Many independent doctors turn a blind eye to Health Insurance Portability and Accountability Act (HIPAA) compliance. They assume compliance is handled by the hospital or network under which they operate. In reality, however, independent doctors have an equal amount of responsibility regarding Protected Health Information (PHI). Violations – blatant or otherwise – could result in direct action being taken against the doctor.
Covered entities, including independent doctors and physicians, must implement physical safeguards to protect their patients' information. While HIPAA doesn't name any specific physical safeguards, some examples include locked doors, privacy screen protectors, locked file cabinets, and locked windows. As the name suggests, a physical safeguard consists of some tangible element used to reduce the risk of PHI disclosure.
Technical safeguards should also be used to reduce the risk of PHI disclosure. One of the most common types of technical safeguards is data encryption. In the recent case of Anthem, Inc., investigators determined that it had not encrypted its patients' information, which subsequently led to the disclosure of millions of files. Independent doctors and physicians should put forth the effort to encrypt their PHI, as this simple technical safeguard can make a world of difference in the security of their patients' files.
A third type of safeguard that all covered entities are required to implement is administrative. Administrative safeguards consist of the organization, procedures, and maintenance of internal security measures used to protect PHI from disclosure. This catch-all term involves the assignment of both a Security Officer and a Privacy Officer (note: you can designate a single person for both of these roles), as well as training staff on HIPAA Rules.
HIPAA Compliance Tips For Independent Doctors:
- Implement physical, technical and administrative safeguards.
- Properly dispose of paper files by shredding or incinerating them.
- Review contracts with third-party business associates who handle or otherwise have access to your company's PHI. With the addition of the Omnibus Rule, business associates of covered entities are required to implement the same safeguards and measures as the entity.
- Conduct a risk assessment to determine whether or not PHI is vulnerable.
- Create and routinely analyze your company's written policies regarding HIPAA compliance.
- Ensure that any email services used by your company meet HIPAA standards.
- Don't assume that “secure” texting apps make it OK to text PHI to patients.