As you may already know, the Office for Civil Rights (OCR) is currently conducting the second phase of its Health Insurance Portability and Accountability Act (HIPAA) audits. So whether your business is a general care practice, a chiropractic office, a dental office or any other covered entity, you should conduct your own internal audit to confirm that you comply with HIPAA. Failing to do so could result in hefty fines and/or corrective actions handed down by the OCR in the event of an audit.
Identify Business Associates
Many covered entities fail to properly acknowledge their business associates. As such, they often violate HIPAA by not having the appropriate Business Associates Agreements (BAAs) in place. The HIPAA Privacy Rule requires BAAs whenever a business associate has access to Protected Health Information (PHI). Refer to this article by the Department of Health and Human Services (HHS) for more information on who's a business associate and who's not.
Don't underestimate the importance of encryption when storing, transferring or otherwise handling Electronic Protected Health Information (EPHI). In recent years, more and more covered entities have transitioned from paper files to digital records. With this shift to digital media comes a greater need for digital security, and encryption is one of the most effective controls available. Covered entities and their business associates should encrypt all EPHI, both where it is stored and while it is transmitted, to reduce the risk of unauthorized use or access.
Keep Track of Portable Storage Devices
Even if a portable device on which EPHI is stored is encrypted, covered entities should still take care to ensure the device doesn't end up in the wrong hands. Lost and stolen devices are an all-too-common problem among healthcare providers. Perhaps an employee leaves a USB flash drive in a car, and the car is broken into and the flash drive stolen. Situations like this can lead to a HIPAA violation, so don't make the mistake of losing track of your portable storage devices, especially if they contain EPHI.
Covered entities should also keep their computers secure. As required by the HIPAA Security Rule, EPHI must be protected using a combination of physical, technical and administrative safeguards. In other words, you must protect the computers on which EPHI is stored using both physical and digital measures. Physical safeguards are tangible measures such as locked doors and security guards, while technical safeguards are intangible measures such as encryption and strong passwords.