The Health Insurance Portability and Accountability Act (HIPAA) provides data privacy and security provisions to safeguard patient’s medical records and other personal health information. In a nutshell, it keeps medical records secure and private. Your medical practice is required to comply with HIPAA regulations and although the rules and regulations can seem complex, the bottom line is that your patients’ medical records should be viewed only by authorized healthcare personnel on a “need to know” basis. The process of becoming HIPAA compliant can be stressful and time-consuming; however, you have a legal responsibility to your patients to keep their medical records private and safe. We’ve put together an overview of the HIPAA rule and regulations, including the main points for compliance, to help you determine if you are adequately safeguarding your patients’ sensitive information.
What is HIPAA Compliance?
HIPAA sets the standard for protection of sensitive patient data and any company that deals with protected health information (PHI) must ensure that all of the required security measures are in place. This includes anyone providing treatment, payment, and operations in healthcare (your medical practice) and business associates (labs and billing services, for example) and anyone with access to patient information by providing support in those areas (IT support or document destruction services, for example). All criteria must be met in order to achieve full HIPAA compliance and every member of your medical practice must be trained (and tested) on proper procedures.
HIPAA Privacy Rule, What is it?
Your patients have the right to privacy and can authorize who is allowed to see their medical records as well as who can see or hear sensitive information. The Privacy Rule requires safeguards to protect the privacy of personal health information, namely individually identifiable health information, setting limits and conditions on how it can be used and disclosed without patient permission. Also, patients are given rights to their health information, including the right to examine and obtain a copy of their health records as well as request corrections. Under the rule, you are required to respond to patient access requests within 30 days. You also must issue Notices of Privacy Practices to your patients, to let them know how their data will be used or shared.
You must also:
- Train your employees to make sure they know what information may, and may not, be shared.
- Take appropriate steps to maintain the integrity of your patients’ health information.
- Obtain written permission from patients when their health information is used for research, fundraising or marketing.
Individually identifiable health information includes demographic information and relates to:
- The past, present, or future physical or mental health or condition of the individual
- Provision of health care to the individual
- Past, present, or future payment for the provision of health care
This information either identifies the individual or there is good reason to believe that is can be used for identification purposes. For example, a medical bill would be PHI if it contained the patient’s name and/or any other identifying information.
*Note: HIPAA rules do not apply to your employment records or in records covered by the Family Educational Rights and Privacy Act, which protects the privacy of students’ education records.
How to be compliant with the HIPAA Privacy Rule?
You can ensure your medical facility is compliant with HIPAA’s Privacy Rule by following the HIPAA Security Rule. There are three parts to the HIPAA Security Rule, which establishes a national set of security standards for protecting health information that is held or transferred in electronic form (e-PHI). The rule allows you to use whatever security measures you feel are reasonable and appropriate to protect your patients. The three parts are broken down for you below to guide you in choosing security measures and solutions to make sure your office is compliant.
With technology advancements in the healthcare industry, technical safeguards have become increasingly important for medical practices. You need to protect e-PHI from both internal and external risks.
Access Control - implement policies and procedures to allow only authorized people to access protected health information (e-PHI). You should enable authorized users to access the minimum amount of information necessary to perform their job function.
Audit Controls - record and examine access and activity in information systems that contain or use e-PHI. It is up to you to determine what data should be gathered and how often reports should be reviewed.
Integrity Controls - implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed.. You need to make sure that the integrity of your practice’s data is protected from both human and electronic errors.
Transmission Security - guard against unauthorized access to e-PHI transmitted over an electronic network with appropriate technical security measures. Does your practice transmit e-PHI over the internet, through email, or via a private network? It is your responsibility to make sure that it is protected as it is transmitted.
These are the measures that you take to protect your electronic information systems and your related buildings and equipment (for example, if your systems are at another location). You need to protect your facility from natural and environmental hazards as well as unauthorized intrusion.
