HIPAA rules can be complex and challenging, but understanding them and staying in compliance is increasingly critical for healthcare practices. As more of your practice moves to digital systems (electronic health records (EHRs), remote patient monitoring, practice management systems, medical billing software) your attack surface grows, and with it your risk of a breach.
Your Responsibility Under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for lawful use and disclosure of protected health information (PHI). PHI is individually identifiable health information held by an organization subject to HIPAA, and includes anything that can be used to identify a patient or client, such as names, addresses, Social Security numbers, medical records, financial and account information, and video or photographs in which a person can be identified.
Under HIPAA rules you must:
- Conduct regular (at least annual) risk analyses to identify gaps in security or compliance
- Create remediation plans if you identify any risks or gaps
- Develop policies and procedures for how to comply with HIPAA, keep them properly updated, and train staff annually
- Document all efforts related to HIPAA compliance, and produce them in the event of an audit
- Document all vendors that have access to PHI, and execute legally binding Business Associate Agreements (BAAs)
- Create a process by which affected patients (and, as required, the Department of Health and Human Services) will be notified if a breach occurs
The Most Common HIPAA Violations
There are several ways that practices can get in trouble for HIPAA violations, and each one comes with a potentially large financial penalty. Some of the most common include:
- Failing to perform regular organization-wide risk analysis to identify risks to confidentiality, integrity, and availability of protected health information (PHI)
- Failing to enter into HIPAA-compliant business associate agreements (BAAs) with external vendors and other entities
- Failing to properly safeguard PHI
- Delaying breach notification to affected individuals or to the government beyond the required deadlines
- Disclosing PHI in a way that is not allowable under the law
If you are worried about data breaches that expose PHI, keep in mind that a breach does not automatically mean you will be fined, provided your practice has already taken the necessary steps to reduce its risk to an "acceptable and appropriate level." However, many HIPAA violations are discovered during the course of a breach investigation, so it is important to be proactive about protecting your data and avoiding a breach in the first place.
How to Stay in Compliance
For most providers and office managers in small and medium-sized practices, it is not practical to keep up with every HIPAA requirement and the intricacies of how data is collected, transferred, and stored well enough to be certain you are always in compliance. A better solution is to bring in an experienced external partner who can conduct a thorough HIPAA risk analysis. These analyses must be repeated on a regular basis (at least annually) to confirm that there are no obvious risks or vulnerabilities in your systems or processes. If a vulnerability is discovered, the partner can help you take immediate steps to address it, and if it turns out PHI has been exposed, they can help you handle the required breach notifications.