HIPAA compliance can be a frightening concept, especially because non-compliance penalties can incur fines of up to $250,000 depending on the seriousness of the infraction.
In most cases, it’s smart for providers to hire or train a HIPAA champion who focuses on security standards and oversees staff handling of patient protected health information (PHI).
However, it’s still important for health professionals to know the fundamentals of staff compliance standards in relation to the HIPAA Security Rule.
In 2002, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established, for the first time, a set of national standards for the protection of certain health information. The Privacy Rule addressed the use and disclosure of individuals’ health information by healthcare providers or organizations.
“The biggest challenge presented by HIPAA is to accurately and consistently protect individuals’ privacy without crippling your business,” said Christopher Fuller of TechRepublic.com. “That being the case, the best technologies available would be those that allowed you to share exactly the right information.”
While challenging, compliance is within reach for any practice as long as you make sure the following procedures are in place for your staff.
HIPAA Compliant Practices
- Practices must provide an up-to-date training program on the handling of PHI for employees performing health plan administrative functions.
- Make sure not to share sensitive PHI with others who shouldn’t have access, including co-workers or personal acquaintances.
- Avoid accessing a patient’s record unless needed for work or with written permission from the patient.
- Minimize occurrences of others overhearing patient information. Do not use a patient’s whole name within hearing distance of others.
- Secure all paperwork containing PHI by placing in a drawer or folder when not in use. Cover charts so patient names are not visible. Never leave records and other PHI unattended.
- Close computer programs containing patient information when not in use. Practice management systems with automatic time out settings can be valuable in this regard.
- Limit e-mail transmissions of PHI to only those circumstances when the information cannot be sent another way.
- Always use a cover sheet when faxing PHI.
- Back up all disks that contain PHI. Storing your patients’ information in a HIPAA compliant cloud server is safer than using a localized server or paper documents, according to recent findings from the US Department of Health and Human Services.
- Assign different levels of security clearance to specific people. Role-based security prevents employees from accidentally changing or seeing information that does not pertain to their specific duties.
- Never share passwords between staff members. The HIPAA champion should assign passwords to all employees who are allowed access to PHI. Single sign-on PM systems use voice recognition or fingerprint detection along with user specific passwords to secure logins.
- Properly dispose of information containing PHI by shredding paper files.
- Make sure computers have updated anti-virus scanning software installed. This guarantees your practice is reasonably guarded against malicious software.
- It’s also important to make sure any vendors or other businesses associated with your practice are properly following HIPAA standards as well.
Simple enough? Not exactly. HIPAA standards are ever evolving to keep up with new technology and industry trends. For peace of mind, it may be a good idea to consider a HIPAA compliant, cloud-based practice management and EHR service to house and protect all of your medical information.
What kind of HIPAA training have you found useful when hiring new employees?