If you run a business in the health care sector, you already know you must protect your consumers’ health information.
But how do you avoid potential problems while trying in earnest to comply with HIPAA (the Health Insurance Portability and Accountability Act)? Proceed with confidence by using these three tips.
Understand Why HIPAA Matters
Passed by Congress in 1996, HIPAA likely represents the most far-reaching legislation of its kind. Its purpose is to protect patients — not burden, annoy, or confuse health-care-related businesses. It does this two ways:
- Efficiency — HIPAA improves the efficiency of health care delivery by standardizing the exchange of electronic data and streamlining transactions.
- Protection — HIPAA protects the confidentiality and security of personal health data by setting and enforcing standards.
Evolution
The initial aim of HIPAA was to make health insurance more portable for those changing jobs and to strengthen protections against fraud and abuse.
As technology and health care evolved, HIPAA evolved, too:
- In 2000 and 2002, HIPAA Privacy Rule amendments strengthened privacy standards for individually identifiable health information, addressing what patient health information is protected and how the information can be used and disclosed.
- In 2009 the Health Information Technology for Economic and Clinical Health Act — the “HITECH” Act — was enacted to further address issues involving the electronic transmission of health information.
- In March 2013, the U.S. Department of Health and Human Services issued additional privacy rules, with a requirement for compliance by Sept. 23, 2013.
- In 2016 audits debuted as part of the HITECH Act, making any HIPAA-regulated provider potentially subject to audits of their privacy, security, and breach-notification protocols.
Know the Three Areas of HIPAA Compliance
The goal of the security portion of HIPAA is to protect private health data while allowing covered entities the flexibility to implement policies, procedures, and technologies appropriate to their size and structure. The security rule comprises three areas of compliance: technical, administrative, and physical.
Technical
Technical safeguards involve access control, audit control, integrity, person or entity authentication, and transmission security. Some examples:
- Controlling access with unique user identification, emergency-access procedures, automatic logoff, encryption, and decryption
- Protecting records from improper alteration or destruction using view-only versus update-access mode, determining who can delete a patient file, and knowing state requirements for records retention
- Having protocols for verifying that a person or entity seeking access to protected health information is the person or entity claimed
Administrative
Administrative safeguards include a variety of steps, including some related to team compliance:
- Keeping communication about patient information to a minimum when in public areas
- Locking computers when not in use, logging out after every session, and using only individual passwords at workstations
- Having strong policies and procedures regarding the use of social media in the workplace
Physical
Physical safeguards involve various considerations such as:
- Restricting physical access to computers, mobile devices, servers, files, and other sensitive equipment or documents
- Implementing access control and validation procedures concerning badges, keys, and key cards
- Having a facility security plan to prevent unauthorized access, tampering, and theft
Stay Up to Date
HIPAA compliance isn’t a one-time event. Stay atop any changes in the law or regulations and work to continuously improve your compliance.
Annual trainings are crucial to staying current, providing an opportunity to:
- Roll out HIPAA updates, integrating them into your policies and protocols
- Check in with team members regarding questions, challenges, and ideas related to compliance
- Align your team with your practice’s standard operating procedures