easier to locate and access that data when it’s required down the line.
6. Put a Plan in Place
Establishing some kind of system for following up on reports, renewing staff training, reviewing documentation and everything else that is required of an HIPAA compliant business is essential if you wish to avoid headaches in the future. By returning to and reviewing the systems which you put in place, over time you will find not only problems which must be fixed, but also ways in which your system can be improved and made more efficient.
7. Train Your Staff Well
While all HIPAA information is available on the U.S. Department of Health & Human Services website, there are also many qualified companies who will take your staff through HIPAA requirements, ensuring that no essential information falls through the cracks. You’re only as strong as your weakest link, so ensure that all of your staff are absolutely clear on the requirements for PHI protection.
This list is by no means the be-all and end-all of HIPAA compliance, but if you keep referencing back to this checklist on your path to compliance, you should be well on your way to completion. The most important thing to remember however, is that HIPAA is constantly being updated and therefore so must your business, HIPAA compliance is not a one-time process, but one that you should return to regularly and update as necessary, for the good of both your business and your clients.