Are you involved in an industry that handles protected health information? Is your facility compliant with HIPAA?
Do you know if the businesses that you work with follow HIPAA rules?
Do you want HIPAA explained in simple terms? Continue reading this article to learn more about HIPAA. You will also find a guide for ensuring your facility is HIPPA compliant.
The Intent of HIPAA Explained
The Health Insurance Portability and Accountability Act (HIPAA) went into effect in 1996. HIPAA’s purpose was to ensure that patients can keep health insurance when changing jobs. The act includes:
∙ A guarantee for health insurance coverage during employment
∙ Provides health insurance coverage between jobs
∙ Provides paid and guaranteed leave
∙ Established the Family Medical Leave Act (FMLA)
Also, HIPAA protects the access to and distribution of protected health information (PHI). The U.S. Department of Health and Human Services (HHS) established the Privacy Rule in 2003. This rule includes national standards aimed at protecting specific health information.
This Rule and Act regulate the use and disclosure of PHI. The term, “covered entities”, means all organizations that fall under the Privacy Rule. Covered entities must establish policies to protect PHI and control PHI use.
The Office of Civil Rights implements and enforces the Privacy Rule. They check for compliance and may impose civil monetary penalties.
Understanding HIPAA in the Daily Setting
PHI includes every detail that can identify an individual. This may include:
∙ First name and/or last name
∙ Social security number
∙ A person’s past, present, or future physical and mental medical condition
∙ Patient care details including appointment times, provider’s names, tests, and diagnoses
∙ Past, present, and future payments of healthcare including paid and unpaid bills
Without staff diligence, this information can be accidentally communicated. Many cases of non-compliant transmission of information have occurred via:
∙ Overheard conversations
∙ Unshredded documents placed in the trash
∙ Gossip between healthcare and/or non-healthcare providers
∙ Documents accidentally sent to the wrong party
These examples underscore the diligence required to protect PHI. One common healthcare mantra is “only share information on a need-to-know basis”.
Who Must Follow HIPAA Regulations?
HIPAA regulations apply to all professionals with access to patient information. This includes healthcare professionals, insurance companies, and employees in healthcare facilities. Third-party insurance entities that access PHI must be HIPAA compliant.
These organizations bear the responsibility of educating all employees about HIPAA regulations. Company workers and sub-contractors must understand all policies addressing HIPAA compliant communication. The organization is held accountable for ensuring compliance.
A HIPAA compliant phone service offers secure communication including HIPAA compliant texting. This app also includes secure voicemail services.
Consider having a second line dedicated to the communication of patient data. This provides increased protection for your patients and your company.
Steps to Take to Ensure HIPAA Compliance
Establish a regular schedule for review and revision of HIPAA policies. As technology continues to change, new issues related to compliance arise. The following are steps to ensure ongoing HIPAA compliance.
Select a person or team to review HIPAA policies from the perspective of an outsider. You may even wish to hire a company to perform the audit. This identifies areas that need review and improvement.
Focus this assessment on 3 specific areas:
Are all electronic communication devices protected against unauthorized access and data breaches? Using HIPAA-compliant software increases your protection. Regular software updates and security scans help improve your defense shields.
Review all measures for guarding against physical theft or loss of equipment that contains PHI. Enforce the use of unique logins, PINs, and passwords on all computers and mobile devices. Establish policies that prevent the sharing of these access credentials.
Place all hardcopy and digital devices that contain PHI in restricted areas. These areas should only allow access by personnel who work in that area. Put screen guards and short-timed logouts on computers located in public areas.
Conduct thorough reviews to determine if PHI is only accessible to authorized personnel. It’s helpful to choose a HIPAA Security and Privacy Officer. This individual routinely reviews activity logs, user access, and more.
You’ll feel confident in your HIPAA compliance when you’ve optimized these safeguards.
Search for Document Compliance Risks
After conducting the above audit, create a list of all deficiencies found. Next, gather the appropriate personnel to work on resolving these risk areas. Document each measure that you take.
Once new solutions are in place, educate the staff impacted by the changes. Conduct follow-up monitoring to ensure that the new policies are strictly followed.
Develop Remediation Plans
Some identified deficiencies require further remediation to ensure compliance with new processes. Follow the same outline for implementation as you did for the audit.
If you found problems with some of your vendor’s compliance, you may need to make changes. These changes may involve using a different or updated software solution. It may also mean changing vendors to ensure your agency’s compliance.
During the assessment, you may find physical factors contribute to risks. You may need to redesign workstations to create more secure environments. The audit may show that you need to add more access restrictions.
Defining a HIPAA Security officer can strengthen compliance. Empower this individual to focus on ensuring compliance and taking corrective actions. This individual can also be the gatekeeper for granting access to PHI.
Make Sure All Third-Party Partners are HIPAA Compliant
It’s your responsibility to ensure that you only work with HIPAA-compliant businesses. Ask for a copy of their policies and procedures. Make this part of your routine HIPPA compliance review.
The Final HIPAA Omnibus Ruling defines a business associate as:
∙ Health information organizations
∙ E-prescribing gateways
∙ Any entity the conducts PHI data transmission services
∙ Any entity that must have access to PHI on a routine basis
This can include your software vendors, specialty supply companies, insurance companies, and others. Be sure that you document your due diligence in vetting third-party associates.
HIPAA: Now You Know
HIPAA is an important part of the medical community and falls back to the procedures and other aspects of patient care.
That’s HIPAA explained, but if you’re looking for other related topics, keep searching on our website. We offer many articles on topics like this one.
You’ll find information about creating a curriculum vitae and writing a business brochure.
We have articles about the latest apps. The list goes on! Bookmark our site today so that you can return and read new articles.
Healthcare Business Today is a leading online publication that covers the business of healthcare. Our stories are written from those who are entrenched in this field and helping to shape the future of this industry. Healthcare Business Today offers readers access to fresh developments in health, medicine, science, and technology as well as the latest in patient news, with an emphasis on how these developments affect our lives.