With phase 2 of Health Insurance Portability and Accountability Act (HIPAA) audits right around the corner, there's no better time than now for doctors and covered entities to prepare themselves. The Office for Civil Rights (OCR) has been handing out violations more frequently as of late. According to the official Department of Health and Human Services (HHS) website, the OCR has investigated 34,975 complaints from April 2003 to December 2015, 24,047 of which required corrective action.
Rather than crossing your fingers and hoping that you don't get audited, you should take a proactive approach towards ensuring your healthcare facility is compliant with HIPAA. Doing so will give you peace of mind knowing that you'll pass an audit without facing fines and/or corrective actions.
Privacy and Security Officer
Many covered entities overlook the importance of designating a privacy and security officer, assuming it offers little to no benefit. Regardless, though, HIPAA requires all covered entities to have both of these job roles filled. Failure to do so could result in a violation if you are audited. The good news, however, is that the privacy and security officer can be the same person, meaning there's no need to designate two different separate workers for these positions.
What type of safeguards do you have in place to protect against the unauthorized access and use of Electronic Protected Health Information (EPHI)? Covered entities must use a combination of technical, administrative and physical to protect patients' digital files from unauthorized use. As noted by the Department of Health and Human Services (HHS) website, however, these safeguards only apply to electronic forms of PHI and not oral or written.
It should come as little-to-no surprise that improper disposal of PHI is among the most frequently cited HIPAA violations. Far too many doctors and covered entities dispose of sensitive patient files by tossing them in the trash. HIPAA, however, requires that PHI be destroyed to the point where no personally identifiable information can be retrieved. Incinerating, burning and shredding will typically do the trick.
Business Associates Agreement
Make sure you have the necessary Business Associates Agreements (BAAs) in place for any and all third-party organizations with whom you do business that handle PHI. Whether it's another healthcare facility, cloud storage provider, or even a mHealth app developer, HIPAA requires all covered entities to create BAAs when conducting business with another entity that accesses or facilitates their PHI.