Special thanks today for our guest post on HIPAA compliance by Alex Mitchell — cybersecurity enthusiast, WordPress guru, and data-safety tools tester with over 10 years experience.
Who Must Comply With HIPAA
If you’re not familiar with HIPAA, it stands for the Health Insurance Portability and Accountability Act. It was designed and put in place to protect the health care coverage of American workers and their families, and to establish industry-wide guidelines for protecting their confidential information.
Simply put, any organization that handles “protected health information” (PHI) has to be HIPAA compliant. And who are these organizations?
They include, but are not limited to, the following:
- Company health plans
- Health maintenance companies
- Any company or school that handles protected health information if they enroll students or employees in a health care plan
That sounds like it’s only big organizations that need to be concerned, doesn’t it? Don’t be fooled. Even if you are a one-person practice run out of an addition to your home, you need to comply as well. That’s every chiropractor, dentist, and physiotherapist. Your designation doesn’t matter: if you are a health care provider of any sort, you need to comply.
Does HIPAA Just Apply to Health Care Providers?
It should also be noted that companies that do nothing more than collect and handle information from the actual health care facility or entity must also comply with the Act. This would include companies such as billing services or community health management information services, even some software companies.
Also included would be health, disability, or life insurance companies—and any others—who obtain medical reports in order to assess a policy application or claim.
Steps a Health Care Provider Can Take to Ensure Patient Privacy
I’m sure this seems like an incredible burden for anyone in health care or on the fringes of health care. But there are several steps that can be taken that will help you stay within the guidelines of the Act. If you follow these, you have a better chance of not being in violation.
1. Use a VPN
My first recommendation is to do some research on the best VPN services available. Once you’ve made your choice, start using it right away, and always use it!
I can almost hear you thinking, huh, what’s a VPN?
Don’t worry, it’s nothing too technical, and once you have it set up and you’re logged in, you won’t need to think about it again. It’s going to be silently working in the background, doing what it does to protect you and help keep you in compliance with HIPAA.
A VPN, or Virtual Private Network, is a service that protects your identity and the data you share online. Once you are logged into the network, the IP address assigned to you is obscured, and you, your office, and your information are anonymous to the sites you visit. And any data that you collect and share—and here we’re particularly concerned about your patients’ health information—is encrypted. Depending on the service you choose, it might be encrypted multiple times between endpoints, that is, along the virtual route between your computer and whatever websites, apps, and services you use while online. Keep in mind that a VPN protects data only while it is in transit; records stored on your own devices or with your vendors need their own safeguards.
2. Have A Business Associate Agreement With Your Vendors
As mentioned earlier, companies that store or regularly access patient information also need to be HIPAA compliant. It doesn’t matter if they don’t provide healthcare services. If you use such a vendor (like a billing service, EMR, or video chat software) to help provide your services, the vendor is called a Business Associate. More importantly, it’s your responsibility to make sure your Business Associates are HIPAA compliant. You must do this by signing a Business Associate Agreement with them where they agree to follow the HIPAA rules.
3. Respect Your Patients’ Privacy While They’re in Your Office
Whether they’re in your lobby or your exam rooms, give patients the privacy they deserve.
- Don’t leave patient records, files, or documents anywhere they are unsecured.
- Always knock before entering a patient’s room.
- When you access any patient information on an electronic device—desktop or mobile—be sure that no one unauthorized is able to see it.
- Train your staff to follow these rules.
4. Post a Notice of your Privacy Practices
- Let your patients know you have rules in place by posting them in a public place for them to view.
- If your practice maintains a website, have a page that clearly states your Notice of Privacy Practices.
- Always have copies of your policy available for your patients.
5. Develop & Follow a Privacy Policies and Procedures Manual
- Develop a procedure manual with step-by-step guidelines for patient privacy and HIPAA compliance.
- Make sure this manual is accessible to all staff members and get signatures indicating that they have read and will abide by your policies and procedures.
- Annually review your policies in order to be sure they remain current, and in turn, review them with your staff.
- Continue to make any updates necessary.
6. Train Your Team
- Don’t just assume your team is keeping up to date with HIPAA. Do annual training.
- Continue to obtain signatures from your staff indicating they are keeping up with their annual training.
- Be sure that any other businesses you associate with also keep up to date with their HIPAA training.
7. Do the Mandatory Annual HIPAA Risk Assessment
- You have the choice of doing this risk assessment internally or hiring a HIPAA expert to come in and perform the assessment.
- Develop a plan of action and timeline for any areas where remediation and follow-up are necessary.
- Only use secure disposal techniques when disposing of anything that has patient health information included, regardless of the format.
If you’re diligent in following these guidelines, you can be sure that you and your office remain in compliance with HIPAA.
Photo courtesy of PLiXS