According to the US Department of Health and Human Services (HHS), there were over 600 healthcare data breaches in 2021. Over 40,000 records were either stolen or exposed.
Federal law requires healthcare providers to protect their patient’s personal information. How effective are your HIPAA compliance measures?
Check out our HIPAA compliance checklist in this article to make sure you’re on the right track.
What Is HIPAA?
HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act (HIPAA.) These are federal laws that control how patient healthcare data is stored.
HIPAA also summarizes how to use and disclose protected health information (PHI.) The Act also updates the transfer of this data and protects it from fraud or theft.
What Does ‘Protected Health Information’ Mean?
Protected health information (PHI) is the information that personally identifies a patient or client. Examples of this information include names and addresses.
PHI protects patient phone numbers and social security numbers. It can also include facial photos and credit card information as well.
Any electronic PHI that’s sent, viewed, or accessed falls under HIPAA guidelines. This electronic information is called electronically protected health information or ePHI.
Who Does HIPAA Apply To?
HIPAA pertains to two kinds of organizations. These organizations are called a business associate or a covered entity. These organization types are outlined below:
Business Associates
HIPAA business associates don’t see patients. Instead, business associates create, receive, or send patient ePHI.
Business associates range from accountants to professional shredding companies. Medical billing companies are also defined as business associates.
Covered Entities
Covered entities are those organizations that create, collect, or send ePHI records. Covered entities are those businesses that directly interact with patients. Covered entities include medical professionals like therapists and doctors.
HIPAA applies to businesses that transmit their patients’ health data in all forms. This information might be sent as referrals to other healthcare providers. It’s also sent regularly to insurance companies for payment.
Subdivisions of HIPAA
HHS drafted these laws that protect patient health data. HIPAA contains the following subdivisions:
HIPAA’s Privacy Rule
The Privacy Rule outlines patients’ rights to view their ePHI. This rule also covers any healthcare provider’s right to see a patient’s ePHI as well as their right to refuse any access at all. The Privacy Rule also outlines what release forms organizations must use to comply with the rule.
HIPAA’s Security Rule
The Security Rule contains the standards for managing and transmitting patient ePHI. This HIPAA Security Rule covers all physical, administrative, and technical protections of patient ePHI.
HIPAA’s Breach Notification Rule
The Breach Notification Rule outlines the national standard to adhere to when a data breach exposes a patient’s records. HIPAA requires organizations to report any data breaches, regardless of their size. Specific procedures for reporting these events will depend on the type of breach.
HIPAA Compliance Checklist
Is your company at risk of any HIPAA violation penalties? If you’re not sure, you need to act right now.
Use this helpful HIPAA compliance checklist to guard your client’s ePHI in the physical, administrative, and technical aspects of your business. Feel free to add more protection as your compliance program comes to life.
1. Manage Physical Protections
Physical protections can range from safeguarding equipment to actual office physical locations that store or processes ePHI. These safeguards can help protect sensitive records from natural hazards as well as physical intrusion.
Make sure your office IT equipment has devices installed that limits ePHI access to authorized users only. This equipment as well as your servers should have malware protection uploaded and updated regularly.
Your team should only create, store, or revise ePHI on equipment that meets your security requirements. Computer monitors should be positioned throughout your office so that unauthorized persons can’t read them.
Direct your team to log off, lock or secure their work computers before they leave the office for the day. They should also secure their computer when it’s unattended.
If your team uses mobile devices (smartphones, laptops, tablets), make sure any ePHI isn’t stored on these devices. Advise them not to store ePHI on removable storage media such as discs or USB drives.
2. Develop Administrative Protections
Administrative protections address the behaviors of personnel who can view, process, or distribute ePHI. You can’t watch your team’s every move. But you can implement administrative safeguards that help you monitor their handling of ePHI through careful programming of your information systems.
Examples of these safeguards include keeping a log of saved, privileged user actions. Ask your administrative staff to review these logs and let you know if there are any modifications made by one of the users. Keep these records for six months or longer.
You can also create a log to report any security-related events. These events could include system failures, connection failures, or access rights changes. Make sure you keep these logs for no less than six months.
3. Implement Technical Protections
Technical protections can help safeguard and control access to information. These safeguards can range from protocols for web hosting to data encryption.
You may use different servers to handle certain tasks like data storage or web hosting. Use an enterprise web hosting solution that will give you the tools you need. These tools will help support patient privacy and separate access information and other permissions.
Make sure your patient billing and personal data are kept on encrypted database tables. Any images or documents you have that were uploaded by your patients should also be in an encrypted form.
Configure each server with different encryption keys and other permissions. Telemedicine sessions should also be transmitted over decoded streams. Schedule regular security assessments to prevent cyber threats and other thefts of private data.
What Are Your Next Steps?
If you’re ready to secure HIPAA compliance for your company, you can start today. Follow this HIPAA compliance checklist. Bring your company’s greatest minds together to draft your plan for securing your company going forward.
Don’t forget to check out our website for more helpful advice. You can schedule a HIPAA high-tech assessment with us today. We’re here to help your company reach its highest potential.