Being HIPAA-compliant has never mattered more to the healthcare industry than it does today. With data breaches increasing and healthcare processes modernizing quickly, healthcare businesses of every size must comply strictly with HIPAA standards to safeguard sensitive, private patient data.
To help, HIPAA consulting company Techumen and similar firms share a brief HIPAA compliance checklist covering the basics you should know.
1. Understanding The HIPAA Privacy Rule
First on your compliance checklist is understanding what you must be compliant with. The HIPAA Privacy Rule is the main component that every applicable business should familiarize itself with. It explains how and when authorized personnel may access Protected Health Information (PHI), and those personnel include healthcare professionals, lawyers, administrators, and just about anyone else within your small healthcare business’s information ecosystem.
The rule mandates appropriate safeguards and precautions to protect the privacy of PHI and sets limits on how that information may be used and disclosed. It also gives patients certain rights over their PHI, including the right to request corrections and to obtain copies of their records.
2. Does The Privacy Rule Apply To You?
Next, you will need to assess and confirm whether the Privacy Rule applies to your small healthcare business. Keep in mind that the Privacy Rule protects PHI by regulating the practices of all covered entities, from nurses and doctors to insurance providers, and it reaches their business associates (such as law firms and IT vendors) through the contracts those entities must have in place.
Covered entities are the organizations and people that hold and process PHI for their patients or customers. In general, these include:
- Healthcare Providers: Doctors, psychologists, dentists, chiropractors.
- Healthcare Organizations: Clinics, hospitals, nursing homes, pharmacies.
- Health Insurance Companies: HMOs, government-provided health care plans, company health plans
- Healthcare Clearinghouses: These entities process the healthcare data from another entity into standard form.
3. Securing The Right Data
Once you have determined that HIPAA applies to you, you need to know which types of patient data you must protect. Then, start putting the proper privacy and security measures in place.
HIPAA defines PHI as ‘individually identifiable health information’ created, received, stored, or transmitted by a covered entity or its business associates. It can be in any form, from verbal communications to paper and electronic copies.
More specifically, PHI covers information about an individual’s past, present, or future physical or mental health condition, the details of the care provided to the individual, and payment for that care, where the information identifies the individual or could reasonably be used to do so.
Such data usually includes:
- Name
- Contact information such as email, telephone numbers, and physical address
- Dates directly related to the individual, such as birth, death, admission, discharge, and treatment dates
- Medical record numbers
- Social Security number
- Photographs and digital images
- Voice recordings, fingerprints, and other biometric identifiers
- Any other unique identifying number, code, or account number
4. Recognizing Common HIPAA Violations
HIPAA violations can occur in any number of ways, so it is also critical to understand what a violation is and how it happens. Most violations originate internally rather than with a cybercriminal or outside hacker.
Typically, violations stem from partial compliance with the Privacy Rule or from negligence on the part of covered entities. Failing to configure software properly for HIPAA compliance is an example of an unintentional violation. A misplaced paper file or a workstation left unlocked in a public setting is not malicious, but it still violates HIPAA.
Here are other cases that can lead to HIPAA violations:
- Discussing PHI in public
- Sending PHI to the wrong people or business partner
- Posting PHI to social media
- Physical office break-in
- Ransomware, malware, or hacking
- Theft of equipment and devices that store PHI
The violations that your healthcare business is most at risk for will depend on the nature of your practice and relationship with patients and their data.
5. Reporting Breaches And Violations
The HIPAA Breach Notification Rule requires that every affected client or patient be notified when their unsecured PHI has been, or is reasonably believed to have been, compromised, stolen, or otherwise exposed. How and when you must inform your patients and regulators depends on the size of the breach.
For a smaller breach, one affecting fewer than 500 individuals, the Breach Notification Rule still requires specific actions. You may log such breaches and report them to the regulator once a year, within 60 days of the end of the calendar year in which they were discovered. Affected individuals, however, must be notified without unreasonable delay and no later than 60 days after the breach is discovered.
For a major breach, one affecting 500 or more individuals, you must report to the Department of Health and Human Services Office for Civil Rights (OCR) without unreasonable delay and no later than 60 days after discovering the breach. Affected individuals must be notified on the same timeline.
Furthermore, if a breach affects more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area, again no later than 60 days after discovery. Reporting to law enforcement is not itself a HIPAA requirement, but if a law enforcement official states that notification would impede an investigation, the required notifications may be delayed for the period requested.
When you report a breach, you need to provide:
- A description of the PHI that was exposed
- An explanation of how the breach occurred and when it was discovered
- Evidence of whether the PHI was actually viewed or acquired
- Who accessed or received the data; and
- The mitigation steps taken so far
HIPAA was created to ensure that patients’ PHI stays protected. By following the checklist above, your healthcare organization should be able to take the steps needed to protect healthcare data.