The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated industry-wide standards for health care information on electronic billing and claims, while also protecting against health care fraud and abuse. It also addresses the protection and handling of health information of every patient.
The point of HIPAA compliance is for every medical practice to implement an active, ongoing process to prevent any HIPAA-related data breach. It must include the appropriate technology and training of all staff members regarding the handling of confidential information.
HIPAA compliance includes both physical and technological safeguards to protect patient data from unauthorized access. This means securing both the electronic copies and hardcopy (printed) records from being carelessly handled at any point. Even your janitorial staff shouldn’t be able to mistakenly access these records.
Technology and related policies must be in place to protect confidential data against unauthorized access. In a medical practice, there exists a balance between potential vulnerabilities of electronic protected health information (ePHI) and the cost of protecting this information. The size, complexity, and capabilities of the practice must all be considered.
If there is a breach of someone’s information, HIPAA rules state that the affected individual(s) must be made aware of the breach immediately. If the breach affects 500 or more persons, the Secretary of HHS and the media in the jurisdiction in which the affected individuals live must also be notified.
Administrative safeguards are the in-house processes designed to protect data from internal mishandling. These processes include:
- Methods of documenting patients’ records
- Employees’ respective roles and responsibilities
- Requirements for training individuals to be HIPAA compliant
- Policies for the maintenance of data
These protocols are meant to ensure that the office policies and procedures adhere to the HIPAA-established standards.
Physical safeguards apply to the actual physical accessibility of health records and patient information. Some important security questions that must be answered include:
- Is there a security system for the office?
- Does the security system have video surveillance?
- Is the surveilled video recorded and stored at a separate location?
- Are the windows and doors of the medical practice properly reinforced with locks?
- If there is a server kept on site, is it kept in a locked and secured room?
If there is an on-site server, the surveillance system should record:
- Who enters the server room
- Who accesses the server
- The time and date on which they access it
- How long they are logged into the server
- Every query or download someone makes
The HIPAA rules also address mobile devices such as smartphones, tablets, and laptops, and the hazards of removing any of these devices from the practice if they hold patient information. Use encryption software on these devices so that, if theft occurs, the information remains protected.
Who Can Help Me Avoid HIPAA Violations?
The best way to protect against HIPAA violations is by getting a HIPAA security audit done by an external auditing agency. Our team at ProMD Practice Management can come in and do a full security audit of your medical practice.
Our team can identify areas of weakness and suggest changes that will help keep your practice completely in line with HIPAA regulations and protocols.
Contact us today by calling (844) 236-5488 or request a consultation online. Find out the many ways in which we can help keep your practice in full HIPAA compliance.