Patient financial and medical data is highly sensitive, and medical practices are therefore required to follow a strict HIPAA checklist to safeguard it.
It is important for medical practices to familiarize themselves with the HIPAA Privacy Rule. This rule sets out the actual protections that need to be put in place, including both technical and non-technical controls.
The Department of Health and Human Services (HHS) continues to focus on investigating small breaches, potentially increasing their attention to protecting PHI in the fields of psychology, psychiatry, and mental health.
HIPAA defines these individuals and organizations as covered entities:
These entities process healthcare data from another entity into a standard form.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or its business associates. This can be in any form of media, from paper and electronic to verbal communications.
This typically includes, but is not limited to, the following kinds of patient data:
Names and birthdates
Social Security Numbers
Medical record numbers
Photographs and digital images
Dates pertaining to a patient’s birth, death, treatment schedule, or relating to their illness and medical care
Contact information such as telephone numbers, physical addresses, and email
Fingerprints and voice recordings
Any other form of unique identification or account number
The most common type of violation is internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.
A workstation left unlocked, or a paper file misplaced in a public setting, although not malicious, are the types of violations to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another common example of an unintentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.
Here are some of the basic steps you can take to prevent HIPAA violations:
A data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.
Some common causes that can lead to a HIPAA violation are equipment theft, hacking, malware or ransomware, physical office break-in, sending PHI to the wrong party, discussing PHI in public, and/or posting it to social media. Knowing these common violations will help you prevent them from occurring.
A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions to be taken in this instance. Have processes in place for handling what HIPAA defines as a minor breach.
A meaningful breach affects over 500 people within a given jurisdiction. These must be reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties and law enforcement immediately.
Some highlights of the 2022 HIPAA update include potential changes to:
Even though you may have reached HIPAA compliance at present, it’s imperative to monitor the impending 2022 HIPAA update and work with your compliance partner to ensure you remain compliant when it arrives.
Patients’ PHI is now being handled from more locations and in people’s homes on personal devices in many cases. To account for this, the HHS CSC decided to suspend HIPAA-related fines and penalties for a time.
However, the change may or may not be permanent, so extra precautions around PHI handling in the work-from-home, telehealth-centric era must be taken to ensure compliance over the long haul. You’ll want to tightly define and control device ownership so that it’s crystal clear who is handling what types of PHI, and on which devices.
The HHS has also recently released guidelines for how healthcare organizations need to treat vaccination status as PHI in 2022 and beyond. The current announcement sets forth very specific guidelines as to how, where, and to whom a patient’s vaccination PHI status can be disclosed. Your HIPAA compliance team should carefully review these standards, build the right processes into your compliance plan, and ensure staff only discloses vaccination status in a HIPAA-compliant fashion.
One of the best things you can do is to document as much as possible related to your HIPAA compliance efforts. You may even want to implement custom-built HIPAA compliance software to track things like security measures taken, PHI sharing with other entities, and potential breach activity.
If someone’s PHI is compromised, HIPAA sets forth rules for notifying affected individuals. These procedures are set forth by the HIPAA Breach Notification Rule. Your cybersecurity policy should have procedures in place for notifying the right parties, including regulators or law enforcement, within the required time.
Source: https://www.varonis.com/blog/hipaa-compliance
AltuMED PracticeFit is an industry-leading, HIPAA-compliant medical billing software. PracticeFit is the intuitive advocate that your company needs to compete in this cut-throat medical billing industry. Sign up today and claim your free subscription.