Does your business operate in the Healthcare Industry? Are you unsure if you meet HIPAA compliance checklist requirements, or even if HIPAA applies to you?
For many businesses that operate in the health and wellness space, HIPAA compliance isn’t just a part of everyday life.
It is a requirement for remaining in good legal and ethical standing.
Businesses in the medical arena that eschew HIPAA requirements are not long for this world as the federal government has laid plain: ignoring complete HIPAA compliance is not acceptable and will be met with severely punitive measures.
Today, we will cover what HIPAA is, who must adhere to HIPAA, HIPAA requirements, as well as cover a full HIPAA Compliance checklist, making it easier to stay compliant in 2020 and beyond.
What is HIPAA?
The Health Insurance Portability and Accountability Act guarantees patients security and protection for their personal health information, also known as “PHI.”
Furthermore, patients preserve the right to choose who has access to their medical records and information. By default, HIPAA creates protections and security around certain health information for every patient in the healthcare system.
Before HIPAA, there were very few protections afforded to the privacy and security of individuals’ health information.
Complicating matters was that HIPAA became law during the most technologically transformational period the nation has ever experienced.
As the internet matured and patient charts gave way to electronic medical records in offices across the country, new regulations around personal privacy were essential to helping the digitization of medicine succeed.
HIPAA was created with the movement of employees between one employer and another in mind.
It’s right there in the name: portability.
That is to say that the need of employees to safely and securely move their health information from one healthcare or insurance provider to another was, and remains, the primary stated goal of HIPAA.”
However, to meet this aim, the requirements for HIPAA compliance provide significant protection of private health information even when an individual is not changing jobs, health care provider, or health insurance provider.
And while HIPAA became law in 1996, it was not until ten years later in 2006 that the Enforcement Rule went into effect. The Enforcement Rule finally granted the Department of Health and Human Services the power to investigate HIPAA complaints and issue fines.
Generally speaking, HIPAA states that healthcare providers and those with access to PHI:
- Ensure confidentiality
- Identify and protect against reasonably anticipated threats
- Protect against reasonably anticipated impermissible use or disclosure
- Ensure compliance by their workforce
Who Must Adhere to HIPAA?
Physicians and their staff are not the only ones that must adhere to HIPAA privacy protections. Health insurance providers and health care clearinghouses that process nonstandard health information into standard formats must also adhere to HIPAA Compliance.
By and large, any organization that accesses, collects, or processes personal information, including health information and personally identifiable information, must protect that data as a provision of HIPAA.
Largely excluded from HIPAA compliance requirements are industries and organizations like life insurance providers, workers compensation carriers, and law enforcement agencies.
If you are unsure whether or not your organization is subject to HIPAA compliance, the Department of Health and Human Services provides comprehensive detail around who is, and who isn’t, covered.
HIPAA Responsibilities with Digital Records
For the better part of 20 years, medical practices and health practitioners have increasingly adopted digital tools to keep their businesses running.
From electronic medical records to data storage tools, the adoption of digitalization in the medical field has brought with it a new lens through which to view HIPAA guidelines and compliance.
Whereas patient privacy is a shared interest for healthcare providers, the increased quantity of threat vectors for digital records create great complications not just in securing information, but also in ensuring staff members are trained to protect that information at all times.
Storing data requires various levels of encryption, proper firewalling and network protection, and threat detection alerting that notifies of a data breach.
Additionally, part of HIPAA is staff compliance. That means that for all of the technology in place to protect patient data, of equal importance is the way that team members treat the data and systems to ensure privacy is maintained.
Examples of HIPAA Violations
Simply keeping physical patient records under lock and key is no longer enough. Keep a lookout for situations that can be viewed as a HIPAA violation, such as:
- Leaving a desktop workstation with access to an EMR system unlocked while going to the break room for a cup of coffee
- Allowing guests to access the same Wi-Fi network that is also connected to a digital archive of patient records
Situations like these are easily avoided when staff adhere to protocols, keeping patient data isolated and secure at all times.
