The Office for Civil Rights (OCR) is currently conducting the second phase of its Health Insurance Portability and Accountability Act (HIPAA) audits. This means doctors, physicians, chiropractors, dentists and other covered entities – along with their business associates – can expect to see greater enforcement efforts. While a nuisance for many healthcare practitioners, HIPAA audits play an important role in protecting the privacy and confidentiality of patients. So, what steps can you take to ensure compliance with HIPAA and its rules?

Review PHI Disposal Practices

How does your practice handle the disposal of Protected Health Information (PHI)? The OCR requires covered entities and their business associates to fully destroy PHI so that it cannot be recreated or otherwise retrieved. As such, throwing away a patient's paper medical record typically does not suffice. Acceptable forms of disposal for paper PHI include shredding, burning and/or pulverizing.

Review Business Associates Agreements

Assuming your practice does business with a third party – and that third party has access to PHI – you should review your Business Associate Agreements (BAAs). These documents are critical when conducting business with a third party. Unfortunately, many covered entities turn a blind eye to BAAs, believing they aren't necessary. Only later, however, do they discover that failure to create and maintain appropriate BAAs is a serious HIPAA violation.

Check Your Website

You should also check your healthcare practice's website to ensure it's not violating HIPAA or its rules. Many covered entities allow patients to update their information online – and that's okay. However, if the information is classified as PHI (or ePHI in this case), you must follow the Security Rule. This means implementing a combination of physical, administrative and technical safeguards to protect the PHI from unauthorized use and access.

Encrypt ePHI

Encryption is no longer something that covered entities can ignore. It's a simple yet highly effective way to safeguard ePHI, protecting it from unauthorized use and access. And as stated in the Security Rule, covered entities should encrypt data when deemed useful and appropriate.

Review Policies

Of course, there's no better time than the present to review your policies and procedures for handling PHI. Are you obtaining authorization from patients before disclosing their PHI? If not, you should be. While there are a few exceptions in which authorization isn't necessary, it is required in most situations.
