The Health Insurance Portability and Accountability Act (HIPAA) was designed to set standards on handling medical records in order to protect patient privacy. Compliance with HIPAA regulations is mandatory not just for healthcare, but any organization dealing with electronic patient data, known as Protected Health Information (PHI), including insurance companies, IT services, and other partners working with these industries.
What does HIPAA mean for your business?
Compliance is federal law. The Office of Civil Rights (OCR), operating under the auspices of the Department of Health and Human Services (HHS), may audit health-related businesses at any time. Failure to satisfy requirements can result in fines of up to $1.5 million annually for non-compliance. Start by creating a HIPAA checklist to ensure all guidelines are followed.
The core components of HIPAA
There are about 50 specific stipulations. All business partners are subject to these requirements. Core compliance with HIPAA can be summed up in three areas:
1. Physical – Companies must ensure that facilities and servers are physically protected by locking doors, access badges, and surveillance cameras.
2. Technical – Control of digital access must be maintained. All logins must use multiple means of authentication, such as PINs and passwords. All patient data must be encrypted, including data in transit and on external drives, laptops, or mobile devices. Detailed backup and recovery plans should be in place.
3. Administrative – Documentation and training are important. This documentation should cover:
- Business Associate Agreements – HIPAA compliance extends to third-party firms such as IT contractors and document storage services, and requires descriptions of what data they have access to and procedures for disclosure.
- All service employees should be informed of necessary data security measures.
- Creating and documenting a process for data audits, and procedures when data is stored, changed, or destroyed.
- Implementing a plan to guard against data leaks.
- Reviewing changes to procedures and policies at least once per year.
Recommended but non-mandatory compliance includes a risk assessment and analysis following guidelines established by the National Institute of Standards and Technology.
There is no official certification for HIPAA compliance, but service companies should maintain certifications such as SOX or PCI DSS to demonstrate familiarity with security measures and compliance.
HIPAA requires that a company representative be appointed “Security Officer”, and this officer or others are charged with maintaining documentation. Attaching a diagram of involved data flows to your HIPAA checklist will help maintain documentation and understanding of the processes.
Service level agreements (SLAs) help in assuring clients that your business observes HIPAA requirements, and should spell out responsibilities in detail.
Making systems HIPAA compliant also means meeting obligations such as accountability for data disclosures, maintaining PHI record sets, and cooperating with the OCR.
Also document all reviews and audits to better prepare for them in the future.
Make sure your business partners and employees understand the importance of HIPAA obligations and procedures as the first step toward staying HIPAA compliant and clear of trouble with auditors.
While this brief checklist should help, when in doubt, consult an expert. CTG Tech is a healthcare managed IT services provider that has the experience and familiarity with HIPAA regulations to ensure that your PHI is protected and procedures are in compliance. Call today to examine the best methods for ensuring that your sensitive data is safe.