HIPAA Do’s and Don’ts for Employers

The Health Insurance Portability and Accountability Act (HIPAA) applies to medical providers, insurance companies, and business associates of all sizes. Because the law is massive in scope and requires full compliance with every part, there is no “one size fits all” plan for HIPAA compliance.

However, some suggestions apply to organizations of any size and the employees who work for them. Here are a few HIPAA do’s and don’ts for employers and employees.

HIPAA Do’s for Employers

When thinking about HIPAA compliance, the most important thing to remember is that it’s ultimately all about patients’ protected health information (PHI). That is literally why the law was written: to provide standards for protecting the privacy and security of PHI in physical and electronic (ePHI) formats and to guarantee that patients have a right to access their own PHI.

Here are three HIPAA do’s for employers to remember:

1. Do a Security Risk Assessment (SRA) Annually
The first reason to conduct an SRA annually is that the law requires it to be done regularly, and best practice standards have defined “regularly” to mean once per year.

Covered entities like healthcare providers and insurance companies must complete six individual audits as part of a complete SRA, including:

  • The Asset & Device audit
  • The IT Risk Analysis Questionnaire
  • The Physical Site Audit
  • The Security Standards Audit
  • The Privacy Standards Audit 
  • HITECH Subtitle D Privacy Audit

Business Associates that must take possession of PHI to provide services for covered entities can skip the Privacy Standards audit, but they must complete the other five.

The second reason to complete an SRA annually is that it gives an organization a snapshot of where there may be gaps that could leave PHI vulnerable. Identifying these gaps and creating plans to eliminate them is good for patients and wise for your organization. Failure to complete a security risk assessment is one of the most common violations found in HIPAA audits.

2. Do Document Everything
If you have done everything required to fulfill every part of the HIPAA rules and regulations, you will still fail a HIPAA audit if you can’t prove you’ve done it.

That means keeping a record of all SRAs, gap remediations, HIPAA policies, employee training and attestations, business associate agreements, and possible breach incidents. It also means updating these items as needed and documenting those changes when they occur.

HIPAA’s attitude is that if you can’t prove it, it never happened. So make sure you can prove it.

3. Do Respond to HIPAA Right of Access Requests Promptly
Under HIPAA, when a patient makes a written request for their medical records to a healthcare provider or insurance company, the covered entity has 30 days to respond. Even if they are “difficult” patients, and even if they have outstanding balances on accounts, a healthcare provider must provide the records in a timely manner.

The HIPAA Privacy Rule considers patient records held by a doctor to be patient property. There is no justifiable reason to refuse to grant a patient right of access request. HIPAA auditors with the Office for Civil Rights (OCR) have made right of access enforcement a priority, resulting in 41 fines and settlements in the past three years. In the last 14 cases, the average HIPAA fine for violations was $55,785.

HIPAA Don’ts for Employers

While there are many things employers shouldn’t do when it comes to HIPAA compliance, there are a few that stand out:

1. Don’t Allow Employees to Share Passwords
This activity undermines your ability to comply with two major provisions of HIPAA: the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule defines standards for protecting the privacy of patient PHI by limiting the unauthorized release of data. Unauthorized release to individuals outside your practice is a blatant violation of this rule. 

But the Privacy Rule also applies to users inside your organization. The HIPAA minimum necessary standard states that users should only have access to the minimum amount of PHI needed to perform their jobs. That means billing clerks should not have access to a patient’s entire record, and nurses should not peek at records for patients they are not responsible for treating. If employees share passwords, you cannot control access to patient records.

Because sharing passwords violates widely accepted practices for data security, it would also violate the standards of the HIPAA Security Rule. Simply put, don’t share passwords.

2. Don’t Ignore the Office for Civil Rights
As we mentioned earlier, OCR is responsible for enforcing HIPAA. Their investigations can be triggered by breach notifications, random audits, or by patient complaints.

If OCR contacts you, the worst thing you can do is ignore them. In the past year alone, there have been at least two instances of doctors ignoring multiple requests for information from OCR auditors concerning right of access complaints.

As a result, each doctor was fined $100,000 for the violations. By comparison, a mental health practice responded quickly and received a $3,500 penalty. 

The choice is yours. OCR auditors will not go away if you ignore them. Doing so will cost you in the long run.

One Final HIPAA Don’t: Don’t Go it Alone

Compliancy Group has nearly 20 years of experience in helping medical professionals from all specialties navigate HIPAA compliance in a way that simplifies the process and fulfills every requirement of the law. Let us be the cure for your HIPAA headaches.