HIPAA Compliance: What you need to know

 

Many organizations are transitioning from paper to digital information systems, such as client management, Electronic Health Record (EHR), and Computerized Physician Order Entry (CPOE) software. These types of systems enable providers to give higher quality health care to clients by allowing collaboration with colleagues and access to personal information from remote locations. However, the shift to digital records brings new risks to organizations that can compromise patient confidentiality and result in HIPAA compliance violations.

 

The Health Insurance Portability and Accountability Act (HIPAA) require health related organizations to protect information by ensuring patient privacy. The rules of HIPAA are to:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information your organization creates, receives, maintains or transmits.

• Identify and protect against reasonably anticipated threats to the security or integrity of the information.

• Protect against reasonably anticipated, impermissible uses or disclosures.

• Ensure compliance by your workforce.

 

According to YourDictionary.com, the most common HIPAA compliance violations include:

• Failure to follow the authorization expiration date: Clients can set a date when their authorization expires. An organization releasing confidential records after that date would be violating HIPAA rules.

• Failure to promptly release information to patients: According to HIPAA, a client has the right to receive electronic copies of medical records on demand.

• Improper disposal of patient records: Shredding is necessary before disposing of client records.

• Insider snooping: This refers to family members or co-workers looking into a person’s medical records without authorization.

• Missing patient signature: Any HIPAA forms without the client’s signature is invalid, so releasing information would be a violation.

• Releasing information to an undesignated party: Only the exact person listed on the authorization form may receive client information.

• Releasing unauthorized health information: This refers to releasing the wrong document that has not been approved for release. A client has the right to release only parts of their medical record.

• Releasing wrong client's information: Through a careless mistake, someone releases information to the wrong person. This sometimes happens when two clients have the same or similar name.

• Right to revoke clause: Any forms a client signs need to have a Right to Revoke clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA compliance regulations.

• Unprotected storage of private health information: A good example of this is a laptop that is stolen, then thieves selling confidential information. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, thumbnail drive, or any other mobile device.

 

The consequences of not following HIPAA compliance standards include:

• Fines of at least $50,000, but could possibly go into the millions
• Audits
• Imprisonment of up to a year
• Legal action from patients

 

In order to ensure HIPAA compliance, your organization needs to:

• Implement written security policies and procedures: Your organization must set rules for acceptable use for accessing, storing, sharing, and protecting patient information. You’re your employees that failure to follow this policy can result in job loss and possible criminal prosecution. SwiftTech Solutions IT support can create this policy and procedures document for your organization.

• Employees must protect their office workspace: Your staff members should monitor any computers, monitors, printers, and fax machines they use closely and shield confidential information from prying eyes. Log out from your computer when you step away from it and lock up workplace mobile devices when not in use.

• Get client consent before releasing personal information to third parties: First, your organization should make sure to the client approves a document for release, typically with a signature. Once permission is granted for sharing information with third parties, obey the authorized expiration date stated by the form. Finally, your organization should inform patients they have the right to remove consent to access their confidential medical information.

• Use a strong anti-virus/anti-malware software and update it regularly: Viruses and malware can invade your computer from untrusted websites, email attachments, and file downloads. If you’re using the free AVG anti-virus protect software, this will not provide enough protection. We recommend using endpoint protection software, such as Symantec Endpoint Protection and Trend Micro Worry-Free Security Services. This software combines virus and malware protection, firewall program, and web browser security.

• Create a backup and disaster recovery plan: SwiftTech strongly recommends data backups to an onsite and offsite location. For example, Veeam Backup and Replication can archive your information to an onsite device dedicated to disaster recovery and offsite to a cloud storage provider, such as Windows or Amazon. If disaster does strike and, for example, a flood destroys your laptop, you can access your data from the cloud and resume your work on another device. Plus, the latest backup methods employ sophisticated methods of encryption so unauthorized individuals cannot access your confidential business data easily.

• Manage your passwords securely: Do not share passwords nor leave them on a piece of paper in your desk drawer. Consider a password service for managing your website login information. Imprivata OneSign Single Sign-On will create hard to crack passwords, store them, and automatically fill in your information when you go to the application of your choice.

• Encrypt sensitive organizational emails: McAfee SaaS Email Protection & Continuity will allow your organization to protect confidential outbound email with gateway-to-gateway encryption. Also, McAfee SaaS Email Archiving will provide encrypted storage of old emails in the cloud.

• If using Windows XP, upgrade your operating system: Microsoft ended support for Windows XP on April 8, 2014, which means they will no longer be offering security updates. Unpatched operating systems leave computers vulnerable to malware that can damage, leak, or even wipe out patient data. Your organization should update computer operating systems to Windows 7 or 8 to ensure continued security updates.

 

SwiftTech Solutions can help your organization follow HIPAA compliance data protection standards. Our IT consultants can help your organization with weekly HIPAA preparation audits, O.S. vulnerability inspections, external intrustion testing, and much more.  You can call 877-794-3811 or email This email address is being protected from spambots. You need JavaScript enabled to view it. for a free analysis.

 

SOURCES

YourDictionary.com. Examples of HIPAA Violations. Retrieved from: http://examples.yourdictionary.com/examples-of-hipaa-violations.html

Wlodarz, D. 5 big myths surrounding computer security and HIPAA compliance. (2013, September). Retrieved from: http://betanews.com/2013/09/02/5-big-myths-surrounding-computer-security-and-hipaa-compliance/

Kibbe, D. Ten Steps to HIPAA Security Compliance. (2005, April 12). Retrieved from: http://www.aafp.org/fpm/2005/0400/p43.html#

American Medical Association. HIPAA Violations and Enforcement. Retrieved from: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page?

Imprivata. Authentification Management. Retrieved from: http://www.imprivata.com/products-solutions/authentication-access-management/authentication-management

 

Contact us at 877-794-3811 or [email protected] for Professional IT Support

get in touch