It seems like everyone loves to name drop HIPAA, the Health Insurance Portability and Accountability Act, but few people actually know what HIPAA is or what it covers.
There were over 2,100 major healthcare data breaches in the eight years preceding 2017. Between the sheer number of data breaches occurring on a seemingly daily basis and the permeability of data to hackers, complying with HIPAA seems like a monumental task. Thankfully, it’s not as difficult as it seems.
Read on to learn how to stay HIPAA compliant.
1. Are You a Covered Entity or a Business Associate?
First things first. HIPAA covers PHI or Protected Health Information. A covered entity is any sort of health plan or health care provider that regularly deals with PHI. This means that they create, maintain, or transmit PHI.
Business associates are people or businesses that provide services to covered entities. That doesn’t mean everyone who does business with a covered entity is a business associate. You are only a business associate if you have access to PHI within the scope of your services to the covered entity.
Covered entities should require business associates to sign an agreement that sets out the scope of their access to PHI. When in doubt, less access is better.
2. Strict Physical & Computer Security Standards
HIPAA isn’t just meant to put a gag on employees discussing protected health information with other people. It also put into place strict physical and computer security standards.
What does this mean? For computer data, you have to make sure that your data is encrypted to NIST standards if it leaves your business’ internal servers. Your internal servers must have a firewall and access controls.
Physical safeguards deal with physical access to ePHI. This means that no matter where it is stored, there must be strict access restrictions to ePHI.
3. Review Your Administrative Policies
Remaining HIPAA compliant means making sure that your internal administrative policies are in line with current HIPAA laws. Be sure to frequently conduct critical checks on your risk management policy.
It’s also important to develop and test a contingency plan for emergency situations. Don’t wait until your business is the target of ransomware to decide how to act! And remember, the more you do to prepare, the better you’ll fare in the event a breach occurs.
4. Training, Training, Training
Ongoing employee training is one of the most powerful tools you have to prevent HIPAA data breaches. Employees should know which information they can share and which they cannot. They also need to know how to properly handle PHI and ePHI.
Why ongoing? As with most laws, HIPAA’s requirements will evolve over time. Even if they stay the same, it is important to refresh your employees’ training to keep them on the up and up.
5. Report When Necessary
It’s tempting to try and hide a breach. A breach is a big deal. But not reporting is the worst thing you can do in the event of a breach.
Have a plan in place regarding your reporting procedure in the event of a breach. How will you notify patients? Be ready to report what type of ePHI was exposed, who obtained access to the ePHI, whether the ePHI was actually viewed, and the risk of damage as a result of the breach.
In all cases, you’ll have to report to OCR promptly. Remember, when a breach affects over 500 people, you have to notify the media, too.
“We don’t pride ourselves on being HIPAA compliants experts, our job is to serve you in times of crisis, and prevent HIPAA violations.”
Are You HIPAA Compliant?
Staying HIPAA compliant doesn’t have to be a daunting task, especially when you have help in the form of web security services.
Between beefing up physical and computer security standards, restricting the access of business associates to PHI, and keeping up with training, your business will be in the free and clear.
Ready to up your HIPAA compliance game? Schedule your free HIPAA risk assessment today!