HIPAA compliance is not something that you want to mess around with. Infractions can cost businesses up to $250,000 in fines, depending on the severity of the violation. HIPAA stands for Health Insurance Portability and Accountability Act and its main purpose is to protect private patient health information. It is important for businesses and organizations to understand the fundamentals of HIPAA rules so they can remain compliant, especially when it comes to technology solutions.
Who must be HIPAA compliant?
HIPAA rules apply to two groups: covered entities and business associates. A covered entity is any healthcare provider or health plan. These are examples of covered entities:
- Health insurance companies
In addition, companies that deal with private health information on behalf of a covered entity must be HIPAA compliant. These are known as business associates. Some examples are:
- IT providers
- Billing and coding services
Tips for compliancy
One of the weakest links for most organizations in regards to HIPAA compliance is with their technology. It’s usually because they don’t have the budget for it or because they simply don’t understand it. Neither is a good excuse. In order to become and remain HIPAA compliant, covered entities and business associates should pay close attention to the following tips:
Analyze your risks. Before anything else, you need to take stock of how ePHI is being accessed, stored, and transmitted. You should bring in a professional who has experience in helping businesses become HIPAA compliant. At this time, you will be able to see where vulnerabilities lie.
Encrypt electronic protected health information (ePHI). Encryption allows private data to be unreadable even if a device is physically stolen. It is the first line of defense when it comes to protecting sensitive information. HIPAA laws require you to encrypt ePHI when it is stored and transmitted.
Store ePHI in a secure environment. The servers and workstations on which ePHI are stored should be physically and virtually protected from anyone that should not have access. That includes locks on doors and strong passwords on devices. If you store your health information in the cloud, make sure to choose a reputable, secure cloud provider.
Employ the right technology solutions. This means that you need to be using basic security measures such as a hardware firewall and antivirus protection. This is a minimum when it comes to securing the private data. Most ePHI records are not breached physically, but rather digitally as cybercriminals find entryways. Using the right technology will help to minimize the chance that a hacker can find his way in.
Limit who has the ability to access certain information. The lady at the front desk of your dental practice probably doesn’t need access to ALL data while the dentist doesn’t need access to a patient’s billing information. It’s best to only allow certain people to access certain records. This will ensure that information isn’t seen by prying eyes. It also makes it harder for cybercriminals to find their way in by using someone’s login credentials. Access to data should only be granted when it is job critical and when they have been properly trained in HIPAA compliance.
Keep all hardware and software updated and patched. Updates in technology usually patch known vulnerabilities in hardware and software. Sometimes these vulnerabilities are being actively exploited by cybercriminals. That’s why it is important to keep technology regularly updated by installing software updates and replacing hardware when it becomes outdated.
Keep staff well-trained and informed about proper use, storage, and transmission of ePHI. One of the most common causes of data breaches and HIPAA violations is employee mistakes and it’s usually because they don’t know any better. Healthcare organizations need to perform regular training sessions with employees so they are kept abreast of the latest technologies and how they relate to HIPAA compliance.
Hire an IT company that is HIPAA compliant. An experienced IT company will be able to assist you greatly in becoming and staying HIPAA compliant. In addition, that IT company should be compliant themselves since they count as a business associate. An IT company will be able to keep software and hardware updated, monitor the network 24/7, and make technology solution recommendations. Your best bet is to get on a managed service agreement with a reputable IT company. Instead of waiting until something breaks to fix it, your technology is continually managed.
Keep proper backups of data. Make sure that ePHI is continually backed up and that there is a plan to access backed up data in case of data loss. You should establish procedures that will allow critical business functions to continue in the event of an emergency.
Perform regular evaluations. Once you are HIPAA compliant, you need to stay that way. You should review your business practices regularly and compare them with current laws and technologies.