In case you didn't get the memo, the Office for Civil Rights (OCR) is preparing to conduct its second phase of Health Insurance Portability and Accountability Act (HIPAA) audits. While they've yet to announce an official date, sources say it will likely begin early next year. Doctors should use this time to conduct their own internal audits, ensuring they are compliant with the HIPAA Security, Privacy, and Breach Notification Rules.
Privacy and Security Officer
One of the most common HIPAA violations among doctors is failure to designate a Privacy and/or Security Officer. As part of the Health Insurance Portability and Accountability Act of 1993, all doctors and other covered entities must designate a worker for these two roles. The same worker can be both the Privacy and Security Officer, or there can be two separate workers for these roles. Regardless, doctors must designate someone for these roles; otherwise, they could be found in violation of HIPAA during the next round of audits.
Medical Device Security
Modern-day technology has revolutionized the medical field, largely for the better. Tablets, smartphones, wearable electronic wristwatches and patient monitoring systems are just a few of the many devices now commonly used in medical practice. If your practice uses devices such as these, you need to follow some basic measures to ensure patient data is safe and protected against unauthorized access. This includes the implementation of physical, technical and administrative safeguards, all of which pertain to HIPAA.
Disposal of Protected Health Information
How does your healthcare practice dispose of Protected Health Information (both paper and digital)? Simply tossing old patient files in the trash is just asking for trouble. There have been numerous cases in which patients' medical records have been recovered through dumpster diving, placing the healthcare practice at risk of a HIPAA violation.
Unique User Identification
Each and every user who has access to your network should be given a unique identification name or number. The purpose of this is to make each user's activity traceable. If a breach occurs, for instance, the practice can check to see who was logged on during the time of the incident.
Covered entities should implement automatic logoff technology in which users are automatically kicked off the network after idling for a certain period of time. Without a feature such as this, someone could impersonate an actual employee, gaining access to patient files or other PHI/EPHI.
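The two controls just described, unique user identification and automatic logoff, work together: the unique id gives each session an owner, the idle timeout closes sessions nobody is attending, and the session log is what an incident reviewer queries afterwards. The following is an added illustration written for this article, not code from the original or from any vendor product. The 15-minute idle limit, the account names and the times are all constructed values chosen for the example.

```python
"""Per-user sessions with idle logoff and an incident-window query.

Added example for illustration only; the idle limit, account names and
timestamps below are constructed, not taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed policy value


@dataclass
class Session:
    user_id: str                        # unique per person, never a shared login
    login: datetime
    last_activity: datetime
    logout: Optional[datetime] = None
    end_reason: Optional[str] = None    # "user", "idle_timeout" or "relogin"


class SessionManager:
    """Tracks one open session per unique user id and enforces an idle timeout."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.active: Dict[str, Session] = {}
        self.history: List[Session] = []

    def _close(self, user_id: str, when: datetime, reason: str) -> Session:
        s = self.active.pop(user_id)
        s.logout, s.end_reason = when, reason
        self.history.append(s)          # closed sessions stay in the audit trail
        return s

    def login(self, user_id: str, now: datetime) -> Session:
        if user_id in self.active:      # a second login closes the first, visibly
            self._close(user_id, now, "relogin")
        self.active[user_id] = Session(user_id, now, now)
        return self.active[user_id]

    def activity(self, user_id: str, now: datetime) -> bool:
        """Record a request. Returns False and logs the user off if the session
        already sat idle past the limit, so the request is refused."""
        s = self.active.get(user_id)
        if s is None:
            return False
        if now - s.last_activity > self.idle_timeout:
            # the session expired when the limit ran out, not when the user came back
            self._close(user_id, s.last_activity + self.idle_timeout, "idle_timeout")
            return False
        s.last_activity = now
        return True

    def sweep(self, now: datetime) -> List[str]:
        """Periodic job: log off every session idle longer than the limit."""
        expired = [u for u, s in self.active.items()
                   if now - s.last_activity > self.idle_timeout]
        for u in expired:
            self._close(u, self.active[u].last_activity + self.idle_timeout, "idle_timeout")
        return expired

    def logout(self, user_id: str, now: datetime) -> None:
        if user_id in self.active:
            self._close(user_id, now, "user")

    def users_active_during(self, start: datetime, end: datetime) -> List[str]:
        """Incident review: unique users whose session overlapped [start, end]."""
        found = set()
        for s in self.history + list(self.active.values()):
            if s.login <= end and (s.logout or end) >= start:
                found.add(s.user_id)
        return sorted(found)


def demo() -> dict:
    """Constructed morning of activity for three staff accounts."""
    t = datetime(2015, 10, 12, 8, 0)
    m = SessionManager()
    m.login("dr.alice", t)
    m.login("nurse.bob", t + timedelta(minutes=5))
    m.activity("dr.alice", t + timedelta(minutes=10))
    swept = m.sweep(t + timedelta(minutes=22))               # bob idle 17 min
    alice_refused = not m.activity("dr.alice", t + timedelta(minutes=28))  # idle 18 min
    m.login("tech.carol", t + timedelta(minutes=40))
    m.login("dr.alice", t + timedelta(minutes=41))
    m.logout("dr.alice", t + timedelta(minutes=45))
    return {
        "swept": swept,
        "alice_refused": alice_refused,
        "alice_first_end": m.history[1].end_reason,
        "early_window": m.users_active_during(t, t + timedelta(minutes=21)),
        "incident_window": m.users_active_during(t + timedelta(minutes=26),
                                                 t + timedelta(minutes=42)),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that an expired session is recorded as ending when the idle limit ran out, not when the sweep happened or the user returned; otherwise the audit trail would show a user "online" for minutes during which nobody was actually at the keyboard, which is exactly the window an impersonator would exploit and the window a reviewer needs to see correctly.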