With the second round of audits right around the corner, there's no better time than now for doctors and other physicians to ensure their practice is compliant with the Health Insurance Portability and Accountability Act (HIPAA). As you may already know, the HIPAA Security Rule requires covered entities to implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ePHI) and to prevent unauthorized access to it. To learn more about the HIPAA Security Rule and tips for doctors to follow, keep reading.
The first step in ensuring your practice is compliant with the HIPAA Security Rule is to limit physical access to ePHI, so that unauthorized individuals are kept out while authorized individuals can still reach the facility and equipment where it is stored. Technical jargon aside, this physical safeguard means keeping ePHI in a room that's off limits to patients and the general public. If your practice has an office in which ePHI is stored, for instance, keep the door locked, give keys only to the employees who need them, and keep a record of who holds a key so it can be recovered when someone leaves.
What exactly are access controls? They are pretty much exactly what they sound like: controls over who can access ePHI and who cannot. A simple yet effective form of access control is to give each employee a unique username and password for logging into the system; shared or generic logins defeat the purpose, because the system can no longer tie an action on ePHI to the person who took it. In order to access ePHI, the employee must then enter his or her own username and password. Access control is a “technical safeguard,” one of the many requirements of maintaining a HIPAA-compliant practice.
Another technical safeguard is transmission security. Sending ePHI over an unprotected, unencrypted channel is just asking for trouble: anyone positioned on the network path, from a shared office Wi-Fi to an intermediate provider, can read or alter the traffic, and your practice will usually have no way of knowing it happened. Under the Security Rule, encryption of ePHI in transit is an “addressable” implementation specification, which means a covered entity must either encrypt or document why a reasonable and appropriate alternative measure was used instead. This is why the Department of Health and Human Services requires all covered entities to implement appropriate and meaningful measures to secure their transmissions.
Does your practice have a security officer? If not, you may unknowingly be in violation of HIPAA. Under the administrative safeguards of the HIPAA Security Rule, covered entities must designate a security official who is responsible for developing and implementing the required security policies and procedures. Note: the security officer can be the same person as the privacy officer required by the Privacy Rule. The bottom line, however, is that every covered entity must name a security officer to remain compliant with the Security Rule's administrative safeguards.