If you are a health care provider, plan or clearinghouse, you are considered a “covered entity” by HIPAA (Health Insurance Portability and Accountability Act of 1996). This means that you must comply with the provisions of this law intended to protect patient health information while at the same time making electronic health information exchange more efficient. Furthermore, if you have a contract with one of the entities above that requires access to patient health information, you are a “business associate” and are also covered by the expanded HIPAA provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009). Health information is considered “protected” – “Protected Health Information” or PHI for short – if it pertains to a health condition, or to the corresponding care and payment, and can reasonably be attributed to a specific individual.
Compliance with this law, however, requires putting together an entire program, which many providers struggle with given their stretched resources and sometimes complicated IT requirements.
Here are ten items that I hope will help you get started or reinforce your existing program. Certainly, a comprehensive HIPAA program includes details that go beyond this list, and this isn’t intended as a legal checklist. It nevertheless describes many of the key elements and shares links to go deeper if you wish.
- Have a Business Associate Agreement signed with all your business associates. In a nutshell, “business associates” get access to and process PHI but do not directly provide healthcare (for example, medical transcriptionists or billing companies). This agreement defines responsibilities and required procedures pertaining to their handling of PHI. Templates are available online. Information, including sample wording for a Business Associate Agreement, is available here – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- Do a risk assessment of your operations. Since each operation is different, the likely areas for a breach (unencrypted PHI getting out) vary. For example, some providers may have one laptop while others might have hundreds. Furthermore, the risk of harm to the patient differs by situation: being publicly seen entering a clinic for flu shots is far less serious than being seen entering a drug rehab facility. A risk assessment will both guide you in developing the appropriate measures and provide a way of explaining to auditors why certain decisions have been made. A security risk assessment tool is available here – http://www.healthit.gov/providers-professionals/security-risk-assessment
- Have written privacy and security procedures developed for your practice. Following the risk assessment, you should put your privacy and security procedures in writing (and update them regularly). Employees should be well versed in this document.
- Train all your personnel on PHI privacy. All new employees should be trained on HIPAA and current employees should be periodically reoriented. Make sure these training exercises are documented. It is recommended that the training covers HIPAA, the privacy provisions under the HITECH Act as well as state health privacy laws.
- Assign a Privacy Officer in your organization. You’ll need a point person (internally and externally) in charge of keeping the procedures relevant as well as facilitating training and other program activities.
- Make sure all your patients read, or at least acknowledge access to, your Notice of Privacy Practices. This document should ideally be part of your new patient packet as well as displayed prominently in your facility. It describes the rights of your patients regarding their health information. Sample notices are available here – http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
- Implement physical security. Ask the questions: Do you have control over who has physical access to your network and servers 24×7? Are your routers, backup drives and servers located in a restricted area? Do you know at all times exactly who has the keys and who knows the entry codes? If not, now is the time to fix it.
- Make sure you have reliable and secure data backups for electronic PHI. The HIPAA security final rule basically says that PHI data backups are not optional, they’re required – they should be verified, must have offsite copies and must be documented. Ask your electronic medical records/practice management vendors about their recommendations for backup. Here’s some info on HIPAA compliant backup – http://www.hbma.org/news/public-news/n_the-truth-about-hipaa-hitech-and-data-backup
- Secure your network. Your internal network should not be accessible to party crashers. You should have your own router that is separate from the one provided by your internet service provider. This is your main gate and entry point from the outside and should be set up by an IT professional. You should have a separate office-network wifi from guest wifi, the latter being set up between your router and your internet provider’s own modem/router. Employee access for personal purposes (smart phones and tablets) should only use the guest network. And if any PHI has to go past your “gate” (main router), it should always be encrypted (e.g. look for the “s” in “https” for sites in your browser, or “ftps”/“sftp” for file transfer). Other risks to watch out for are USB drives, network wall plugs and a loose password policy.
- Have a protocol for external PHI requests. HIPAA allows (and under certain conditions requires) PHI to be disclosed to specific parties (e.g. a request by a patient or their attorney, or an approved research study) for a reasonable charge and within a time window. Many of these requests are routine, but note that they must be compliant with HIPAA standards. The information you provide must be the “minimum necessary” to satisfy the request, and the disclosure must be documented (normally not an issue if the patient directly makes the request, or if it is made by another health provider as part of that patient’s care). Note too that not just HIPAA but other federal, state and local laws may come into play, so it is best to know these rules beforehand rather than do the research when you receive the request.
Here’s some guidance if you receive a PHI request – http://www.proassurance.com/newsletter/default.aspx?f=a&k=53.
Here’s a reference for “minimum necessary” – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html.
You may contact the author at firstname.lastname@example.org