The Health Insurance Portability and Accountability Act of 1996 (HIPAA, as it’s known today) is a compliance law that affects every American business that deals with medical data.
Failure to comply with these stringent regulatory practices usually puts patient health information at risk. The penalties for violations can be severe, ranging from $100 to $50,000 per violation (or even per record), with a maximum of $1.5 million.
Some may scoff at a mere $1.5 million cap. However, there is also the reputational damage to account for. Oftentimes, people won’t want to do business with organizations that are repeatedly fined and that take a lax stance on personal data.
In other words, HIPAA compliance is important. You’ll want to ensure you’re following regulations while staying up to date with them – and here’s a 4-step checklist to do exactly that.
1. Ensure you’ve got unified communications for electronic transmissions
Part of HIPAA Rule: “Transactions and Code Sets”
It’s hard to keep track of and standardize patient data transfers if your organization is using a myriad of different communication platforms. Fortunately, it’s not a difficult challenge to overcome.
How to follow through with it: Pick a compliant electronic health record (EHR) system that can do it all for you. With the right EHR at your disposal, your encryptions and transmission formats are already handled for you.
Speaking to the EHR vendor prior to implementation is the key to ensuring that it fulfills your specific data transfer requirements to be HIPAA compliant.
2. Get your unique identifiers under wraps
Part of HIPAA Rule: “Identifier Standards”
Each individual or organization that has anything to do with healthcare must have a 10-digit National Provider Identifier (aka an NPI). This ensures that doctors and organizations with the same (or similar) names don’t get confused. Since each number is completely unique, there are no crossed wires.
How to follow through with it: If you’re working in healthcare, there’s a very good chance that you’ve already got an NPI in place. If not, check with the National Plan and Provider Enumeration System (NPPES) to get one.
3. Protect the privacy of your patients
Part of HIPAA Rule: “Patient Privacy”
This is what most people think of when they say “HIPAA”. This rule is all about protecting individually identifiable health information that’s held either digitally, on paper, or even orally. It’s known as “protected health information”, or PHI for short.
How to follow through with it: It’s a bit long to put into a blog post, but you should take the time to read through the privacy rule as dictated by the Health & Human Services (HHS) department. Highlights include:
- Designate a privacy official who is tasked with developing and implementing the actual privacy policies, as well as receiving requests and complaints in regard to the privacy rule.
- Keep all disclosures of PHI with your practice.
- Create a notice of privacy practices that your organization follows. You can follow the HHS standard for this, which is a lot better than creating your own.
- Actively train your staff on security best practices and ensure that they’re diligent in keeping patient data safe.
There’s a lot to this rule, so it’s worth having a conversation with professionals who live in the world of compliance.
4. Ensure you’re securing your electronic medical information
Part of HIPAA Rule: “Security Rule”
The security rule applies to your practice if it “receives, maintains or transmits communications in electronic form.” Since it’s 2019, it’s safe to say that this will apply to you.
Pragmatically, it means that you’ll need to ensure that you’re consistently performing risk analysis reports to address potential gaps in your security.
How to follow through with it: Run a thorough risk analysis for electronic PHI. Once that’s completed, shore up the gaps that correspond to the following areas:
Once you’re sure that you’ve taken the necessary steps to secure those areas, document everything. Repeating those steps from time to time is enough to pass this section of the compliance requirements.
Want to learn more about compliance? Check out our blog on PCI compliance.