If you run a business, chances are good that you will have personal health information (PHI) on your servers at some point. As such, the Health Insurance Portability and Accountability Act (HIPAA) is something that you want to be familiar with. However, for those unfamiliar with HIPAA compliance, it can be hard to know where to start.
This article will cover each aspect of health information privacy law and give practical advice on managing your organization’s compliance with them effectively. As HIPAA laws continue to change, it is important to have an up-to-date HIPAA checklist for your business. It provides a convenient way of quickly assessing HIPAA compliance, avoiding violations, and ensuring the safety of confidential data. A HIPAA Checklist helps keep information secure within an organization by providing employees and other authorized personnel with a list of procedures to follow to meet HIPAA regulations.
1. Thoroughly understanding HIPAA’s three rules
The first rule of HIPAA is to thoroughly understand the three categories of rules that comprise the HIPAA Privacy, Security, and Breach Notification Rules. This will help you avoid potential pitfalls when it comes to protecting patient data.
- The Privacy Rule protects medical records from unauthorized disclosure and access.
- The Security Rule establishes national standards for protecting electronically protected health information (ePHI).
- The Breach Notification Rule requires covered entities and business associates to notify affected individuals following discovery or notification of a breach that involves unsecured PHI over 500 individuals (or more than 500 in some cases).
2. Discovering which particular rules apply to your organization
On the surface, it may seem that HIPAA applies to all healthcare providers and health plans: but there is more than meets the eye. For example, a healthcare provider could be a doctor’s office or hospital, whereas a health plan is an insurance company.
You need to know which of these three categories you fall under in order to determine which rules apply to your organization. Some examples of each:
- Healthcare providers include hospitals, clinics, doctor’s offices, and other places that provide medical treatment or care.
- Health plans include any entity that provides or pays for health benefits and/or services on behalf of its members/subscribers/enrollees (such as an HMO). Health plans can be insured or self-funded by employers, including government programs like Medicare/Medicaid etc.
3. Determining what data requires some extra protection
While there are a lot of different types of data, it’s best to focus on the three main categories:
- Sensitive Data: Data that is considered sensitive includes things like medical records and credit card numbers. This type of information requires extra protection under HIPAA, so it’s important to understand what qualifies as sensitive and how you should handle this kind of information.
- Protected Health Information (PHI): PHI is any type of health information that can be used to identify an individual (e.g., name, address, phone number). Information shared in electronic format by or with a covered entity, or its business associates must be encrypted or password protected. When dealing with paper documents containing PHI, it’s recommended that you store them in a safe place where only authorized employees to have access.
- Highly Protected Health Information (HIPAA): Common examples include genetic characteristics and behavioral health information about an individual who is being treated for substance abuse problems such as alcoholism or drug addiction issues related to mental illness such as bipolar disorder
4. Performing a risk analysis
Once you’ve identified your risks, it’s time to determine how likely they are and how much impact they could have if they do occur. This can be done by assessing the potential impact of each risk, if it occurs, relative to all other risks faced by your company. If a risk has a low potential for harm if it does occur (e.g., someone accidentally emails your employee’s social security numbers), it may not be necessary to implement controls to reduce its likelihood of happening. However, suppose a particular risk (e.g., an employee accidentally deletes important patient data) could cause serious problems for patients or result in legal action against your practice. In that case, you should consider implementing controls that will mitigate or prevent this type of event from happening in the future.
5. Establishing accountability in your particular compliance plan
You will also want to establish accountability in your particular compliance plan. This means who is responsible for what and who is accountable for what. For example, the chief compliance officer may be responsible for monitoring compliance with HIPAA regulations, while the department heads in charge of various departments, such as medical records, billing, and customer service, are accountable for monitoring their own compliance with HIPAA regulations.
An updated compliance plan is the best way to protect yourself and your business from any type of legal or financial liability. Implementing this plan could also help you avoid any fines or penalties being imposed by the government.