Properly Dispose of Records
The keyword here is “properly.” We talked about this in a previous blog post, but in case you missed it, a Denver-based pharmacy was recently fined $125 by the Department of Health and Human Services (HHS) for disposing of customers' records in a publicly accessible dumpster. HIPAA states that Protected Health Information (PHI) must be destroyed to the point where personally identifiable information can no longer be recovered from it.
Create Business Associate Agreements
If your practice conducts business with third-party entities, and those entities access or handle PHI, you must create a Business Associate Agreement (BAA) for each of them. A BAA outlines the manner in which the third-party entity is allowed to use the PHI. The recent HIPAA Omnibus Rule added this requirement to the existing set of HIPAA Rules, so make sure you have BAAs in place for all of your business associates.
Designate a Privacy and Security Officer
Even if you believe your practice's PHI is safe and secure, you should still designate a worker to be the Privacy Officer and Security Officer. HIPAA requires all covered entities to have these roles, and failure to do so could result in a fine. The Privacy Officer, as the name suggests, is responsible for ensuring the entity abides by the HIPAA Privacy Rule, whereas the Security Officer is responsible for compliance with the HIPAA Security Rule. The Privacy Officer and Security Officer can be the same person, and they are also allowed to have other titles and/or job responsibilities.
Technical and Physical Safeguards
Covered entities must implement meaningful and reasonable technical and physical safeguards to protect PHI from unauthorized access. Physical safeguards include measures such as locked doors to computer rooms and privacy screens, whereas technical safeguards include encryption, firewalls, virus scanners, unique user identifiers, and more. Make sure you have both technical and physical safeguards in place; otherwise, your practice could be found in violation of the HIPAA Security Rule.
Perform an Internal Audit
Why wait for HHS to audit your practice? A smarter choice is to perform an internal audit of your practice and its related systems, checking whether or not you are compliant. Of course, you'll need to familiarize yourself with the HIPAA Rules beforehand, but thankfully there are training programs available specifically for this purpose.