Health care providers, health plans such as insurers and HMOs, healthcare clearing-houses and any business entities using and disclosing “individually identifiable health information” during claims processing, billing, data analysis, and other operations, are governed by the HIPAA Privacy Rule.
HIPAA laws ensure that patients’ data is kept safe from unauthorized access and data leaks. This covers personal information such as patient names, SSNs, driver’s license numbers, insurance details, dates of birth and details of treatment received.
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal law protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Office for Civil Rights within the Department of Health and Human Services enforces the HIPAA privacy rules. This rule applies to all medical practitioners across the board including hospitals, dentists, doctors, nurse practitioners and clinical labs.
The entities covered by HIPAA have the obligation to be compliant across all of their operations and to have the proper technical, physical and administrative safeguards in place.
The Privacy rule aims to protect an individual’s personal health information while allowing a smooth flow of health information between patients and “covered entities” in order to promote high-quality health care. Regardless of how the protected health information (PHI) is transmitted, whether orally, electronically or on paper, the protection extends to the past, the present and the future, from the moment that information is collected or created, through its transmission, maintenance, archival and final destruction. Because years and decades may pass from that first moment until the last, the HIPAA Security rule protects the PHI regardless of what system or technological tool the covered entity uses over time: paper records, server-based storage or cloud-storage.
When cloud storage is used, being HIPAA compliant means that the cloud storage provider, like Google and Amazon, becomes a covered entity. As required by HIPAA, a Business Associate Agreement is formed between the cloud platform and its customers.
The standards for protection are high out of necessity because breaches, inadvertent or malicious, can happen at any time. The Breach Notification Rule protects individually identifiable health information from impermissible use and disclosure. Examples of breaches are: sharing information with unauthorized entities, loss or theft of PHI, unauthorized access, getting hacked, storing and archiving PHI in unsecured physical or electronic locations.
HIPAA risk assessments are an essential part of HIPAA compliance, and they should be conducted periodically by a qualified person or team within the organization. As with other things, it’s better to prepare for threats and prevent breaches than to do damage control later, when the loss of PHI may be inevitable and the extent of its dissemination unquantifiable. The risk assessment should identify the following:
- What PHI is;
- Where and how it is used, stored and shared;
- Who has access to it: employees and others in your network (vendors, consultants, etc.);
- What verification process you have in place to ensure compliance is maintained across the board;
- What safeguards you already have in place and evidence they’re being used properly;
- What safeguards your company should implement and what training should be involved for everyone with access to PHI;
- A scenario for a mock breach to make sure the controls are in place, and to assess the potential extent and damage of such a breach;
- A review of concerns and suggestions from your staff to either discover potential threats, lapses in compliance or better ways to protect the information.
How to become HIPAA compliant
The following items offer some suggestions to help you prevent breaches and to stay or become HIPAA compliant.
1) Identify the protected information and ensure the staff knows what constitutes a breach and why it is important.
2) Have a closed system in which PHI is trackable through its entire lifecycle: creation or intake of a patient’s file, maintenance and storage, update and closure, and archival and destruction.
3) Have levels of access to restrict employees from protected data if they don’t use it in their work. Ensure passwords have a high level of complexity and end access to data as soon as an employee leaves your organization, even if it’s for a temporary leave. If possible and resources are available, have a tiered system of exposure, in electronic form and on paper, where the least amount of information is transmitted at any given point, and only doctors and other medical staff have access to full patient information. If a breach happens, then at best, the information exposed should be minimal and worthless for sale or ransom.
4) Avoid unnecessarily duplicating patient data, such as printing their information on paper, if it’s not absolutely necessary. If you need to print it, make sure it is tracked as thoroughly as any other PHI in your organization.
5) Vet your online fax provider, collection agency, billing software, or any kind of software or app you use to process or transmit PHI.
6) Encrypt your data and perform all of the required security updates as notified by your software programs. Install a good firewall and make sure your IT department or provider routinely checks on the stability and security of all of your systems. That being said, make sure that any IT engineers or consultants understand that they’re also bound to HIPAA privacy rules.
7) Every time a new factor is added, such as a new employee or a transfer of data, a new assessment should be made to ensure that the PHI is not compromised in any way.
8) Conduct periodic checks on your vendors, consultants and other partners to verify that they’re also compliant.
9) Stay up to date with any changes or updates in HIPAA laws. The CDC website has a page dedicated to news on Public Health Law.
10) Healthcare organizations must document all HIPAA compliance activity including privacy and security policies, risk assessments and audits, and staff training sessions. It is recommended to designate a Privacy Compliance Officer within your company.
11) Don’t hesitate to take action immediately after a data breach. Any delay in properly giving notice of the breach or in attempting to reduce its impact can attract a serious fine from the Office for Civil Rights. Some electronic breaches have become harder to detect because hacking is more sophisticated, and no secure system is 100% hack-proof. The important thing is to do everything possible to protect the information and, if a breach does happen, to immediately take steps to notify relevant entities and involved individuals that a breach has occurred.
Because HIPAA compliance is an on-going process increasing in complexity all the time, there is no HIPAA certification requirement at this time. The Department of Health and Human Services (HHS) offers only HIPAA training materials for covered entities, and those materials are usually subject to change to match changes in the law. The CDC offers internships and externships in Public Health Law but only to law students. Third-party HIPAA certifications are available but none of them is endorsed or approved by the HHS even though HIPAA training is required for a covered entity to remain compliant. Taking all of that into consideration, a hybrid process of initial certification and continuing education would probably work best as it would ensure stakeholders have the minimum required HIPAA knowledge through certification and it would also fall in line with the regulatory changes in HIPAA laws to fit a changing society.