If you own a healthcare practice, you probably know that HIPAA compliance is mandatory. What you may not know is that the federal government has expanded the reach of HIPAA by authorizing State Attorneys General (under the HITECH Act) to enforce it, and that an increasing number of practices are suffering data breaches. A HIPAA violation not only brings steep fines; the bad publicity that follows can, in effect, cripple a practice.
If you're like many healthcare practices, you finalized your HIPAA compliance procedures a few years ago while attesting to Meaningful Use. Since then employees have come and gone, mobile devices have been added and removed, and passwords have changed… or worse, remained the same.
Do any of these scenarios sound like yours?
-You offered HIPAA training to your employees a couple of years ago but have not had the time to train your newest employee.
-You think your vendor is HIPAA compliant because their website says so… but you haven’t really checked.
-You can’t remember if you changed all the passwords after that last employee quit.
-The smart phones and tablets used in your practice are routinely taken off site.
-You created your HIPAA Compliance Policies a few years ago but operations and software have since changed.
If you can relate to any of these situations, you may have started to slip out of HIPAA compliance. Don’t panic, here’s a quick list of things to review and update to get back on track:
1. Provide Ongoing HIPAA Training
Many HIPAA violations are caused by uninformed employees and, unfortunately, the rules keep changing. HIPAA itself requires workforce training under both the Privacy Rule and the Security Rule, so do yourself a favor: make HIPAA training mandatory for all employees, including yourself, train new hires soon after they start, and repeat training whenever your policies change. This doesn't have to be expensive or time-consuming; there are many online courses available. Meanwhile, you can check your current knowledge with our handy HIPAA Quiz.
2. New: Check All Your Vendors
The 2013 HIPAA Omnibus Final Rule makes clear that you, as a covered entity, must have a Business Associate Agreement with every vendor that creates, receives, maintains or transmits your ePHI (electronic Protected Health Information) on your behalf, and that those business associates are now directly liable for their own compliance. Make sure you have a current, signed Business Associate Agreement with each such vendor. If you don't, get one signed now; a statement on the vendor's website is not a substitute for a signed agreement. Once the agreement is in place, it is still reasonable to ask to see their written HIPAA compliance policies. You can email us to receive our Business Associate Agreement as well as our HIPAA Compliance Policies and Procedures. We're proud to share them with you.
3. Create a Password Policy
One of the easiest and most overlooked ways to increase the security and privacy of your patient data is to have a written policy for creating, changing and protecting passwords. Changing passwords on a schedule (once a quarter, for example) is one way to make sure old passwords don't come back to haunt you; note that current NIST guidance (SP 800-63B) favors long, unique passwords that are changed immediately when an employee leaves or a compromise is suspected, rather than on a fixed calendar. Whichever approach you choose, the non-negotiable part is changing or revoking every credential a departing employee knew, including shared accounts, on their last day. Another smart and easy fix is to enable automatic logoff on all computers and mobile devices so that an electronic session is locked or terminated after a short period of inactivity; the HIPAA Security Rule lists automatic logoff as an addressable specification, and 5 minutes is a reasonable choice for workstations in patient areas.
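Here is an added example (not part of the original article or any product it describes) of how an office's IT person could check the two controls above on a Windows workstation. It assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated prompt, and uses the registry value that the Group Policy setting "Interactive logon: Machine inactivity limit" writes (`InactivityTimeoutSecs`). The 300-second limit and 90-day password age are this article's suggestions, not values mandated by HIPAA, and the `-Fix` switch is a name chosen for this example.

```powershell
# Added example: audit (and optionally enforce) automatic logoff and stale
# local accounts on one Windows workstation. Not the article's own tooling.
[CmdletBinding()]
param(
    [switch]$Fix,                   # apply the inactivity limit instead of only reporting it
    [int]$MaxIdleSeconds = 300,     # the article's 5-minute suggestion (assumption, not a HIPAA number)
    [int]$MaxPasswordAgeDays = 90   # roughly one quarter (assumption, not a HIPAA number)
)

# --- Automatic logoff ---------------------------------------------------------
# This is the value behind the Group Policy setting
# "Interactive logon: Machine inactivity limit". 0 or missing means the
# machine never locks on its own.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'InactivityTimeoutSecs'

$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current -or $current -eq 0 -or $current -gt $MaxIdleSeconds) {
    Write-Warning "Machine inactivity limit is '$current' (0 or empty means never lock); policy wants $MaxIdleSeconds seconds or less."
    if ($Fix) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name $valueName -Value $MaxIdleSeconds -Type DWord
        Write-Output "Set $valueName to $MaxIdleSeconds seconds (takes effect at next logon)."
    }
} else {
    Write-Output "Inactivity limit OK: $current seconds."
}

# --- Local accounts ------------------------------------------------------------
# Any enabled local account that nobody has used within the policy window, or
# whose password is older than the policy allows, needs a decision: disable it,
# or change the password. Former employees' accounts show up here.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $flags = @()
    if ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) {
        $flags += 'password older than policy'
    }
    if ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) {
        $flags += 'no logon within policy window'
    }
    $finding = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Account         = $_.Name
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        Finding         = $finding
    }
} | Format-Table -AutoSize
```

Run it without `-Fix` first to see what the machine currently does; in a domain, set the inactivity limit through Group Policy instead so it cannot be undone locally. Domain accounts are not covered by `Get-LocalUser`; check those in Active Directory with the same two questions (when was the password last set, and when did the account last log on).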
4. Inventory All Mobile Devices
While mobile devices allow for greater convenience, they also put healthcare providers at risk. Not only are you responsible for mobile-device security IN your office, but you may also be held liable if a mobile device holding ePHI is lost or stolen (even your own!). Keep a written inventory of ALL mobile devices used in your facility, make sure each one has a screen lock and full-device encryption turned on (under the Breach Notification Rule, a lost device whose data was properly encrypted is generally not a reportable breach), and instruct employees to avoid accessing ePHI from personal devices that are taken home. This includes using personal cell phones to communicate with patients: remember, the mere fact that a patient is receiving treatment at your clinic is PHI, and it becomes ePHI the moment it is in a text message. So, if you need to send text messages to patients, use a HIPAA-compliant service, not a personal cell phone.
5. Review Your Policies and Procedures
During a HIPAA audit, one of the first things you will be asked for is an up-to-date copy of your HIPAA Compliance Policies and Procedures. The Security Rule requires you to maintain and update this documentation, so not having it is itself a violation that can draw penalties. If you've moved, changed EHRs, or changed any procedures in your office, your document is probably out of date. Take a few minutes to review and update it. You'll rest assured that you are ready for a surprise audit.
The above suggestions are by no means a guide to becoming HIPAA compliant; they are just reminders to review areas of compliance that may have become out-of-date. If you need assistance becoming HIPAA compliant, be sure to work with a reliable HIPAA-compliance consultant. You’ll be protecting your patients’ data as well as your business.