As the first quarter draws to a close, there's no better opportunity for healthcare practitioners to conduct an internal audit of their practice's Health Insurance Portability and Accountability Act (HIPAA) policies. The Office for Civil Rights (OCR) has been increasing its HIPAA enforcement efforts in recent months, handing out more fines to covered entities and business associates who violate this federal law. So, what steps can you take to ensure compliance with HIPAA?
Review ePHI Safeguards
The HIPAA Security Rule requires covered entities to implement a combination of physical, technical and administrative safeguards to prevent the unauthorized access of Electronic Protected Health Information (ePHI). Physical safeguards are tangible preventative measures that you can see and feel, such as locked doors and privacy screen protectors. Technical safeguards are intangible preventative measures, such as encryption and network monitoring. Administrative safeguards are policies and plans used to protect ePHI.
Review Your Business Associates Agreements
Assuming you conduct business with third parties, you should review the business associates agreements (BAA) you have in place with those third parties. HIPAA requires all covered entities to create and maintain BAAs when a third party has access to their Protected Health Information (PHI). Failure to create a BAA is one of the most common HIPAA violations cited by the OCR.
When was the last time that you changes your user account passwords? Even if you've never experienced a breach, you should still change your account passwords on a regular basis. This is a quick and easy way to reduce the risk of a data breach.
Review Patient Authorization Forms
Covered entities should also review their patient authorization forms to ensure they comply with HIPAA and its respective rules. Patient authorization forms are used when a covered entity must transfer a patient's personal information to another entity, such as a business associate. While covered entities are allowed to use a patient's personal information for specific reasons, such as facilitating immediate medical care, authorization forms are still needed in many scenarios.
Protect Electronic Devices
If your practice stores ePHI on devices such as laptops, tablets and smartphones, you should take measures to ensure the ePHI is protected from unauthorized access and use. If a laptop becomes stolen, will the thief have access to patient information? Encrypting data and setting up a remote wipe feature is a simple solution to protect against problems such as these.