As a healthcare provider, you’re legally obligated to comply with the Health Insurance Portability and Liability Act (HIPAA), a federal law that sets standards to secure patients’ Private Health Information (PHI).
In modern society, maintaining HIPAA compliance has become increasingly more difficult — and technologically driven — than ever before. A few decades past, all patients records for clinics and hospitals were physical documents stored in one place. Now, electronic records and electronic data storage are supplementing (and in many aspects overtaking) paper documents. And while the electronic shift has made storing, accessing, and transmitting patient information faster, easier, and more efficient, it’s also opened new avenues for breaches and hacking.
If your HIPAA safety measures have been running on autopilot for a while, now is a great time to review your policies and procedures to ensure you’re providing the highest level of protection to your patients’ personal, private data. Keep reading to learn more about who needs to be HIPAA compliant, and the physical, technical, and administrative safeguards your facility should have in place.
Who Needs to Be HIPAA-Compliant?
Under HIPAA, two types of facilities must maintain HIPAA compliance.
- Covered entities. A covered entity is an organization that creates, maintains, or transmits PHI. Covered entities include health care providers, health care clearinghouses, and health plan providers.
- Business associates. Business associates are people or businesses that provide a service to covered entities and have access to view, manage, or transmit PHI. Business associates include lawyers, accountants, billing companies, IT contractors, EHR platforms, cloud storage platforms, email hosting, and encryption platforms, and others.
Physical Safeguards
Physical safeguards are concerned with protecting PHI wherever it’s accessible — whether that’s a workstation, mobile phone, or computer.
- Access control. Hard drives and physical records containing PHI should be stored in a secure place and safeguarded with an access control system. An electronic access control system that requires a PIN, keycard swipe, or biometric scan to enter an area can help you keep track of who’s entering and exiting the record room. Additionally, access control helps prevent tampering and theft.
- Workstation protections. Your facility needs to devise policies to ensure PHI is handled safely in employee workstations. For example, electronic record programs shouldn’t be open or visible when employees aren’t using them, and paper records shouldn’t be left unattended at workstations.
- Mobile device protection. Today, it’s not uncommon for employees to have access to patient records and other sensitive information on their mobile phones. If your employees use their phones to view PHI, make sure your facility has a policy for removing said PHI from mobile devices if an employee leaves the organization.
- Hardware inventory. Your facility should have a thorough inventory of all hardware that either has PHI (like hard drives) or can access it (like desktop computers and laptops). Your inventory control system should include a record of movement for all devices. Keeping inventory and tracking company hardware has become more critical than ever with more people working from home and managing sensitive information on company-issued or personal laptops.
- Record disposal. Make sure any records containing PHI — both physical and electronic records — are disposed of properly when the time comes. For electronic records, that means wiping hard drives, computers, and mobile phones before disposal. For physical records, that means shredding documents using a shredder with a high-security level (level 4 or higher).
Technical Safeguards
With more patient data and records moving into digital storage, your facility needs technical safeguards to protect PHI on hard drives, computers, and the cloud.
- Password protection. All authorized employees should have strong, unique credentials (like a username and password or PIN) to access platforms with PHI. If your program allows two-factor authentication, enable that feature for the second layer of protection.
- Encryption. All devices containing PHI — like laptops, desktop computers, mobile phones, and flash drives — should be equipped with proper encryption protocols to safeguard private information. If a company laptop or flash drive is stolen, encryption can prevent a thief from accessing private health data. Additionally, emails should have proper encryption/decryption protocols as well to transmit messages with PHI securely.
- Electronic backups. Make and store electronic backups of paper records in a secure, cloud-based location. Having a second copy of records ensures that you won’t lose patients’ private information in the event of a physical emergency, like a fire in the office.
- Time-out settings. Enable automatic log-outs on employee devices after a specific period of time. This ensures that PHI won’t fall into the wrong hands if an employee leaves a laptop or mobile phone unattended.
- Network security. Make sure your office network is protected with a unique username and password, encryption, and firewalls to prevent a hacker from accessing your connected devices.
- Activity logs. Your facility should implement activity logs to track who is accessing PHI and what they’re doing with the information. Additionally, all activity logs should keep a record of any attempts to change or delete patients’ personal data.
Administrative and Training Safeguards
Your facility needs robust policies and procedures centered on keeping PHI safe and protected.
- Risk assessments. Your facility should compile a thorough risk assessment to determine all the areas where private health information is at risk of being exposed, stolen, or deleted. A comprehensive analysis of your facility’s protocols can help you identify areas of weakness where stronger protections need to be placed. Risk assessments should be conducted routinely to make sure your ongoing security measures are still adequate to protect patients’ private information.
- Emergency planning. A power surge that wipes out your hard drive. A fire that destroys your physical copies of PHI. Emergencies can happen at any time, and your facility needs to be prepared to handle anything that arises. Emergency planning includes creating protocols for maintaining operations, protecting patient data, and accessing critical patient records during emergency mode.
- Data breach response planning. If a data breach occurs, your facility must be prepared to react quickly and decisively. You need to have protocols in place for reporting the breach, notifying the appropriate patients, and re-securing sensitive data. Make sure you designate an individual responsible for implementing each part of the response plan when the time comes. And review your response plans regularly to make updates and changes.
- Staff training. Conduct and document regular training to ensure that all staff members are up-to-date on best practices for maintaining HIPAA compliance and preventing data breaches.
Third-Party Safeguards
Third-party safeguards ensure that patients’ private data remains safe and secure when it travels beyond your facility and into the hands of your business partners.
- Business Associate Agreements. Any business partners who need access to your facility’s PHI must sign a Business Associate Agreement acknowledging that they’ll follow all HIPAA regulations to protect private patient information.
- Documentation. All transfers of PHI between you and your business partners should be properly documented.
Learn More About NewGen Marketing
The NewGen Marketing team has years of experience driving sales and business growth for industry-leading health care brands. We recognize the value of integrating multi-channel marketing campaigns with a proven acquisition and nurturing process that turns leads into patient conversions and treatments.
We provide broad-spectrum medical marketing services, including strategy and investment, analytics, paid media, social media, remarketing, content marketing, and acquisition and call centers. When you’re ready to hire a marketing agency that can drive more to your bottom line, contact NewGen Marketing for a free consultation.