
How to become HIPAA Compliant: Patient data security

HIPAA Compliance
Health care providers, health plans such as insurers and HMOs, healthcare clearinghouses, and any business entity that uses or discloses “individually identifiable health information” during claims processing, billing, data analysis and other operations are governed by the HIPAA Privacy Rule.

HIPAA laws ensure that patient data is kept safe from unauthorized access and data leaks. This covers personal information such as patient names, SSNs, driver’s license numbers, insurance details, dates of birth, and details of treatment received.

HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal law that protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Office for Civil Rights within the Department of Health and Human Services enforces the HIPAA privacy rules. The rule applies to all medical practitioners across the board, including hospitals, dentists, doctors, nurse practitioners and clinical labs.


HIPAA Rules

The entities covered by HIPAA have the obligation to be compliant across all of their operations and to have the proper technical, physical and administrative safeguards in place.

The Privacy rule aims to protect an individual’s personal health information while allowing a smooth flow of health information between patients and “covered entities” in order to promote high-quality health care. Regardless of how the protected health information (PHI) is transmitted, whether orally, electronically or on paper, the protection extends to the past, the present and the future, from the moment that information is collected or created, through its transmission, maintenance, archival and final destruction. Because years and decades may pass from that first moment until the last, the HIPAA Security rule protects the PHI regardless of what system or technological tool the covered entity uses over time: paper records, server-based storage or cloud-storage.

When cloud storage is used, being HIPAA compliant means that the cloud storage provider, such as Google or Amazon, becomes a covered entity. As required by HIPAA, a Business Associate Agreement is formed between the cloud platform and its customers.

The standards for protection are high out of necessity because breaches, inadvertent or malicious, can happen at any time. The Breach Notification Rule protects individually identifiable health information from impermissible use and disclosure. Examples of breaches are: sharing information with unauthorized entities, loss or theft of PHI, unauthorized access, getting hacked, storing and archiving PHI in unsecured physical or electronic locations.

Risk Assessments

HIPAA risk assessments are an essential part of HIPAA compliance, and they should be conducted periodically by a qualified person or team within the organization. It is better to prepare for threats and prevent breaches than to do damage control later, when the loss of PHI may be irreversible and the extent of its dissemination unquantifiable. The risk assessment should identify the following:

  1. What PHI the organization holds;
  2. Where and how it is used, stored and shared;
  3. Who has access to it: employees and others in your network (vendors, consultants, etc);
  4. What verification process you have in place to ensure compliance is maintained across the board;
  5. What safeguards you already have in place and evidence they’re being used properly;
  6. What safeguards your company should implement and what training should be involved for everyone with access to PHI;
  7. A scenario for a mock breach to make sure the controls are in place, and to assess the potential extent and damage of such a breach;
  8. A review of concerns and suggestions from your staff to either discover potential threats, lapses in compliance or better ways to protect the information.

How to become HIPAA compliant

The following items offer some suggestions to help you prevent breaches and to stay or become HIPAA compliant.

1) Identify the protected information and ensure the staff knows what constitutes a breach and why it is important.

2) Have a closed system in which PHI is trackable through its entire lifecycle: creation or intake of a patient’s file, maintenance and storage, update and closure, and archival and destruction.

3) Have levels of access that restrict employees from protected data they don’t use in their work. Ensure passwords have a high level of complexity, and end access to data as soon as an employee leaves your organization, even if it’s for a temporary leave. If possible and resources are available, have a tiered system of exposure, in electronic form and on paper, where the least amount of information is transmitted at any given point and only doctors and other medical staff have access to full patient information. If a breach happens, then at best the information exposed should be minimal and worthless for sale or ransom.
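The tiered exposure described in item 3 (role-based field filtering so only clinical staff see the full record, immediate revocation when someone leaves, and a log of every access so the tracking in item 2 is possible) is shown below as an added example in Python. It is not code from the original page or from any real product; the role names, field names and the sample patient record are all constructed for illustration.

```python
"""Added example: minimum-necessary access to patient records.

Each role tier sees only the PHI fields it needs; clinical staff get the
full record. Access is revoked instantly, and every view attempt (granted
or denied) is written to an audit log. All names and data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each role tier may see (constructed role names, not a standard).
ROLE_FIELDS = {
    "clinical":   {"name", "dob", "ssn", "insurance_id", "treatment_notes"},
    "billing":    {"name", "insurance_id"},
    "front_desk": {"name", "dob"},
}

# Constructed sample record; this is not real PHI.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "ssn": "000-00-0000",
    "insurance_id": "INS-123",
    "treatment_notes": "constructed sample note",
}


@dataclass
class AccessControl:
    # user -> role; a value of None means access has been revoked
    roles: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, user: str, role: str) -> None:
        """Assign a user to one of the known role tiers."""
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role: {role}")
        self.roles[user] = role

    def revoke(self, user: str) -> None:
        """End access the moment a user leaves, including temporary leave."""
        self.roles[user] = None

    def view(self, user: str, record: dict) -> dict:
        """Return only the fields the user's tier may see; log the attempt.

        Raises PermissionError if the user has no active role. The denied
        attempt is still logged so unauthorized access can be detected.
        """
        role = self.roles.get(user)
        allowed = ROLE_FIELDS.get(role, set())
        filtered = {k: v for k, v in record.items() if k in allowed}
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": record.get("patient_id"),
            "fields": sorted(filtered),
            "granted": bool(allowed),
        })
        if not allowed:
            raise PermissionError(f"{user} has no active PHI access")
        return filtered


if __name__ == "__main__":
    ac = AccessControl()
    ac.grant("dr_a", "clinical")
    ac.grant("bill_b", "billing")
    print(ac.view("bill_b", SAMPLE_RECORD))   # name and insurance_id only
    ac.revoke("bill_b")
    try:
        ac.view("bill_b", SAMPLE_RECORD)
    except PermissionError as e:
        print("denied:", e)
    for entry in ac.audit_log:
        print(entry)
```

The design point is that filtering happens at the point of retrieval rather than in the user interface, so a billing export or a printed copy can never contain more than the billing tier is entitled to, and the audit log records the denied attempt after revocation as well as the successful views.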

4) Avoid unnecessarily duplicating patient data, such as printing their information on paper, if it’s not absolutely necessary. If you need to print it, make sure it is tracked as thoroughly as any other PHI in your organization.

5) Vet your online fax provider, collection agency, billing software, or any kind of software or app you use to process or transmit PHI.

6) Encrypt your data and apply all of the required security updates as your software programs notify you of them. Install a good firewall and make sure your IT department or provider routinely checks the stability and security of all of your systems. That said, make sure that any IT engineers or consultants understand that they too are bound by the HIPAA privacy rules.

7) Every time a new factor is added, such as a new employee or a transfer of data, a new assessment should be made to ensure that the PHI is not compromised in any way.

8) Conduct periodic checks on your vendors, consultants and other partners to verify that they’re also compliant.

9) Stay up to date with any changes or updates in HIPAA laws. The CDC website has a page dedicated to news on Public Health Law.

10) Healthcare organizations must document all HIPAA compliance activity including privacy and security policies, risk assessments and audits, and staff training sessions. It is recommended to designate a Privacy Compliance Officer within your company.

11) Don’t hesitate to take action immediately after a data breach. Any delay in properly notifying of the breach, or in attempts to reduce its impact, can attract a serious fine from the Office for Civil Rights. Some electronic breaches have become harder to detect because hacking is more sophisticated, and no system is absolutely 100% hack-proof. The important thing is to do everything possible to protect the information and, if a breach does happen, to immediately notify the relevant entities and the individuals involved that a breach has occurred.

HIPAA Certification

Because HIPAA compliance is an ongoing process that keeps growing in complexity, there is no HIPAA certification requirement at this time. The Department of Health and Human Services (HHS) offers only HIPAA training materials for covered entities, and those materials are usually subject to change to match changes in the law. The CDC offers internships and externships in Public Health Law, but only to law students. Third-party HIPAA certifications are available, but none of them is endorsed or approved by HHS, even though HIPAA training is required for a covered entity to remain compliant. Taking all of that into consideration, a hybrid process of initial certification and continuing education would probably work best: it would ensure stakeholders have the minimum required HIPAA knowledge through certification, and it would keep pace with regulatory changes in HIPAA laws as society changes.

Filed Under: Medical

Copyright © 2025 NEXACOLLECT.COM | All information on this website is for general information only and is not expert advice. We do not accept any responsibility for the correctness or authenticity of the information, or for any loss or injury resulting from it. Nexa is not a collection agency. Relevant inquiries are contacted by our shortlisted collection agency partner(s).