The Official 7-Step HIPAA Compliance Checklist
Thankfully, ensuring that your organization remains HIPAA compliant is a straightforward matter.
Straightforward doesn’t necessarily mean easy, but at least areas of confusion or complication have greatly been mitigated.
The Office of the Inspector General for the Department of Health and Human Services has released a guide entitled “The Seven Fundamental Elements of an Effective Compliance Program.”
These fundamentals can, and should, serve as a HIPAA compliance checklist for making your organization compliant.
1. Implementing Written Policies, Procedures, and Standards of Conduct
For starters, HIPAA compliance must be outlined and documented. From allowable employee behaviors, to what to do in the event of a data breach, HIPAA requires documentation around practices or business activities that fall under the purview of the law.
2. Designating a Compliance Officer and Compliance Committee
It is critical that individuals within a HIPAA compliant organization be named and held responsible for HIPAA compliance.
3. Conducting Effective Training and Education
HIPAA compliance requires that team members protect PHI. To do so in a way that meets the HIPAA standard, it is crucial that HIPAA compliance training be provided to staff. Ignorance is not a valid defense in the event of a HIPAA violation.
4. Developing Effective Lines of Communication
Health practitioners and their teams must have clear channels of communication not just for training and in the event of a data breach, but also as part of the day to day operation of handling private information. From the handling of medical records to the discussion of patient care, communication is critical across all levels and in all departments.
5. Conducting Internal Monitoring and Auditing
As with many policies and procedures, regular verification and reporting are essential to maintaining HIPAA compliance. As part of HIPAA is protecting against reasonably anticipated threats to private health information, it is crucial that HIPAA-compliant businesses test their environment regularly for potential weak spots or areas of vulnerability.
6. Enforcing Standards Through Well-Publicized Disciplinary Guidelines
Team members across the organization must understand the possible legal ramifications of HIPAA violations not just to the business, but to the individual as well. The seriousness of HIPAA is hard to overstate, and it is incumbent upon business owners and operators to ensure staff members know what is at stake.
7. Responding Promptly to Detected Offenses and Undertaking Corrective Action
Protecting PHI is certainly the goal of every HIPAA organization. However, it would be silly to behave as if mishandling or unauthorized access to private data never happens. In the event of an intrusion or error, HIPAA regulations mandate that immediate corrective action be taken.
Understanding How Infrastructure Plays a Role in HIPAA Compliance
Unauthorized access to workstations, accidental viewing of the wrong patient record, or leaving the Wi-Fi network unlocked during routine maintenance are all examples of potential violations. However, not all potential areas of vulnerability are so easily identified. When it comes to your technology infrastructure, every component in the stack must meet HIPAA standards if your organization is to be truly compliant.
That means that your servers must be HIPAA Compliant, including where you store data and the applications you use to access and modify it.”
Network switches and routers must be properly secured to the standards dictated by HIPAA. Many hosting providers provide a level of security to their infrastructure as a benefit to your purchase. But very few hosting providers actually provide security and protection that can survive the scrutiny of a complete HIPAA compliance checklist review.
For example, does your hosting provider have a defined policy on communicating data breaches to you? Does that policy actually meet HIPAA standards?
The Right HIPAA Compliance Solution for Your Organization
Whether you’re in the midst of a digital transformation or are just starting to investigate digitizing your medical organization, having the right partner at your side is critical.
Not only is it important that your IT service and infrastructure providers understand the importance of HIPAA in your business, it is also critical that their own policies, procedures, and guidelines align with the HIPAA requirements to which your business is bound.
Our team at Liquid Web possesses both the expertise and the experience necessary to keep your HIPAA compliant business on track and out of regulatory trouble. From small, single doctor clinics to large hospital networks operating across many states, our expertise at the cross-section of infrastructure and HIPAA compliance is unmatched in the industry.
If you’d like to learn more about how the Most Helpful Humans in Hosting™ can help deliver your HIPAA-compliant infrastructure both now and as your business grows, contact us here. We would welcome the opportunity to discuss not just how to get compliant but also how to ensure ongoing compliance so you can focus on patient care and other business priorities.