Running just about any business in the health care sector comes with having to protect consumers’ health information, so how can you avoid potential problems while trying to comply with the federal Health Insurance Portability and Accountability Act? Gain confidence and get in the know with three key HIPAA compliance tips.
1) Understand Why HIPAA Matters
Now in its 20th year, the Health Insurance Portability and Accountability Act passed by Congress in 1996 likely represents the most far-reaching legislation of its kind.
Many may see the law as burdensome, complex, annoying, hard to understand, or even maddening, but it comes down to one thing that everyone can agree is important: protecting patients.
The law, commonly called “HIPAA,” is designed to help protect patients by:
- Improving health care delivery efficiency through standardizing electronic data interchange and streamlining transactions
- Protecting the confidentiality and security of personal health data through the setting and enforcing of standards
Though initially aimed to ease the portability of health insurance for individuals changing jobs and to strengthen protections against fraud and abuse, HIPAA evolved into legislation that also encompasses:
- Greater administrative efficiency
- Reduced paperwork
- Confidentiality and privacy of electronic information
The law continues to evolve:
- In 2000 and 2002, HIPAA Privacy Rule amendments strengthened privacy standards for individually identifiable health information, addressing what patient health information is protected and how the information can be used and disclosed.
- In 2009 the Health Information Technology for Economic and Clinical Health Act — the “HITECH” Act — was enacted to further address issues involving the electronic transmission of health information.
- In March 2013, the U.S. Department of Health and Human Services issued additional privacy rules, with a requirement for compliance by Sept. 23, 2013.
- In 2016 audits debuted as part of the HITECH Act, making any HIPAA-regulated provider potentially subject to audits of their privacy, security, and breach notification protocols.
Know the Three Areas of HIPAA Compliance
HIPAA comprises three areas of compliance: technical, administrative, and physical.
Technical safeguards involve access control, audit control, integrity, person or entity authentication, and transmission security. Some examples:
- Controlling access with unique user identification, emergency access procedures, automatic logoff, encryption, and decryption
- Protecting records from improper alteration or destruction using view-only versus update-access mode, determining who can delete a patient file, and knowing state requirements for records retention
- Having protocols for verifying that a person or entity seeking access to protected health information is the person or entity claimed
Administrative safeguards include a variety of steps, including some related to team compliance:
- Communication — keeping communication about patient information to a minimum when in public areas
- Password security — locking computers when not in use, logging out after every session, and using only individual passwords at workstations
- Social media — having strong policies and procedures regarding the use of social media in the workplace
Physical safeguards involve various considerations such as:
- Restricting physical access to desktop computers, laptops, servers, printers, copiers, smartphones, files, and other sensitive equipment or documents
- Implementing access control and validation procedures concerning badges, keys, and key cards
- Having a facility security plan to prevent unauthorized access, tampering, and theft
Stay Up to Date
It’s important to remember that HIPAA compliance isn’t a one-time event; it calls for continuous improvement and the ability to stay atop any changes in the law or regulations.
Annual trainings are crucial to staying current, providing an opportunity to:
- Roll out HIPAA updates, integrating them into your policies and protocols
- Check in with team members regarding questions, challenges, and ideas related to compliance
- Align your team with your practice’s standard operating procedures