With the number of demands healthcare providers face today – from patient care to administrative requirements, keeping personal health information safe can be a daunting task. Ensuring compliance under federal regulations is not optional and non-compliance can be costly enough to put you out of business. In fact, according to the American Medical Association one HIPAA violation alone can cost up to $1.5 million annually.
It’s also not just healthcare providers that need to be diligent—any business associate that maintains data on behalf of a provider could be potentially liable for violations. To help better understand what you might be liable for and when, here are five steps you can take to safeguard against the unintentional distribution of sensitive patient information.
1. Ensure HIPAA compliance. With all of the HIPAA changes over the past few years it can be difficult for many program leaders to understand the latest regulations and ensure they are in compliance. Making sure you are aware of all HIPAA updates is an absolute first and non-negotiable step—as non-compliance can bring about potential legal action and fines, along with other undesirable and significant side effects.
In today’s ever-growing technological environment it is not just healthcare providers that need to ensure compliance, the Omnibus Final Rule now makes both subcontractors of business associates directly liable for compliance with certain parts of the Security Rule and HIPAA Privacy requirements. Additionally, as of late 2013, all providers that maintain protected health information on behalf of covered entities are subject to HIPAA and Health Information Technology for Economic and Clinical Health (HITECH). Per HIPAA, those providers are considered “business associates,” whether or not they actually view the information they hold.
With these new rules putting liability on the provider for breached protected health information, it is important to communicate with all staff and business associates to ensure they not only understand, but adhere to HIPAA regulations.
2. Conduct risk assessments. Completing up-to-date risk assessments is another important step in keeping patient information safe and maintaining compliance. By doing these frequently, you can become aware of information and potential threats that may be contributing to your organization’s current risk profile. Additionally, you will gain a clearer picture of the specific elements that increase your susceptibility to a data breach.
Upon completing an assessment, you may find that a small change, like reconfiguring your office space so the public can’t view a computer monitor with potentially sensitive information, may solve potential problems. In your risk assessment, be sure to include any equipment and devices beyond your facility’s network that store or transmit data, such as X-ray machines.
3. Keep Meaningful Use and EHR Requirements top-of-mind. By definition, Meaningful Use is using certified electronic health record (EHR) technology to improve quality, safety, efficiency and reduce health disparities. When the Medicare EHR Incentive Program first began in 2011, eligible healthcare providers were offered financial incentives for adopting, implementing, upgrading, or demonstrating Meaningful Use of EHR. Conversely, beginning in 2015, there will be penalties for healthcare providers who fail to demonstrate Meaningful Use. Much like HIPAA, organizations need to ensure they are in-line with Meaningful Use to ensure they are not subject to penalties.
4. Customize your policies. There is no one-size-fits-all approach to creating a compliance plan for your organization. Everything from the staffing structure you have in place to your method of data storage can vary from organization to organization. By tailoring your policies to align with your IT environment’s needs, you can ensure that your resources are being used effectively. At the same time, creating a structure where compliance mandates are continuously met will ensure maximum security.
5. Develop a community of awareness. Whether they think so or not, every staff member plays a vital role in maintaining the security of important patient health information. Hacking isn’t the only way that information can be exposed; it can also be compromised due to human error. To prevent such a mistake, HIPAA guidelines have established recurring security training for personnel that handle protected health information. It is imperative that all employees be aware of access and handling policies for sensitive information. Arming your organization and staff with the best physical and procedural practices to maintain privacy guidelines provide an extra barrier in safeguarding against a potential violation.
Maintaining and achieving compliance is a chief concern in the healthcare industry. Developing a plan to do so, and staying current with updates to the associated regulations, is necessary for all organizations and can help set you and your organization up for success.