The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to protect patients’ data in healthcare settings. It covers not just hospitals and clinics, but any organization responsible for handling Protected Health Information (PHI). That includes HMOs, health insurance companies, health plans, and government programs like Medicare and Medicaid in addition to all healthcare service providers.
Today’s data landscape looks very different than it did in 1996 when HIPAA was first passed. Technology has progressed at an astounding speed, and that has created both opportunities and obstacles. Read on to find out how best to ensure HIPAA compliance in 2020 for an up-to-date look at what’s required.
Ensure Safe Data Transmission
When HIPAA was first developed, most healthcare providers were still using technologies that would be considered antiquated by today’s standards. Today’s providers should focus on finding modern technological solutions designed with HIPAA compliance in mind. Using cloud fax for healthcare instead of fax machines is one great way to minimize the risk of data theft during transmission, to give just one example.
Try not to send PHI by email. This solution should be limited only to situations where there is no other way to send data that contain protected information. When there is no other way to send data, make sure to follow encryption protocols, and use secured servers.
Secure Physical Paperwork
It’s equally important to secure all paperwork that contains PHI within the facility. Keep documents in a folder instead of leaving them out and place them in a locked drawer or filing cabinet when not in use cover patient charts so their names are not visible, and make sure never to leave documents containing PHI unattended.
Restrict Employee Access
Only those employees who need to access PHI to fulfill their duties should have access to protected information. Organizations should assign role-based security clearances to minimize the chances of employees accidentally or intentionally accessing patient information that doesn’t pertain to their duties. Assign passwords only to those staff members who are cleared to access PHI and implement user-specific passwords or access protocols to secure logins.
Develop Facility-Specific Privacy Policies
All healthcare organizations must develop and implement privacy and security policies for protecting PHI. These policies should be carefully documented. They should include the appointment of privacy and security officers conversant in all HIPAA regulations and information about what steps will be taken in the event of a data breach. All patients should also be provided with a notice of privacy practices and should be required to provide an acknowledgment of receipt. It’s also up to healthcare facilities to keep patients informed about updates to their privacy practices.
Provide Employee Training
Even the most robust privacy and security policies won’t do any good if employees don’t know how to follow them. That’s why it’s essential for facility managers to offer ongoing training in HIPAA-compliant practices. Ensure that all new hires receive training on the company’s policies and procedures and provide periodic refresher courses for current employees.
Make sure that all employees are instructed to avoid discussing protected information in public spaces. Healthcare providers discussing a patient within hearing distance of others should never use the patient’s full name and should be cautious about disclosing any personal information. They should never share sensitive PHI with co-workers who lack clearance or personal acquaintances outside of work.
Conduct Regular Risk Assessments
The privacy and security officers should be tasked with performing routine risk assessments to identify potential vulnerabilities. This helps healthcare organizations ensure the integrity of their PHI by resolving any identified risks or revising policies to accommodate them as necessary before they lead to serious data breaches.
Back Up Data on Secure Servers
Healthcare facilities need to back up important data to protect themselves and, by extension, their patients, against data losses. They should only use secured servers for data backup. That could mean storing data in on-site data centers or using HIPAA-compliant cloud-based services. It’s also important to keep paper copies of essential documents safely and securely on-site.
Dispose of Information Properly
When disposing of paperwork that contains PHI, make sure to do it properly. That means shredding paper files instead of just throwing them in the trash. Assign this duty to someone with a high level of clearance and the integrity to ensure that the job will be performed as required.
Keep Computers Up-to-Date
It’s not uncommon for healthcare organizations to fixate on security while data is in transit, but forget about on-site data security. While it is important to ensure that all vendors or other business associates are well-versed in HIPAA’s rigorous standards, it’s equally essential to keep the organization’s computers protected. Make sure all computers that can be used to access PHI have up-to-date anti-virus and malware scanning software installed and consult with IT experts regarding more advanced privacy practices.
Develop Protocols for Security Breaches
Every healthcare facility should invest in infrastructure and policies that help to prevent data breaches, but even the most robust security systems may still be susceptible to cyber-attacks. That’s why every facility should also have protocols in place for dealing with security breaches, which should include identifying and documenting the breach, then alerting the appropriate authorities.
Healthcare facilities should also have protocols in place for dealing with employees who do not follow the organization’s privacy and security policies. Even if employees do not have malicious intent, failure to follow policies designed to ensure HIPAA compliance can lead to devastating consequences. Let employees know that failure to adhere to company policies will incur strict penalties and follow up on that threat if anyone ignores it.
The Bottom Line
Healthcare providers have a duty to their patients to offer a high standard of care. They also have a duty to protect their PHI. Failure to take adequate steps to protect PHI as outlined by HIPAA can result in civil and criminal penalties. Fines for non-compliance vary based on the level of negligence and can be as high as $50,000 per record or violation. Some violations even carry criminal charges that could result in jail time. It’s worth taking the time to ensure that the facility’s privacy and security protocols are up-to-date.