As the Department of Health and Human Services (HHS) gears up for its next round of HIPAA audits, doctors and other covered entities are scrambling to ensure they are fully compliant. Each year, the HHS issues hefty fines – and in some cases, criminal penalties – to practices that violate the HIPAA Rules. And don't assume that ignorance is an excuse for failing to be compliant, as the HHS will still cite offending practices for their negligence. So, what steps can you take to prepare for a HIPAA audit?
Privacy and Security Officers
One all-too-common HIPAA violation among healthcare practices is failing to designate a privacy officer and a security officer. The Health Insurance Portability and Accountability Act of 1996 requires all covered entities to have both of these positions filled. The privacy officer is responsible for ensuring the practice is compliant with the HIPAA Privacy Rule, whereas the security officer's job is to maintain compliance with the HIPAA Security Rule. Keep in mind that the same person can be both the privacy and security officer. Also, this individual may have other roles and/or responsibilities.
Up-To-Date Privacy Policies
Make sure all of your healthcare practice's privacy policies are up to date and compliant with HIPAA. It's not uncommon for doctors to use the same policies year after year, paying little to no attention to new laws regarding patient privacy. As a result, they place themselves at risk of a violation finding during HIPAA audits.
Protected Health Information Disposal
How does your practice dispose of Protected Health Information (PHI)? Under HIPAA, practices must completely destroy PHI so no personally identifiable information can be obtained from it. Simply tossing patient files in the trash can won't suffice, as someone could retrieve them by “dumpster diving.” Shredding and/or incinerating, on the other hand, will prevent this from happening by completely destroying the files.
What measures does your healthcare practice take to protect its data from cyber attacks? In the past, this wasn't an issue, as hackers generally targeted financial institutions. But the times have changed, and now hackers have their crosshairs focused on healthcare practices. HIPAA places the burden of cybersecurity on the shoulders of the respective healthcare practice, meaning those who fail to implement the necessary safeguards could be found in violation of HIPAA.