Complying with HIPAA is impossible if you don't know where to start. These four business tips will help you get started AND help your business.
With so many rules and acronyms, maintaining a HIPAA-compliant medical office can be a daunting task. Here’s a high-level recap so you can keep your eye on patient care.
#1 - Your copiers, laser printers MUST be included in your overall compliance strategy.
That’s right - don’t forget your printers and copiers! Any network device that has a hard drive and touches patient information counts.
- Secure your fleet - both physically in a secure office space and digitally with one of the many user authentication methods available to you (proximity cards, login prompts, etc.)
- Enable data encryption on all of your office equipment that has a hard drive
- Make sure you service provider is keeping up to date with all new patches or firmware updates available for your fleet. Often, updates provide new or improved security features and patch known security holes.
- Set strong passwords for any and all logins that are at least eight characters long and contain lowercase and uppercase letters, numbers, and symbols.
- Establish an equipment use policy that documents can never be left on the copier
- Disable the USB ports so personal health information (PHI) cannot be downloaded
- Invest in hard drive destruction at the end of your lease or when your replace your equipment
#2 - Don’t rule out the Cloud.
Up until now most offices have shied away from using the cloud since the vendor controls where the data is stored. The cloud has come a long way, and it’s often a lot easier to work with a certified vendor with experience deploying HIPAA-compliant solutions. Just be sure you do your due diligence and ask questions of any vendor you are considering:
- How will they protect your patient data?
- Does their solution support encrypted data?
- Are they committed to complying with HIPAA regulations over the long haul (not just to get the initial sale)?
#3 - Don’t self destruct with sloppy electronic document management.
- By using the correct equipment and performing regular audits on electronic health records, you can prevent any potential HIPAA violations.
- Activate audit trails and automatic flags on your system when a restricted task is initiated.
- Schedule regular security audits to make sure employees are not in violation – workers viewing patient files with the same last name or address or staff accessing particularly sensitive health information (e.g., pregnancy of a minor or HIV status) should automatically trigger a review.
- Suspend accounts of employees who no longer work for you.
#4 - Perform a Security Risk Assessment
The Office of the National Coordinator for Health Information Technology is emphatic about protecting against the risks posed by office equipment. The agency created a series of security risk assessment tools, which are designed to walk medical practitioners through the compliance processes.
While many think that the actual physicians are responsible for keeping a practice HIPAA compliant, practice managers play a critical role in protecting patient information. Not only must they prevent inadvertent disclosures, but they must also oversee their security. Don’t let the potential for costly fines and even criminal penalties be ignored.
A great resource for HIPAA-related information is the Health and Human Services’ website: https://www.hhs.gov/hipaa/for-professionals/index.html