
A review of what was included in the 2022 HIPAA compliance checklist

Patient financial and medical data is highly sensitive, and therefore medical practices are required to follow a strict HIPAA checklist to safeguard it.

It is important for Medical Practices to familiarize themselves with the HIPAA privacy rule. This rule sets the actual protections that need to be put in place, including both technical and non-technical protocols.

1. Understand HIPAA Privacy and Security Rules 2022

The Department of Health and Human Services (HHS) continues to focus on investigating small breaches, potentially increasing their attention to protecting PHI in the fields of psychology, psychiatry, and mental health.

2. Determine if the Privacy Rule affects you

HIPAA defines these individuals and organizations as covered entities:

  • Health care providers
      • Doctors
      • Clinics
      • Psychologists
      • Dentists
      • Chiropractors
      • Nursing homes
      • Pharmacies
  • Health plans
      • Health insurance companies
      • HMOs
      • Company health plans
      • Government-provided health care plans
  • Healthcare clearinghouses

Healthcare clearinghouses are the entities that process healthcare data received from another entity into a standard form.

3. Protect the right types of patient data

The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or its business associates. This can be in any form of media, from paper and electronic to verbal communications.

This typically includes — but is not exclusively limited to — the following kinds of patient data:

  • Names and birthdates
  • Social Security Numbers
  • Medical record numbers
  • Photographs and digital images
  • Dates pertaining to a patient’s birth, death, treatment schedule, or relating to their illness and medical care
  • Contact information such as telephone numbers, physical addresses, and email
  • Fingerprints and voice recordings
  • Any other form of unique identification or account number

4. Prevent potential HIPAA violations

The most common type of violation is internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.

A workstation left unlocked, or a paper file misplaced in a public setting — although not malicious — are the types of violations to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another great example of a non-intentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.

Here are some of the basic steps you can take to prevent HIPAA violations:

Understand data breaches

A data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.

Recognize common violations

Some common causes that can lead to a HIPAA violation are equipment theft, hacking, malware or ransomware, physical office break-in, sending PHI to the wrong party, discussing PHI in public, and/or posting it to social media. Knowing these common violations will help you prevent them from occurring.

Anticipate a minor breach

A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions to be taken in this instance. Have processes in place in case what HIPAA defines as a minor breach takes place.

Prep for a meaningful breach

A meaningful breach affects over 500 people within a given jurisdiction. It needs to be reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties and law enforcement immediately.

5. Stay updated on HIPAA changes

Some highlights of the 2022 HIPAA update include potential changes to:

  • Patient acknowledgment of notice of privacy practices
  • The minimum necessary standard for PHI protection
  • Allowable disclosures related to care coordination and case management
  • Disclosures of PHI for health emergencies
  • Citizens’ rights to access their protected health information (PHI)
  • Fees that organizations may charge individuals to access PHI

Even though you may have reached HIPAA compliance at present, it’s imperative to monitor the impending 2022 HIPAA update and work with your compliance partner to ensure you comply when it arrives.

6. Know how COVID affects HIPAA

Patients’ PHI is now being handled from more locations and in people’s homes on personal devices in many cases. To account for this, the HHS CSC decided to suspend HIPAA-related fines and penalties for a time.

However, the change may or may not be permanent, so extra precautions involving PHI handling in the work-from-home, telehealth-centric era must be taken to ensure compliance over the long haul. You’ll want to tightly define and control device ownership so that it’s crystal clear who is handling what types of PHI.

The HHS has also recently released guidelines for how healthcare organizations need to treat vaccination status as PHI in 2022 and beyond. The current announcement sets forth very specific guidelines as to how, where, and to whom a patient’s vaccination PHI status can be disclosed. Your HIPAA compliance team should carefully review these standards, build the right processes into your compliance plan, and ensure staff only discloses vaccination status in a HIPAA-compliant fashion.

7. Document everything

One of the best things you can do is to document as much as possible related to your HIPAA compliance efforts. You may even want to implement custom-built HIPAA compliance software to track things like security measures taken, PHI sharing with other entities, and potential breach activity.

8. Report data breaches

If someone’s PHI is compromised, HIPAA sets forth rules for notifying affected individuals. These procedures are set forth by the HIPAA Breach Notification Rule. Your cybersecurity policy should have procedures in place for notifying the right parties, including regulators or law enforcement, in sufficient time.

Source: https://www.varonis.com/blog/hipaa-compliance

AltuMED PracticeFit is one of the industry-leading, HIPAA-compliant medical billing software products. PracticeFit is the intuitive advocate that your company needs to compete in this cutthroat medical billing industry. Sign up today and claim your free subscription.
