However, some suggestions apply to organizations of any size and the employees who work for them. Here are a few HIPAA do’s and don’ts for employers and employees.
HIPAA Do’s for Employers
When thinking about HIPAA compliance, the most important thing to remember is that it’s ultimately all about patients’ protected health information (PHI). That is literally why the law was written: to provide standards for protecting the privacy and security of PHI in physical and electronic (ePHI) formats and to guarantee that patients have a right to access their own PHI.
Here are three HIPAA do’s for employers to remember:
1. Do a Security Risk Assessment (SRA) Annually
The first reason to conduct an SRA annually is that the law requires it to be done regularly, and best practice standards have defined “regularly” to mean once per year.
Covered entities like healthcare providers and insurance companies must complete six individual audits as part of a complete SRA, including:
- The Asset & Device Audit
- The IT Risk Analysis Questionnaire
- The Physical Site Audit
- The Security Standards Audit
- The Privacy Standards Audit
- The HITECH Subtitle D Privacy Audit
Business Associates that must take possession of PHI to provide services for covered entities can skip the Privacy Standards Audit, but they must complete the other five.
The second reason to complete an SRA annually is that it gives an organization a snapshot of where there may be gaps that could leave PHI vulnerable. Identifying these gaps and creating plans to eliminate them is good for patients and wise for your organization. Failure to complete a security risk assessment is one of the most common violations found in HIPAA audits.
2. Do Document Everything
If you have done everything required to fulfill every part of the HIPAA rules and regulations, you will still fail a HIPAA audit if you can’t prove you’ve done it.
That means keeping a record of all SRAs, gap remediations, HIPAA policies, employee training and attestations, business associate agreements, and possible breach incidents. It also means updating these items as needed and documenting those changes when they occur.
HIPAA’s attitude is that if you can’t prove it, it never happened. So make sure you can prove it.
3. Do Respond to HIPAA Right of Access Requests Promptly
Under HIPAA, when a patient makes a written request for their medical records to a healthcare provider or insurance company, the covered entity has 30 days to respond. Even if they are “difficult” patients, and even if they have outstanding balances on accounts, a healthcare provider must provide the records in a timely manner.
The HIPAA Privacy Rule considers patient records held by a doctor to be patient property. There is no justifiable reason to refuse to grant a patient’s right of access request. HIPAA auditors with the Office for Civil Rights (OCR) have made right of access enforcement a priority, resulting in 41 fines and settlements in the past three years. In the last 14 cases, the average HIPAA fine for violations was $55,785.