The Health Insurance Portability and Accountability Act (HIPAA) defines protected health information (PHI) as any data that contains a patient’s name or could be combined with other information to determine the patient’s identity.
The PHI category includes most direct patient records, but also includes other records related to demographic information and general patient data, even when that data has been anonymized.
Why Should PHI Be Protected?
Your medical office is required to maintain the confidentiality of your patient’s PHI, and failing to do so could lead to steep penalties. Avoiding HIPAA violations is a core component of operations for any medical facility, and regulators view the situation accordingly. Government agencies have investigated nearly 200,000 HIPAA complaints over the last decade, and violations can range from large fines to loss of license and ability to practice.
How to Protect PHI
While PHI and HIPAA concerns are vast and complex, meeting their requirements in your medical office is best achieved with an organized, measured approach that includes these five key steps:
1. Designate a Security Administrator
Every primary department in your office should have a designated lead for maintaining knowledge of, and compliance with, HIPAA and PHI requirements. You should also have a Security Administrator to coordinate related operations across your entire facility, with a particular focus on identifying PHI generated by your activities, then protecting the data accordingly.
Along with daily monitoring, your Security Administrator should conduct regular audits of PHI activity and carefully review all technical and partnership aspects of your operations to maintain compliance.
2. Conduct Proper Training
Your training activities should prioritize efforts tied to regulatory requirements and violation risks. For most medical offices, that means instituting full training programs for concerns related to OSHA, HIPAA, and Department of Transportation regulations. In each case, both course material and required attendee categories are strictly defined, so it's important to ensure you maintain compliance throughout your office.
3. Use Business Associate Agreements
HIPAA carefully defines “covered entities” that are required to maintain compliance. It includes all healthcare providers and attendant offices. This also includes any activity performed by outside partnerships or contractors, which are defined by regulations as “business associates.”
To protect your office, you should always use a Business Associate Agreement with any qualifying partner. These agreements clearly define the legal and regulatory parameters of the work being done, along with the associate’s responsibilities and methods for complying with such requirements.
Business Associate Agreements can be tailored to each situation, but should always include key legal language to meet the standards set by regulators.
4. Maintain Secure Document Destruction
Your office is responsible for all PHI it generates or comes into contact with, even once that data has been sent for disposal. If a document or data file is not properly destroyed—leaving the information open to theft or even simple exposure— your office is on the line for violations and penalties.
For that reason, it’s critical to maintain thorough, documented procedures for storing and destroying all records in your office, both paper and digital. If you use an outside partner to handle those activities, the related Business Associate Agreement should clearly define the same scope of requirements and liabilities.
5. Take IT Seriously
In modern healthcare your electronic and digital infrastructure is the most important part of your PHI and general data landscape. Safeguarding that activity and protecting its data should be your top priority. That requires a robust, well-managed technical and Health Information Technology regime.
Because your office operates under such extensive regulatory requirements, it’s not enough to find a general IT provider or administrator. Any employee or outside partner who manages your digital infrastructure needs to be fluent in the requirements of Health IT and its compliance concerns.
With robust procedures, smart decisions, and highly qualified partnerships, you can ensure your medical office meets all of its requirements for protecting PHI under the law.