Do you own or otherwise operate a healthcare practice in the U.S.? If so, you should be aware of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implications. Ignorance of the law is no excuse, and turning a blind eye to HIPAA can result in civil fines or even criminal penalties. Just months ago, a Denver-based pharmacy was fined $125,000 for failing to properly dispose of customers' records, a blatant HIPAA violation. So, how can you protect your practice from fines and penalties?

Know The Rules

Trying to understand HIPAA can be confusing, especially for individuals who are unfamiliar with it. However, the Department of Health and Human Services (HHS) makes it more manageable by breaking the regulation into several sections, or Rules: chiefly the Privacy Rule, the Security Rule and the Breach Notification Rule (published together as the HIPAA Administrative Simplification regulations), each of which has its own set of standards. One of the first steps towards becoming HIPAA-compliant is to understand these Rules and what they entail.

Respect Patient Privacy

It's not uncommon for healthcare workers to gossip amongst themselves about various patients. While this type of banter may seem harmless enough, it can be a direct violation of HIPAA. If a worker discloses information that qualifies as "Protected Health Information" (PHI) to someone who isn't authorized to receive it, and the disclosure serves no permitted purpose such as treatment, payment or healthcare operations, the practice is violating the HIPAA Privacy Rule. When in doubt, err on the side of caution and say nothing.

Disposal of Documents

As mentioned earlier, pharmacies and other covered entities can be fined for improper disposal of patients' and customers' documents. HIPAA requires PHI to be destroyed in a manner that prevents it from being read or reconstructed; for paper records, suitable methods include shredding, pulping or burning. For data storage devices, deleting files or reformatting is not enough, because both leave the underlying data on the media. The device should be overwritten, cryptographically erased or physically destroyed before it is discarded, resold or donated, and the result should be verified rather than assumed.
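The point that a wipe has to be verified is easy to state and easy to skip. The script below is an added example, not part of the original article or any HHS guidance: it overwrites a storage target with random data and then zeros, and only reports success after reading the whole region back and confirming every byte is zero. It assumes a POSIX shell with coreutils (head, dd, cmp, grep) and runs against a regular file standing in for a retired drive; on a real block device you would run it as root and pass the byte size from `blockdev --getsize64 /dev/sdX`. The sample record is constructed and contains no real patient data.

```shell
#!/bin/sh
# Added example (not from the original article): overwrite a storage target,
# then verify by read-back that the original contents are gone.
# Assumptions: POSIX sh with coreutils. The demo uses a regular file as a
# stand-in for a disk; for a block device, supply its byte size explicitly.

# wipe_and_verify TARGET SIZE_BYTES [RANDOM_PASSES]
# Writes RANDOM_PASSES passes of random data (default 1) followed by one pass
# of zeros over the first SIZE_BYTES of TARGET, then compares the region
# against a zero stream of the same length. Returns 0 only if read-back
# confirms the region is entirely zero; 1 on residue; 2 if TARGET is missing.
wipe_and_verify() {
    target="$1"
    size="$2"
    passes="${3:-1}"

    [ -e "$target" ] || { echo "no such target: $target" >&2; return 2; }

    i=0
    while [ "$i" -lt "$passes" ]; do
        # conv=notrunc keeps the file/device length; dd writes exactly what it reads.
        head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null

    # Verification step: a wipe that is not read back is only an assumption.
    if head -c "$size" /dev/zero | cmp -s - "$target"; then
        return 0
    fi
    echo "residual data detected on $target" >&2
    return 1
}

# contains_marker TARGET STRING
# Returns 0 if STRING is still readable in the raw bytes of TARGET. Searching
# raw media for a known marker is a cheap spot check that complements the
# full zero comparison above.
contains_marker() {
    grep -a -q -- "$2" "$1"
}

# demo: end-to-end run against a temporary file holding a constructed record.
demo() {
    disk=$(mktemp)
    # Constructed sample record (not real PHI); the marker lets us search raw bytes.
    printf 'PATIENT-RECORD-MARKER MRN=000001 DX=example\n' > "$disk"
    size=$(( $(wc -c < "$disk") ))

    contains_marker "$disk" PATIENT-RECORD-MARKER && echo "before: record readable"

    if wipe_and_verify "$disk" "$size" 1; then
        echo "after: wipe verified, $size bytes read back as zero"
    fi
    if contains_marker "$disk" PATIENT-RECORD-MARKER; then
        echo "after: record STILL readable" >&2
        rm -f "$disk"
        return 1
    fi
    rm -f "$disk"
    return 0
}

demo
```

Two caveats a practitioner should keep in mind. First, overwriting is a "clear"-level method in NIST SP 800-88 terms; on SSDs and other flash media, wear levelling can leave copies of data in blocks the host cannot address, so the drive's own sanitize command (for example via `nvme sanitize` or `hdparm --security-erase`), cryptographic erasure of a drive that was always encrypted, or physical destruction is the appropriate choice for media leaving your control. Second, record what was wiped, how, by whom and the verification result; under HIPAA the documentation is part of the safeguard.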

Implement Safeguards

Cybersecurity is a core element of HIPAA, as the recent string of attacks on healthcare facilities and insurance providers makes clear. Failing to implement reasonable measures to protect patients' data from unauthorized access or disclosure can itself be a violation, even absent a breach. Under the Security Rule, covered entities must use a combination of administrative, physical and technical safeguards to protect electronic PHI. Physical safeguards include locked doors, privacy screens and controls over workstation and media access; technical safeguards include access controls, audit logging, integrity checks, user authentication and encryption of PHI in transit and at rest, supported by tools such as firewalls and malware scanners; administrative safeguards include a documented risk analysis, workforce training and the designation of a security officer responsible for the program.
