There are many reasons why protected health information (PHI) is safeguarded by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). First, nothing distinguishes our unique identities from one another more than our bodies. We can be clearly identified by our fingerprints, irises, dental patterns, scars, and medical histories.
The second reason why covered entities (CEs) and business associates (BAs) must be HIPAA-compliant is because PHI is indelible and has high utility. That is, unlike credit card information that becomes useless once the account tied to it is closed, medical records are unchanging and regularly used by medical professionals. This means:
- A record holds value for a long time – A record cannot be expunged so that it can no longer be abused.
- It’s difficult to identify if a record is stolen and used for fraud – PHI usually contains sufficient personally identifiable information that easily enables one to commit identity theft.
Last but not least, PHI is easy to abuse, and the abuse is very hard to prevent or stop. Medical matters are often urgent or critical in nature, so delivery of care is often prioritized above the prevention of fraud. To illustrate, regular patients use PHI to obtain prescriptions for life-saving medicines; and cybercriminals may use it to purchase drugs that contain highly controlled substances. Other PHI abusers may make fake medical claims to receive treatment. All in all:
- Appropriate care may be diverted from those who are meant to receive it.
- Healthcare and health insurance systems lose money and find it more difficult to operate properly.
- Drug abuse proliferates and adversely impacts families and communities.
Mitigating these is the spirit of HIPAA, but given that IT progresses at a rapid pace and legal measures lag behind considerably, mere compliance to the letter of the law is not enough. HIPAA compliance must be seen as the baseline or foundation upon which comprehensive health data security must be built. With that said, let’s take a look at the primary steps you must take to be HIPAA-compliant.
Mitigating these is the spirit of HIPAA, but given that IT progresses at a rapid pace and legal measures lag behind considerably, mere compliance to the letter of the law is not enough.
1. Create policies for protecting PHI
Policies regarding the stewardship of PHI must be included in the company rules and regulations of CEs and BAs. These policies must be documented; communicated to relevant parties, such as staff, third-party partners, and patients; and updated in a timely fashion.
Staff must be educated about HIPAA during onboarding and undergo annual HIPAA compliance training. Patients must also be made aware of their healthcare provider’s policies via a Notice of Privacy Practices, as well as their rights with regard to their PHI and medical records.
2. Designate a Privacy Compliance Officer and a HIPAA Security Officer
The Privacy Compliance Officer oversees the creation of privacy policies and ensures that policies are always implemented and annually updated. Larger organizations will have officers who form Privacy Oversight Committees to better handle the breadth of HIPAA compliance across all departments and third parties such as health maintenance organizations and health insurance companies.
The HIPAA Security Officer, on the other hand, is more focused on developing and implementing policies for keeping the integrity of electronic protected health information (ePHI) intact. Their responsibilities include:
- Managing access to systems on which ePHI is utilized
- Securing ePHI transmission
- Training staff how to keep ePHI secure
- Securing the physical premises of the healthcare facility
- Conducting risk assessments
- Preparing and implementing a disaster recovery plan
3. Use the HHS’ Security Guidance Materials
To help CEs and BAs implement HIPAA security standards in an appropriate and cost-effective manner, the US Department of Health and Human Services (HHS) came up with educational papers and other web-based materials.
Business data protection is non negotiable these days. To learn how you can better protect your business, download our FREE eBook, Data Breaches: A Definitive Guide for Business Owners.
4. Regularly conduct self-audits and risk assessments
To identify compliance gaps, CEs and BAs must conduct audits of all their safeguards: administrative, physical, and technical. Once such gaps are pinpointed, organizations must make remediation plans that specify how and when they will reverse their HIPAA violations.
5. Ensure that Business Associate Agreements are kept
Another important responsibility of the Privacy Compliance Officer is ensuring that when a CE works with a BA, both parties enter a Business Associate Agreement. This agreement specifies the kinds of PHI the business associate may handle, and that both sides commit to do all they can to keep PHI safe and maintain its integrity.
6. Develop and implement a breach notification process
As per the HIPAA Breach Notification Rule, all PHI breaches must be reported to the Office of Civil Rights (OCR). Furthermore, if a patient’s personal data was compromised, that patient must be notified. To standardize breach reporting and notifications, organizations must document their process and specify how they will comply with the rule.
7. Properly document all HIPAA compliance efforts
Comprehensive HIPAA compliance documentation helps organizations fulfill everything from implementation to self-audits to staff training. Beyond being useful internally, your documentation is what the OCR will review during their regular audits to determine how compliant you are. And during HIPAA violation complaint investigations, the OCR will use your documentation as one of the primary determinants of your culpability. This is why it pays to always maintain comprehensive documentation and to regularly review and update it.
As previously stated, HIPAA compliance is not the end, but rather one of the primary steps toward completely maintaining the safety and integrity of PHI. To accomplish this, you need [company_short]. Many healthcare providers in Kansas City trust us to not only help them be HIPAA compliant, but also to provide them with comprehensive cybersecurity. To learn more, send us a message or call 816-326-1143 today.