HIPAA is the Health Insurance Portability and Accountability Act, and it sets the standards for protecting patient data. If you are unsure whether you need to comply with HIPAA, the short answer is that you do if you handle protected health information. At a very high level, being HIPAA compliant means ensuring that specific safeguards are in place in your company and that they are actually followed. Use these tips to get HIPAA compliant. For more detailed information, please refer to this security checklist.
- Develop Privacy Policies. The first step is developing, adopting, and implementing the required privacy and security policies and procedures. You must ensure that these policies and procedures are documented. In addition, you must create a plan for what to do if a breach occurs.
- Appoint Privacy and Security Officers. Having the policies and procedures in place is not enough. You must also appoint privacy and security officers to govern these policies and procedures in your business. The person or people you appoint should be well-versed in the HIPAA regulations and policies.
- Conduct Regular Risk Assessments. The best way to better protect your patients and ensure HIPAA compliance is to conduct risk assessments on a regular basis to identify any vulnerabilities. This process can help you to ensure that you are protecting health information. If you discover any vulnerabilities, it allows you to revise policies before there is a breach.
- Adopt Email Policies. While HIPAA regulations may not require you to encrypt email correspondence containing sensitive health information, it is in your company’s best interest to do so. If you are unable to encrypt email, be sure to make your patients aware of this and of the risk it poses to their health information when it is sent through email.
- Adopt Mobile Device Policies. You should have strict mobile device policies that cover the protection of health information. This may mean requiring the removal of all health information stored on the devices, or even keeping such devices off the premises altogether.
- Train Employees On HIPAA Standards. If your employees are in contact with protected health information, it is your responsibility to ensure that they are trained on how to disclose the information and how to protect it. This is a crucial step to becoming HIPAA compliant. When training employees, be sure to document the training. You may also want to offer refresher training courses and train your employees on any new policies and procedures as they are developed.
- Provide All Patients With a Notice of Privacy Practices. This is a document that needs to not only be given to patients, but also displayed in your office and on your website. When you give them the Notice of Privacy Practices, be sure to obtain an acknowledgement of receipt from your patients. Update the notice when you update policies and be sure to include the provisions of the Omnibus Final Rule.
- Only Enter Into Valid Agreements. Because you deal with protected health data on a regular basis, you should only enter into valid agreements with all business associates and subcontractors, to eliminate extra liability. This is an additional step that helps ensure your HIPAA compliance and protects your patients’ health data.
- Adopt Potential Breach Protocols. Protecting the data and preparing for a potential breach are two different things. Even if you are doing everything possible to protect the data, you must also prepare for the case where a breach occurs. This step includes creating a protocol for investigating potential breaches. Many companies use the Risk of Harm Standard and the risk assessment test to determine whether a breach has occurred. If you do find that a breach has occurred, you must document the results and notify the proper authorities.
- Implement Privacy Policies. Your company must actually enforce its privacy and security policies. If an employee violates them, you should apply sanctions to that employee in accordance with your documented protocol.