Health Insurance Portability and Accountability Act (HIPAA) compliance affects more than just hospitals and large healthcare practices; it also affects small “family-care” physicians and practices. Originally passed by Congress back in 1996, HIPAA consists of multiple rules and laws pertaining to patient privacy that covered entities must follow. Failure to do so could result in civil fines, or in extreme cases, criminal action. So, what steps can you take as a family-care physician to ensure compliance with HIPAA?
Using Cloud Services? Be Sure to Create BAAs.
It's not uncommon for family-care physicians to store Electronic Protected Health Information (PHI) on cloud-based services like Google Drive. This offers several key benefits, such as the ability to access data from any Internet-connected computer, as well as reduced physical hard disk storage requirements. However, cloud services may also pose a risk in terms of patient privacy, which is why it's important for family-care physicians to create Business Associates Agreements (BAA) for any cloud-based service provider with whom they do business.
Conduct Risk Analyses
As a covered entity, it's your responsibility to conduct regular risk analyses, looking for signs of weakness and determining which points of your system are vulnerable to hacking and other forms of nefarious attacks. Many family-care physicians overlook this fundamental step, placing them at a greater risk for data breach.
Technical, Physical and Administrative Safeguards
Arguably, the single most important step towards remaining compliant with HIPAA is the implementation of technical, physical and administrative safeguards. Technical safeguards involve the use of firewalls, virus scanners and other digital measures to protect EPHI, while physical safeguards are tangible measures like locked doors and windows. Administrative safeguards, as the name suggests, consists of policies and procedures that are intended to protect against unauthorized use or disclosure of PHI.
Hopefully, it never happens to your practice, but if you ever experience a breach involving PHI (paper or digital), you'll need to notify HHS ASAP. For breaches involving 500 or more patients, the Secretary must be notified within 60 days from the discovery of the breach. For breaches involving 500 or fewer patients, HHS must be notified within 60 days from the end of calendar year during which the breach occurred.
For more information on how and when to report breaches of PHI, check out the Department of Health and Human Services' (HHS) webpage at http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.