Are your employees trained on the nuances of HIPAA and patient privacy? Some doctors and other covered entities assume the burden of compliance is their responsibility, so they avoid training their employees. However, the Department of Health and Human Services (HHS) requires all workers to be trained on HIPAA.
The HIPAA Security Rule requires covered entities to implement technical safeguards to prevent unauthorized access of Electronic Protected Health Information (EPHI). Among these safeguards is something called “access controls,” which, among other things, consists of unique user IDs that allow workers to log into their respective systems.
Other access controls include emergency access procedures, automatic logoff, and data encryption.
One of the most common reasons why covered entities are cited for HIPAA violations is failure to properly dispose of Protected Health Information (PHI). Simply tossing paper files into the trash is just asking for trouble, as anyone can recover them via dumpster diving. This is why HIPAA requires all covered entities to destroy PHI so personally identifiable data can no longer be obtained from it.
Security and Privacy Officers
Don't forget to assign someone as the Security Officer and Privacy Officer for your practice (it can be the same person; he or she can have other job roles). HIPAA's Administrative Rule requires all covered entities to have both a Security and Privacy Officer, which as the title suggests, is the person responsible for ensuring compliance with the Security Rule and Privacy Rule respectively.
Business Associates Agreement
We've talked about this before on the Allpoint Compliance blog, but it's worth mentioning again that covered entities must have Business Associates Agreements (BAA) in place with all third-parties with whom they do business. The BAA should outline what type of PHI the third-party entities can access and how it can be used.
Covered entities must have procedures and policies in place for regular testing of contingency plans and its respective components.
Maintaining a HIPAA-compliant healthcare practice requires regular work – it's not something you can set and forget. This means performing regular evaluations of your practice to determine whether or not changes need to be made. You have to remember that laws regarding HIPAA and patient privacy are constantly changing, so covered entities must stay on top of the latest laws to ensure compliance.