Facility Access and Control - limit physical access to facilities while allowing authorized access. Whether your practice is in a single business facility or in a shared office structure determines how this standard is implemented.
Workstation and Device Security - specify proper access and use of workstations and electronic media.Your medical practice should have policies and procedures in place regarding the transfer, removal, disposal, and re-use of electronic media.
These are the policies and procedures that govern the conduct of the workforce and require that you assign a security officer and privacy officer to put required measures in place.
Security Personnel - designate a security official responsible for developing and implementing policies and procedures.This person is the cornerstone of your medical practice’s compliance.
Security Management Process - identify and analyze potential risks to e-PHI and implement security measures to reduce risks. Think of risk assessment as a regular task that you need to do to ensure ongoing compliance.
Information Access Management - implement policies and procedures that authorize access to e-PHI only when appropriate and limit use and disclosure of PHI. You must train your employees on how to be secure.
Workforce Training and Management - train all workforce members regarding security policies and procedures, provide for their authorization and supervision, and apply appropriate sanctions when policies are violated. You must have a training schedule to raise awareness of your policies and procedures and instruct employees on how to identify software attacks and malware.
Evaluation - perform periodic review of how well security policies and procedures meet the requirements of the security rule. For example, do you have accessible backups of e-PHI in case of an emergency? Do you have a procedure to restore lost data? These are the types of questions that should be addressed.
Other HIPAA Rules You Must Follow to Stay Compliant
Notify HIPAA of PHI Breaches As Soon As They Happen
The HIPAA Breach Notification Rule requires HIPAA covered entities to provide notification following a breach of unsecured protected health information. This rule applies to your medical practice’s business associates and third-party service providers.
Ensure Your Office and Any Subcontractors Meet the HIPAA Compliance Checklist
The HIPAA Omnibus Rule expanded the HIPAA compliance checklist to cover business associates and their subcontractors, strengthening the privacy and security protections for health information. Your business associates are held to the same standards for protecting PHI as you are, and there are stipulations for other items such as the disclosure of e-PHI and school immunizations, the sale of e-PHI, and limitations of disclosures to insurers and Medicare. As a result, you need to make sure that old business associate agreements have been updated to take the Omnibus Rule into account, update your privacy policies and notices of privacy practices, and train your staff.
HIPAA ENFORCEMENT RULE
The HIPAA Enforcement Rule provides for compliance and investigations, imposition of penalties for HIPAA violations, and procedures for hearings. HIPAA citations are issued to medical practices for everything from failure to promptly release information to patients to not logging off a computer system that contains private health information. Although not part of a HIPAA compliance checklist, you should be aware of possible penalties. For example, a violation that is attributed to ignorance can result in a fine of $100 to $50,000.
Don’t Forget to Document Your HIPAA Training and Office Practices
HIPAA training is mandatory for anyone who comes in contact with PHI and includes doctors, nurses, and receptionists as well as part-time employees and interns. Specialized training may be required for staff in charge of regulatory compliance or information technology network administration. As with OSHA, all training must be documented to provide proof of compliance.
Generally, your office’s documentation should provide in writing where you are today, how you have progressed over the years, and what your plan is for the future to protect PHI. It’s very important that you keep your documents up-to-date and consistently revise them as necessary. Some examples of what you should be documenting at your practice are:
- Notice of Privacy Practices
- HIPAA risk management plan
- Work desk procedures
- Training logs
- Vendor list and business associate agreements
- Employee list/access to systems
- Breach response plan
- Employee handbook
These are some of the general guidelines for HIPAA compliance—medical office compliance can be easier with proper training to make sure you succeed in your privacy and security responsibilities. Your practice will be less likely to receive any complaints or citations, or fail an audit. More importantly, your patients will trust you to safeguard their health information and will fully disclose the information needed for a complete picture of their overall health. Then, you and your patients can make more-informed decisions that lead to better outcomes.