What is HIPAA Law?
The Health Insurance Portability and Accountability Act of 1996 has been in effect for over 10 years, since April 13, 2003. Doctors, nurses and all medical professionals are aware of the strict rules on medical information privacy, the fact that the patients medical information belong to the patient and that HIPAA training for the entire staff will keep practices safer and more secure. However, since medical professionals implemented these regulations into their organizations in 2003, things have changed.
The law has evolved from its initial beginnings to include the ever-expanding digital environment. As of 2013, HIPAA has also expanded to give stricter penalties, more responsibility to business associates and required compliance to the HITECH breach notification requirements act. Yet, while the law has grown and evolved, medical practices have not, and as we covered in our previous article, “With HIPAA Law in Full Effect, Increased HIPAA Enforcement on the Way,” the investigations launched in the past 10 years by the OCR will look like child’s play compared to what is coming. So, it’s time for medical practices and their business associates to look at all their processes, security measures, and personnel to make sure that they are compliant to both the 2003 and 2013 version of the HIPAA Law.
As a web design agency with significant medical web design experience, we are very familiar with the contents of the HITECH breach notification requirements act as well as all parts of the HIPAA Law. Therefore, we’ve put together a 5 Step Path to Compliance with helpful tips and important information that you need to know to keep your money out of the OCR’s pocket.
1. Keep Up to Date with the HIPAA & HITECH Omnibus Law
As the medical profession and the way we store and use patient information changes, the HIPAA and HITECH Laws will change with it. In the past 5 years, these laws have been updated to reflect the constantly evolving technology of our society. Yet, a large majority of practices have failed to note these changes, leaving them vulnerable to security breaches and steep financial penalties. The U.S. Department of Health and Human Services (HHS) commonly schedules press releases to inform patients and providers about the law changes. Keeping an eye on legislation that directly affects your practice and making the necessary adjustments is an easy way to avoid strict HIPAA fines.
2. Make Sure Your Online Processes are Compliant
Online processes for a healthcare organization include everything from patient record keeping, patient communication, and physician communication to business associate communication, practice website, and employee systems. Basically, anything online or in the cloud that holds, transfers or interacts with patient health information is included. Keeping online processes compliant is more difficult than the other 4 steps because this generally requires the knowledge of a data security, medical web design or web development expert. Someone that knows the processes and how to effectively protect it. An easy way to do this is to work with an HIPAA certified web development company. These companies are experts in the HIPAA and HITECH Laws and have already implemented security measures that can be easily applied to your processes and communicated to your business associates.
3. Hold Your Business Associates To The Same Standards
One of the most significant developments in the HIPAA Law today is the increased responsibility for business associates. Previously, business associates were held to a fairly insignificant standard for patient health information. However, the recent law changes have given more responsibility to business associates for security breaches. This means that business associates are being held to similar standards as covered entities, requiring them to have administrative, physical and technological security protection for their medical clients information. Although the BA’s have an increased role, this does not mean the medical practices are void of all violations relating to them. It just means that medical practices must hold all of their business associates, including health insurance providers, CPA’s, medical web designers and more to the same standards that they hold to their own practice.
4. Constantly Look for Potential Security Breaches
Security breaches are defined as unauthorized acquisition, access, use or disclosure of unsecured PHI. By following steps 1, 2 and 3, you are already protecting yourself from a large number of security breach situations. However, another step to data security is keeping your eyes open for things that are not mandated by the HIPAA or HITECH laws. Some examples of this would be wrongly distributing or informing someone about a patient’s personal health information and wrongly monitoring employee interaction with personal health information. Wrongly distributing sensitive information can occur over the phone, email or in person, but training staff on the correct procedures can significantly reduce these incidents. When employees leave the medical practice or change positions, it is incredibly important to update authorization levels to reflect their clearance in the organization. Making certain information available to only the people who need it is key to PHI security.
5. Avoid Unnecessary Fines
Avoiding unnecessary fines is the easiest of the 5 steps to compliance. This is because it is simply being aware of the regulations imposed on your field and taking the correct steps to abide by them. Since 2003, the #1&2 causes of an investigation into practices has been security breaches and failure to implement the proper security measures to protect PHI. Simply taking the steps to protect your patients information, will, in turn, protect you from thousands of dollars in violations.