Are you a physician? Do you work in a private practice or a clinic setting? Are you a healthcare facility or a business that works with the healthcare industry?
If you collect, store, share, and/or use patient information, you must follow HIPAA rules. If you’re unsure about how to become HIPAA compliant, continue reading. This article will explain HIPAA and compliance strategies.
You will also learn about making sure your remote workers meet HIPAA standards.
What Is the HIPAA Law?
Congress passed The Health Insurance Portability and Accountability Act (HIPAA) in 1996. The U.S. Department of Health and Human Services (HHS) also passed the Privacy Rules to implement the Act. HIPAA ensures the following:
- Transfer and continuous health insurance coverage when someone changes or loses their job
- Decreases health care abuse and fraud
- Established standards for the handling of all health-related electronic billing and processing
- Mandates protection and confidential processing of all protected health information
HHS and the Office of Civil Rights (OCR) implement and enforce the HIPAA Privacy Rule. They have the authority to impose civil money penalties for violations.
What Is PHI?
Protected health information (PHI) is the central focus of HIPAA and the Privacy Rule. All healthcare providers and facilities must ensure safe and confidential handling of PHI. This rule includes all third parties and business associates working with the facility or provider.
What Is a Covered Entity or Business Associate?
The HIPAA Privacy rule strictly defines covered entities and business associates (CE/BA). These are organizations that interact and share PHI with your facility.
How to Become HIPAA Compliant
Today, it’s not enough to be HIPAA compliant. By law, you must be ready to show how you meet HIPAA compliance requirements. The following is a guide to ensure your readiness.
Search for possible PHI and electronic (ePHI) vulnerabilities and risk-mitigation strategies. Select an individual to develop and implement policies and procedures. Ensure all CE/BAs are HIPAA compliant before granting access to PHI or ePHI.
Educate and document that all employees who handle PHI have completed HIPAA training. Track staff compliance with established policies and procedures.
Set up physical safeguards including restricted access to areas that contain PHI. Maintain a record of who accesses PHI. Develop policies related to the transfer, disposal, and re-use of any electronic media.
Place barriers to limit visual and auditory access to PHI by unauthorized individuals.
Use access controls to PHI data via passwords or other secure methods. Protect the PHI from unauthorized changes and data breaches during electronic transmission. Develop procedures for the proper way to destroy PHI when appropriate.
CE/BAs must adhere to HIPAA Privacy Rules as well. Compliance assessments must occur on a routine basis.
What Is a HIPAA Security Breach?
HIPAA § 164.402 defines a breach as any acquisition, access, use, or disclosure of PHI. This rule excludes the following situations.
The first is an unintentional breach by staff members of authorized (CE/BA). It’s considered unintentional if the acquisition, access, or use was made in good faith.
The action must have occurred within their scope of authority. Last, it must not have led to further use or disclosure.
Inadvertent disclosure involves the access and sharing of PHI between authorized persons at a CE/BA. The PHI must not have been used or disclosed in any further manner.
Last, the CE/BA must, in good faith, believe the unauthorized person who received the PHI won’t keep or use it.
Steps to Take If a Breach Occurs
If someone in a facility suspects a possible breach, an investigation must take place. They must determine if the breach meets HIPAA’s “low probability of compromise” threshold. Facilities should assume a breach if they suspect a compromised PHI privacy and security.
The “date of discovery” describes the date that a CE/BA or facility finds a credible breach. If the breach involved over 500 people, notify a prominent media outlet in the affected area. Also, notify the HHS. All involved individuals must also receive a notification.
In cases involving less than 500 people, the facility/CE/BA can keep a log of relevant data. They must notify HHS within 60 days after the end of the calendar year.
How Do You Prevent Security Breaches?
HIPAA only mandates initiation of the breach notification process for unsecured PHI. Thus, let’s turn our attention to breach prevention.
Develop policy and procedure manuals for the following:
- Disaster recovery
- Patient privacy
Also, include manuals covering provider, employee, patient, and CE/BA procedures.
Complete a risk assessment of physical, technical, and personnel vulnerabilities. How many people and devices have access to PHI? What natural disasters occur in your area that might compromise security?
All employees must complete privacy training on a routine basis. How will you structure this training? How will you document staff participation?
Steps to Take to Ensure HIPAA Compliance with Remote Workers
Today’s workplace has changed dramatically. Many individuals now work from home or other remote locations. They may travel for their work activities as well.
This can make HIPAA compliance more challenging. The following suggestions can help ensure the protection and compliance of remote workers.
- Ensure home wireless routers have encryption capability
- Change wireless router passwords on a set schedule
- Ensure all personal devices with access to PHI are encrypted and password protected
- Don’t allow access to the facility network until devices are configured, have firewalls, and antivirus protection
- Encrypt PHI before transmission
- Mandate that all employees use a VPN when remotely accessing the company network
- Provide all employees with a HIPAA-compliant shredder
- Provide lockable file cabinets or safes to store hardcopy PHI
Develop policies and procedures outlining expectations for employee work protocols. Prior to beginning remote work, have employees sign a Confidentiality Agreement. If you allow employees to use their own device, establish a Bring Your Own Device Agreement.
Behavioral protocols may include the following.
- Never allow anyone else to use your device that contains PHI
- Mandate adherence to media sanitization policies
- Mandate that employees disconnect from the company network when they stop working.
- Set up IT configured timeouts that disconnect the employee from the network
Review and document all remote access activity.
Are You a Healthcare Provider or in Charge of a Health Facility?
All businesses that collect, store, process, and share PHI must maintain HIPAA compliance. This article described how to become HIPAA compliant. It also addressed special considerations for remote workers
HIPAA Security Suite provides solutions to assist healthcare organizations and CE/Bas meet HIPAA regulations. We also help you ensure ongoing compliance. Contact us today to ask questions and learn more about our services.