As the first quarter draws to a close, there's no better opportunity for healthcare practitioners to conduct an internal audit of their practice's Health Insurance Portability and Accountability Act (HIPAA) policies. The Office for Civil Rights (OCR) has been increasing its HIPAA enforcement efforts in recent months, handing out more fines to covered entities and business associates who violate this federal law. So, what steps can you take to ensure compliance with HIPAA?

Review ePHI Safeguards

The HIPAA Security Rule requires covered entities to implement a combination of physical, technical and administrative safeguards to prevent the unauthorized access of Electronic Protected Health Information (ePHI). Physical safeguards are tangible preventative measures that you can see and feel, such as locked doors and privacy screen protectors. Technical safeguards are intangible preventative measures, such as encryption and network monitoring. Administrative safeguards are policies and plans used to protect ePHI.

Review Your Business Associates Agreements

Assuming you conduct business with third parties, you should review the business associates agreements (BAA) you have in place with those third parties. HIPAA requires all covered entities to create and maintain BAAs when a third party has access to their Protected Health Information (PHI). Failure to create a BAA is one of the most common HIPAA violations cited by the OCR.

Change Passwords

When was the last time that you changes your user account passwords? Even if you've never experienced a breach, you should still change your account passwords on a regular basis. This is a quick and easy way to reduce the risk of a data breach.

Review Patient Authorization Forms

Covered entities should also review their patient authorization forms to ensure they comply with HIPAA and its respective rules. Patient authorization forms are used when a covered entity must transfer a patient's personal information to another entity, such as a business associate. While covered entities are allowed to use a patient's personal information for specific reasons, such as facilitating immediate medical care, authorization forms are still needed in many scenarios.

Protect Electronic Devices

If your practice stores ePHI on devices such as laptops, tablets and smartphones, you should take measures to ensure the ePHI is protected from unauthorized access and use. If a laptop becomes stolen, will the thief have access to patient information? Encrypting data and setting up a remote wipe feature is a simple solution to protect against problems such as these.

Subscribe to our mailing list

* indicates required