12 Best Practices to Keep Your Staff HIPAA Compliant

Complying with the Health Insurance Portability and Accountability Act (HIPAA) can be unnerving for medical groups and providers, especially when failure to comply can lead to fines from $100 all the way up to $50,000 or more per violation.

Private practices are the type of covered entity most often required to take corrective action, according to HHS’ Office for Civil Rights (OCR), which enforces HIPAA. General hospitals, outpatient facilities, pharmacies and health plans follow, in that order.

Since 2003, OCR has resolved 23,805 HIPAA violation cases through corrective action, changes in privacy practices or technical assistance. In 26 of those cases the fines, paid by hospital chains, national pharmacy chains, small provider offices and others, totaled almost $23 million.

What can you do to keep yourself, your staff and your medical practice HIPAA-compliant?

Best practices include:

  • Maintain training of your staff to appropriately handle protected health information (PHI).
  • Designate a HIPAA champion to focus on security standards and educate other staff members.
  • Give staff access levels that match their jobs. Role-based access keeps someone from inadvertently seeing information outside the scope of his or her work.
  • Never share passwords among staff. Every user needs an individual login so that access to PHI can be traced back to one person.
  • Know when you can and cannot disclose PHI. Some providers take an overly cautious approach and treat HIPAA as a code of silence, even with family members, according to a July 17, 2015, report in The New York Times.
  • Remind staff not to access patient records unless it is necessary for their work or the patient has given written permission.
  • Close or lock applications before walking away or moving on to another task. Practice management systems that automatically lock or log the user out after a set period of inactivity can help.
  • Secure electronic PHI with encryption, strong passwords and authentication. Encryption matters beyond prevention: a lost or stolen device whose PHI is properly encrypted generally does not have to be reported as a breach.
  • Consider two-factor authentication: a password plus a fingerprint, a code from a mobile phone or voice recognition. Apple ID two-step verification is one familiar example.
  • Store any paper files with PHI in locked cabinets, shred them when disposing of them, and use a cover sheet when faxing.
  • Choose a HIPAA-compliant cloud provider for your data security needs. The cloud is safer for patient records in many cases than on-premises servers, according to Government Health IT.
  • Ensure every third party that handles PHI for your medical group (a business associate) signs a business associate agreement and complies with HIPAA as well. You may only be as safe as your most vulnerable business associate.
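The access-level, "only when necessary" and password points above are easy to state and easy to get wrong inside a practice management system. The following Python sketch is an added example, not code from the original article or from any vendor: it filters a record down to the fields a role is allowed to see (a hypothetical minimum-necessary table), checks that the user actually has a relationship with the patient or a patient authorization, writes every attempt to an audit log under an individual username, and then reviews that log for staff who keep hitting denials. The roles, field sets and patient records are constructed for illustration.

```python
"""Minimum-necessary access to PHI: role-based field filtering, a
treatment-relationship check, and an audit log reviewed for snooping.
Added example with constructed data; nothing here is a real patient."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical minimum-necessary policy: which PHI fields each role may see.
ROLE_FIELDS = {
    "clinician":  {"name", "dob", "diagnoses", "medications"},
    "billing":    {"name", "dob", "insurance_id", "charges"},
    "front_desk": {"name", "dob", "next_appointment"},
}

# Constructed sample records.
PATIENTS = {
    "P001": {"name": "A. Example", "dob": "1970-01-01", "diagnoses": ["I10"],
             "medications": ["lisinopril"], "insurance_id": "INS-1",
             "charges": 120.0, "next_appointment": "2024-06-01"},
    "P002": {"name": "B. Sample", "dob": "1985-05-05", "diagnoses": ["E11"],
             "medications": ["metformin"], "insurance_id": "INS-2",
             "charges": 80.0, "next_appointment": "2024-06-02"},
}


@dataclass
class User:
    username: str                    # individual login, never shared
    role: str
    assigned_patients: set = field(default_factory=set)  # treatment/billing relationship


@dataclass
class AuditEntry:
    when: str
    user: str
    patient: str
    allowed: bool
    fields: tuple
    reason: str


class AccessDenied(PermissionError):
    pass


def access_record(user, patient_id, reason, log, patient_authorization=False):
    """Return only the fields the user's role permits, and only if the user
    has a relationship with the patient or the patient authorized access.
    Every attempt, allowed or denied, is appended to `log`."""
    permitted = ROLE_FIELDS.get(user.role)
    in_scope = patient_id in user.assigned_patients or patient_authorization
    allowed = permitted is not None and in_scope and patient_id in PATIENTS
    view = {}
    if allowed:
        view = {k: v for k, v in PATIENTS[patient_id].items() if k in permitted}
    log.append(AuditEntry(datetime.now(timezone.utc).isoformat(), user.username,
                          patient_id, allowed, tuple(sorted(view)), reason))
    if not allowed:
        raise AccessDenied(f"{user.username} may not view {patient_id}")
    return view


def try_access(user, patient_id, reason, log, patient_authorization=False):
    """Non-raising wrapper: (True, view) on success, (False, {}) on denial."""
    try:
        return True, access_record(user, patient_id, reason, log, patient_authorization)
    except AccessDenied:
        return False, {}


def denied_attempts_by_user(log, threshold=2):
    """Users with `threshold` or more denied attempts: candidates for the
    HIPAA champion to review, since repeated denials often mean browsing."""
    counts = Counter(e.user for e in log if not e.allowed)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    audit = []
    doctor = User("dr_lee", "clinician", {"P001"})
    print(try_access(doctor, "P001", "scheduled visit", audit))   # allowed, no insurance_id
    print(try_access(doctor, "P002", "curious", audit))           # denied: not assigned
    print(try_access(doctor, "P002", "curious again", audit))     # denied again
    print(denied_attempts_by_user(audit))                         # {'dr_lee': 2}
```

The two checks are deliberately separate: the role table enforces "minimum necessary" on what comes back, while the relationship check enforces "only when necessary" on whether anything comes back at all. The audit log is what makes the "never share passwords" rule worth anything, because a review like `denied_attempts_by_user` only works when each entry names one real person.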

The most common HIPAA issues that trigger an investigation are, in order:

  1. Impermissible use or disclosure of PHI
  2. Lack of PHI safeguards
  3. Lack of patient access to their PHI
  4. Lack of administrative safeguards to protect electronic PHI
  5. Use or disclosure of more than the minimum necessary PHI
  Source: HHS Health Information Privacy Enforcement Highlights

It’s not all bad news. OCR found no violation in 10,808 of the alleged HIPAA violation cases it has investigated since 2003.

In another 10,250 instances, OCR intervened early and provided technical assistance without starting an investigation. OCR “is not in the gotcha game,” Clinton Mikel, Chairman of an American Bar Association e-health and privacy group, told The New York Times.

Still feeling a bit uneasy about meeting evolving HIPAA compliance regulations? For reassurance, you could consider a HIPAA-compliant, cloud-based practice management and EHR system to house and protect your medical information. Keep in mind that the vendor becomes a business associate: you still need a business associate agreement with it, and your practice remains responsible for how its own staff use the system.
