It’s a new year, and data security is more critical than ever. Experts predict that in 2018, HIPAA enforcers will focus on punishing data breaches. Are you ready? Our Ultimate HIPAA Compliance Checklist can help.
HIPAA: An Overview
The Health Information Portability and Accountability Act (HIPAA) became law in 1996. The Act has five parts:
- I: Health Care Portability
- II: Privacy and Fraud Prevention
- III: Medical Savings Accounts
- IV: Group Health Insurance Requirements
- V: Employer Tax Deductions
Our HIPAA Compliance Checklist will focus on Title II: ensuring patient privacy and data security.
HIPAA Compliance Checklist 2017
2016 saw a number of incidents in which health care professionals disclosed personal health information (PHI) on social media or in text messages. Sometimes the violations were accidental, and sometimes they were deliberate. As a result, 2017 saw new regulations about text messaging and social media use concerning patient information. Here are the current regulations. In addition, here is the HIPAA Compliance Checklist 2017, as regards social media.
HIPAA Compliance Checklist 2018
Data security is primary. So with experts predicting more and tougher audits, how can you make sure you’re ready? It’s simple. Know the rules, and stick to them. Here’s our HIPAA Compliance Checklist for 2018.
Rule 1: Use a HIPAA-Compliant Electronic Health Record (EHR or EMR).
HIPAA makes insurers and providers responsible for protecting patient information. First, in 2009, HHS added strict new rules about breach notification. Then, in 2013, HHS widened responsibility to include contractors and subcontractors. As a result, many providers like the idea of using web-based or cloud-based EMR. Web and cloud-based EMR remove some of the burdens from the provider. However, more layers mean more room for mistakes. Therefore, it’s vital to make sure your EHR or EMR software is HIPAA compliant, and that it’s clear who will be responsible in the event of a breach.
Rule 2: HIPAA Covered Entities Must Have a National Provider Identifier (NPI)
The NPI, used for transmitting medical data, helps to prevent mistakes like mixing up information about two people or practices with the same name. Every individual provider (type 1 NPI) and organization (type 2 NPI) must have their own unique National Provider Identifier. Covered organizations include HMOs, health insurance companies, employer-sponsored health plans, and government programs that pay for health care.
You can double-check your current provider information against the HHS NPI registry. To obtain a new NPI, visit the National Plan and Provider Enumeration System.
Rule 3: Protect Your Patients’ PHI (Private Health Information)
Two rules protect patients’ private health information: the HIPAA Privacy Rule and the HIPAA Security Rule. In this section, we’ll look at the Privacy Rule. Also, we’ll tell you the steps you need to take to make your organization compliant.
The Privacy Rule states how entities may use patients’ personally identifiable health information. Also, it states that patients have the right to know about and control these uses. The rule also specifies that entities must request and disclose only the minimum necessary amount of PHI to accomplish any given purpose (the “minimum disclosure principle”). In addition, entities must notify patients of their rights. Here are a few things you can do to make sure you’re complying with the Privacy Rule.
The Privacy Rule Checklist
First, know the Privacy Rule through and through. Understand everything that it requires.
Then, designate a Privacy Official. This is part of the law. The Privacy Official develops procedures to protect patients’ PHI. Also, they will take privacy-related requests and complaints.
You must also keep records of all PHI requests, transfers, and disclosures in your practice.
In addition, always follow the “minimum disclosure” principle.
Identify any business associates that may have access to patients’ PHI. These may include consultants, claims processing personnel, and more. Have a formal business associate contract with them, which extends HIPAA duties to their operations.
Create an NPP (Notice of Privacy Procedures). HIPAA requires that this be “user-friendly” and have information about individuals’ rights under HIPAA. It must also have information about your organization’s practices. The HHS has a number of model NPPs for you to look at.
Also, set up multiple levels of protection for PHI. These should include administrative procedures and technical and physical safeguards.
Carry out ongoing privacy training for your personnel.
Finally, have your privacy official keep records of everything that your organization has done to protect patient information. Update these records regularly.
Rule 4: Security First. Lock Down Your Electronic Medical Information.
The HIPAA Security Rule sets national standards for protecting patients’ private medical information. Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to data that your organization transfers, receives, or maintains electronically. Therefore, to make sure that your organization is complying with the Security Rule, you will need to:
- First, do a risk assessment. Find any risks to electronically stored or transferred information.
- Next, evaluate the state of your security measures. Find any problems or holes.
- Then, implement administrative, technical, and physical safeguards to address the gaps.
- Also, document your assessments, findings, and measures taken.
- Finally, repeat the process on a regular basis.
The HHS has a risk assessment tool that can help you to find and fix any flaws in your patient information security system. In addition, the HHS website has a series of papers to help your organization better understand the Security Rule and comply with it.
Rule 5: Risk Management. Know the Penalties for HIPAA Violations.
As we mentioned before, experts are predicting that HIPAA enforcers will focus on punishing data breaches in 2018. With fines up to $50,000 per violation per day, this is serious business. Some violations also carry criminal penalties and jail time. As a result, you must know the HIPAA enforcement rule and be prepared.
Rule 6: Damage Control. Know How to Handle PHI Breaches by the Book.
A PHI breach is a release of private patient information that violates the Privacy Rule. The HIPAA Breach Notification Rule requires healthcare organizations to notify individuals of a breach within 60 days. If the breach affects more than 500 individuals, the organization must also notify prominent media outlets in their state. In certain cases, the organization must also notify the HHS Secretary. The Breach Notification Rule is complex, so know it before you have to deal with it.
Finally, the laws protecting patients’ private health information are complicated. But they’re there for a reason. Your organization strives to provide the best service possible. And that includes safeguarding patients’ data privacy as well. Study the rules. Make sure all of your employees, subcontractors, and business associates know them as well. Have patient notification procedures. And set up procedural, technical, and physical safeguards that will make privacy and security routine. And document everything. Hopefully, our HIPAA Compliance Checklist will give you the information to get started on the road to best practices.
Featured Image Public Domain, by Airman Malcom Mayfield, via the United States Air Force