HIPAA Compliance in Your Medical Practice
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed with a dual goal:
- Make health care delivery more efficient
- Increase the number of Americans with health insurance coverage
The complex law has since been amended to include privacy, security, enforcement and breach notification rules. It wasn’t until April 2003 that the security rule of HIPAA was enacted. HIPAA does not distinguish between large and small practices even though regulators do. Solo practitioners, large rehab hospitals, and all healthcare organizations in between are required to follow the same laws. Most health practitioners have implemented privacy rules knowing that all staff and patient information must be protected. They have good intentions to safeguard protected health information (PHI).
HIPAA requires much more than just good intentions, though. Here’s a checklist of some commonly-overlooked HIPAA requirements to help you quickly evaluate whether your medical practice may be non-compliant:
- Do you protect patient privacy everywhere in your facility? This includes both written and verbal information. For instance, discussing a patient’s case in the elevator or hallway may violate the basic privacy rule of protecting a patient’s identity. Have you ever left patient documents unattended or unsecured? Do you leave the exam room computer screen unlocked when you leave the room? Is patient information visible to other patients or to unauthorized employees? It’s vital that you intentionally protect private information at all times.
- Do you have written privacy policies? Every covered entity and business associate is subject to an audit, whether random or planned, and auditors will begin by reviewing your policies and procedures. HIPAA requires that all covered entities maintain written privacy policies and procedures addressing HIPAA’s three main components: privacy, security, and breach notification.
- Do you have HIPAA Business Associate (BA) agreements with everyone who handles your patient information? While it may seem obvious that other health organizations and records-keeping services should also follow privacy rules, have you considered everyone who could have access to your records? This includes contracted healthcare professionals, outside practices, your tech support contractor, and anyone else who has access to patient information. Janitorial staff, building management, and others who do not need to access patient information should be restricted from accessing it and do not require a BA agreement.
- People are often the weakest link in the security chain. Do you train all of your employees in HIPAA requirements? Include physicians, nurses, medical and office staff in an annual training session. Executives and owners are not exempt, either, and they are routinely targeted by cybercriminals. Keep a record of your training sessions, including those who attended, as evidence of your compliance with HIPAA regulations.
- Have you completed your mandatory HIPAA risk assessment? HIPAA requires all covered entities and BAs to conduct a regular security risk assessment to identify vulnerabilities and risks in their practices. The assessment needs to review your technical, physical and administrative safeguards in detail.
- Are you shredding all generated information to HIPAA standards prior to disposal? HIPAA-compliant shredding requires documents and hard drives to be shredded so that they are not readable and cannot be reconstructed. If even one document or electronic device with PHI is not properly destroyed, your practice is not compliant. The best solution is to use a professional shredding company with industrial shredders that rapidly destroy paper and hard drives in compliance with HIPAA.
Apex Shredding provides HIPAA-compliant shredding for your medical practice. We are NAID AAA Certified and can also help you with compliance training services. For more information about HIPAA compliance in your medical practice, give us a call at 907-532-5007 or complete the form on this page.