Many medical businesses know that the Health Insurance Portability and Accountability Act or HIPAA, as it is commonly known, can be a major source of frustration, hard work, and confusion when it comes to compliance with retaining patient health data privacy. Sticking to the letter of the law in HIPAA compliance can be incredibly challenging. Here is some advice for doctor’s offices and other providers looking to get kosher in terms of keeping up with what this legislation requires.
When it comes to HIPAA compliance, a minimum plan is better than none. A basic policy forbidding employees to release patient health data and covering paper documentation and online viewing in the office is a good start. Make this policy a part of your New Hire Orientation Packet. Some of the best policy practices, however, incorporate items related to security access and protocol, non-use of public servers or unsecured Internet hotspots, and reporting infringements without retaliation from the employer. A solid IT team will assist you with implementation and policy for your technology resources. You will also want to confirm you meet your state’s privacy laws and that your service providers meet compliance at a federal and state level.
One key aspect of HIPAA relates to information storage - on site, online or off premises. If this is paper documentation, a simple lock and key system may suffice with a limited number of users. For online systems, it’s important to train staff on how to prevent unauthorized access. Each computer station, application or program, and websites requiring a login should be accessed by each individual with his or her own unique username and password. Be sure that if the employee voluntarily leaves or is terminated, you have a procedure in place to deactivate or delete access to all systems.
Most plans for HIPAA compliance work best when everyone is in the loop. From doctors to front desk clerical workers, everyone should know what the business policy is and how to achieve it together. When you are creating your policy or revise, a facilitated group meeting can raise points and identify potential risks that may have otherwise been overlooked.
With information overload and a lot of hardships encountered by medical businesses in meeting HIPAA compliance, your patients will want to know how you handle their sensitive information, especially as more and more practices utilizes electronic health record systems. Have handouts or other materials available to assure them you have a system in place to proactively manage and handle their data. Your plan should also include procedures on how your staff discusses patient cases on and off site and the importance of keeping identifiable patient information secure. Offices that take time in coming up with a good system stand the best chance of building a truly adaptive HIPAA compliance plan.
Some government agencies and other groups can help advise a medical business on the best way to comply with HIPAA, where doctors who try to do this entirely on their own can overlook some major issues or take compliance entirely too far. Questions to ask might include:
- What are the basics my plan has to include? What elements aren’t mandatory but necessary?
- What security measures are required for technology resources?
- How often do I have to update my policy?
- What information is not restricted by HIPAA?
- Do I have to inform my patients on how I use or disclose their information?
Passive office structures often leave key people uninformed and uninstructed. Make sure that messages on HIPAA compliance and other critical administrative aspects get to all of the right people on a regular basis. If it is a policy or procedure, formalize this process with a signoff and acknowledgement that the individual has read, understood, and will comply.
Some medical offices fall into the trap of creating elaborate indoor areas with fountains, cubicles, or other sound reducing features. While this may be effective in some cases, in others, it may not be enough for true compliance and might also end up being quite expensive. Ensure that the basics are met including keeping all paper based patient and financial sensitive data face down or covered, computer screens go blank if unused after a certain timeframe, and computer programs are set to auto logout if idle after a specific amount of time has passed.
One of the big mistakes made by top management is to disregard HIPAA compliance issues until there is a breach, and then come down hard on employees. Instead, create the up-front plan to be more informative than threatening so that employees will feel safe in voicing concerns without fear of reprisal. You may want to include a section on how to report a potential or actual breach and the action steps that will follow.
HIPAA compliance plans that happen in back rooms are sometimes just filed away and never acted on. While this might be somewhat of a hedge in the case of HIPAA violation, it’s not really going to do much during any kind of substantial audit. Review and update your plan at least annually and take the time to retrain your staff on meeting compliance.
From regular e-mail to Facebook and Twitter, there are a lot of new ways that employees can unknowingly create HIPAA violations. Cover all of these social media platforms in your staff trainings and certainly address them in your HIPAA compliance plan. Cover specifics like never post information about actual patients unless you have written consent from the patient, never use patient names in electronic communications unless the platform meets HIPAA compliance, and never post photographs unless written authorization from the patient is on file.
While there is a lot to wrap your head around with achieving HIPAA compliance, ignoring this or taking a laid back approach can result in your reputation becoming irreparably tarnished. Even worse, you could lose not only your shirt but also the practice you’ve worked so hard to attain. Remain vigilant and designate someone in your business to take the lead in tackling, implementing and executing your policy and procedures.
More expert advice about Industries
Photo Credits: Lab Tour by Flickr: jurvetson; Check Man, Cross Man and Jump Man © ioannis kounadeas - Fotolia.com