The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, can be difficult to navigate. The law was written intentionally vaguely because it is meant to apply to anyone working in healthcare, whether a one-doctor practice or a large hospital. The following clarifies what HIPAA medical compliance entails.
- Learn the terminology
  - HIPAA: the Health Insurance Portability and Accountability Act, enacted in 1996, established industry standards on the privacy, security, and electronic transmission of PHI.
  - PHI: protected health information is any individually identifiable health information, such as name, address, date of birth, medical history, and financial information.
  - Privacy Rule: sets standards on the protection of PHI transmitted or held in any medium. Privacy guidelines include patient authorization for use and disclosure of PHI and a Notice of Privacy Practices (NPP).
  - Security Rule: sets standards on safeguards for PHI confidentiality, availability, and integrity. Security guidelines include implementing physical, technical, and administrative safeguards.
  - HITECH: the Health Information Technology for Economic and Clinical Health Act, enacted in 2009, strengthens the Privacy and Security Rules by promoting meaningful use of Health Information Technology (HIT).
  - Enforcement Rule: relates to compliance, investigations, and the civil monetary penalties for violations.
  - Breach Notification Rule: states that in the event of a data breach, you must report the incident. If the breach is a “meaningful breach,” affecting more than 500 individuals, you must notify the government, media, and affected persons within 30 days. In the case of a “non-meaningful breach,” affecting fewer than 500 individuals, you have until the end of the calendar year for notification and do not need to alert the media. However, many states have their own breach notification rules that are more stringent than the federal law. Many of the state rules mandate that any organization operating in their state, even if it is not their main area of operation, must adhere to that state's breach notification laws.
- Protect PHI
As part of HIPAA medical law, organizations are mandated to have physical safeguards in place protecting the PHI they work with. Physical safeguards concern the security of your physical location. You must store PHI on an encrypted server and ensure that only authorized personnel have access to it. In addition, anyone entering an area where PHI may be visible must sign a confidentiality agreement; this applies only to individuals who do not handle PHI themselves, such as a cleaning crew or a plumber.
- Implement device management
All devices that access PHI should be encrypted and password protected. Each individual must have unique login credentials; you should never share your password.
- Instill administrative policies
HIPAA medical regulations require PHI access to be limited to only those who need access as part of their job. As such, organizations must have policies and procedures in place for who can access PHI. Staff must also understand that PHI is confidential and should not be discussed in areas in which they may be overheard.
- Adopt technical safeguards
Email is a convenient and easy way to communicate; however, you should never send PHI in an unencrypted email to external entities. You may, however, use unencrypted email to send PHI within your internal network.
- Standardize use and disclosure of patient files
The HIPAA Privacy Rule established the “minimum necessary rule,” which states that PHI should only be accessed by those who need it as part of their job. Additionally, you must only access PHI in relation to a specific task, such as a billing service accessing a patient's payment information.
- Be conscious of your digital footprint
Many electronic medical record (EMR) services enable administrators to monitor who accesses what and when.
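The two points above, the minimum necessary rule and the access monitoring that EMR systems provide, come together in a periodic access review. The following is an added example, not code from the original article or from Compliancy Group, and not the audit-log format of any real EMR product: the log line layout, the role permissions, the care-team table, and the `parse_line` and `review` functions are all assumptions made for illustration. It reads constructed access-log lines and flags accesses that either fall outside what a role needs for its job or involve a patient the user has no documented relationship with.

```python
"""Minimum-necessary review over constructed EMR access-log lines.

Added example. The log format, the role policy and the care-team
table below are all invented for illustration (assumptions), not
taken from any real EMR product.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (not from any real system).
# Format assumed here: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=dr.lee role=physician patient=P1001 action=view_chart
2024-03-04T09:15:44 user=billing.ann role=billing patient=P1001 action=view_billing
2024-03-04T09:20:10 user=billing.ann role=billing patient=P1001 action=view_chart
2024-03-04T22:41:03 user=dr.lee role=physician patient=P2002 action=view_chart
2024-03-04T10:02:30 user=nurse.kim role=nurse patient=P2002 action=view_chart
"""

# Assumed role policy: the actions each role needs to do its job.
# This is the "minimum necessary" expressed as data.
ROLE_PERMITS = {
    "physician": {"view_chart", "update_chart", "view_billing"},
    "nurse": {"view_chart", "update_chart"},
    "billing": {"view_billing"},
}

# Assumed care-team table: users with a treatment or billing
# relationship to each patient. Access outside this table needs a reason.
CARE_TEAM = {
    "P1001": {"dr.lee", "billing.ann"},
    "P2002": {"nurse.kim"},
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_line(line: str) -> AccessEvent:
    """Parse one 'timestamp key=value ...' log line into an AccessEvent."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return AccessEvent(
        ts=datetime.fromisoformat(ts_str),
        user=fields["user"],
        role=fields["role"],
        patient=fields["patient"],
        action=fields["action"],
    )


def review(log_text: str, role_permits=ROLE_PERMITS, care_team=CARE_TEAM):
    """Return (user, patient, reason) findings for accesses that need follow-up."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Check 1: the action is not part of what this role needs for its job.
        if ev.action not in role_permits.get(ev.role, set()):
            findings.append((ev.user, ev.patient, "action not permitted for role"))
        # Check 2: the user has no documented relationship with this patient.
        if ev.user not in care_team.get(ev.patient, set()):
            findings.append((ev.user, ev.patient, "no documented relationship with patient"))
    return findings


def report(findings) -> str:
    """Format findings as lines a supervisor can follow up on."""
    if not findings:
        return "no findings"
    return "\n".join(f"{user} -> {patient}: {reason}" for user, patient, reason in findings)


if __name__ == "__main__":
    print(report(review(SAMPLE_LOG)))
```

On the constructed log, the review flags the billing user opening a clinical chart (outside the billing role) and a physician viewing a patient who is not on that physician's care team. Neither finding is proof of a violation; a break-the-glass access for an emergency, for instance, can be legitimate, which is why the output is a list for a supervisor to follow up on rather than an automatic sanction.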
As stated previously, organizations that experience a data breach have an obligation to report the incident; this applies to employees as well. In turn, employees must report threats or concerns to their supervisor. Employees are protected under the “Whistleblower Act”; they must be able to report breaches anonymously without fear of repercussion.
When you are unsure if something is HIPAA compliant, it is always better to ask an expert rather than assume.
Would you Like Help Navigating HIPAA Medical?
Compliancy Group can help simplify your compliance, allowing you to confidently focus on your business. Our cloud-based compliance software, the Guard™, can be accessed from any device connected to the internet. In addition, the Guard stores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA Medical compliance needs!