HIPAA and HITECH laws can get complicated in a hurry. So let's look at 15 things your business will need to do in order to be HIPAA compliant and properly handle your patients' protected health information (PHI).
These 15 steps aren't the only ones you'll have to take, but they represent a sizeable portion of your HIPAA responsibilities.
- Take reasonable and appropriate measures to keep PHI confidential, both in communications (email, fax, phone, messaging) and in the systems that store or process it.
- Only share PHI with other businesses when they need this data to perform their job (e.g., a medical biller should only see the necessary data about the patient's treatment and insurance coverage).
- If you share PHI with other businesses, require them to sign a business associate agreement (see HHS's business associate agreement template), which sets out what they must do to safeguard the PHI and remain HIPAA compliant.
- Notify patients how their data is used and with whom it's shared (your Notice of Privacy Practices).
- Document all PHI disclosures.
- Train your staff how to properly handle PHI.
- Document your training and HIPAA procedures. Enforce these policies with employees.
- Take measures to prevent physical theft of computers, tablets, and other devices with sensitive data.
- Notify affected patients without unreasonable delay, and no later than 60 days after discovery, when their unsecured PHI has been breached.
- Report breaches affecting 500 or more people to HHS and to prominent media outlets; smaller breaches must still be logged and reported to HHS annually.
- Supply copies of PHI to patients who request it, generally within 30 days (you can be fined for not giving patients access to their own data).
- Wipe or destroy old computers, devices, and storage media before disposal so that no PHI remains on them; this includes photocopiers, printers, and other equipment with internal hard drives.
- Encrypt PHI whenever you transmit it or store it outside your protected network. Encryption done according to HHS guidance also counts as "securing" the data, so lost or stolen encrypted PHI generally does not trigger breach notification.
- Use double-keying (entering critical values twice and reconciling any mismatch) and other data entry techniques to minimize errors in PHI.
- Perform and document periodic risk analyses of your business to highlight your biggest data risks, what data needs to be protected, and what measures you can take to protect it (see HHS's Risk Analysis Requirements [PDF]).
Given all the things you must do to be HIPAA compliant, it's easy to see how you could make a mistake or overlook a requirement. Even something as small as failing to erase data from old hard drives you throw away can lead to a data breach and a HIPAA penalty. In fact, Affinity Health Plan paid $1.2 million to settle with HHS after it returned leased photocopiers to the leasing company without erasing the PHI stored on their hard drives.
The Takeaway: It Takes Work and Vigilance to Avoid HIPAA Violations
How do you prevent HIPAA fines? Here are two things you can do to reduce the likelihood of a HIPAA violation:
- Hire IT professionals who understand HITECH and HIPAA privacy rules.
- Educate your employees about HIPAA guidelines.
It's best to work with IT consultants who know HIPAA regulations. Hire one of these specialists to confirm your network meets the Security Rule's requirements and to install and configure the security controls you need. For more on the technical requirements in HIPAA privacy rules, see our article "Making Sure Your Practice Is Compliant with HIPAA Security Standards."
Additionally, you'll need to take it upon yourself to institute HIPAA training among your employees. As we saw above, this can involve everything from teaching data entry strategies to showing how to use HIPAA-compliant email to transmit data.
For every healthcare business, HIPAA compliance is an ongoing challenge. It requires you to teach employees best practices and to be vigilant for potential security lapses.