Don’t Wait to Get Caught: HIPAA Compliance Checklist
You may think you’ve got HIPAA down. After all, the Health Insurance Portability and Accountability Act has been around since 1996.
But the same Internet Age that brought you so many new and convenient ways of storing and sharing information can lead to a HIPAA nightmare if you’re not careful. And the law’s updated Privacy Rule — effective as of April 2013 after a pilot program the previous year — adds another layer to the regulations that can throw you for a loop.
The consequences can be both embarrassing and severe. In one high-profile case, Affinity Health Plan had to pay a $1.2 million settlement after it returned leased photocopiers without removing the health data of up to 344,579 patients from the copiers’ hard drives. Affinity found out about the breach when CBS bought one of the former Affinity copiers as part of an investigation. The government then investigated and assessed the fine.
The feds aren’t just going after the Big Guys. An Arizona cardiologists group with just five physicians was fined $100,000 after posting patients’ appointments on a publicly accessible website.
A solo practitioner urologist was cited after his office mistakenly faxed an HIV patient’s medical records to the patient’s new employer instead of to his new physician. Since the mistake was unintentional, he wasn’t fined, but his office had to take additional compliance training and change its procedures, and it suffered a well-publicized black eye.
Don’t let it happen to you. Follow these simple steps to ensure that your HIPAA compliance plan is as rigorous as it can be:
- Set a schedule for reviewing your HIPAA policies regularly to make sure they’re up to date. As technology changes, the ways in which you need to secure your patient data do, too. And newly-publicized violations may reveal a gap in your own policy that you need to remedy before it’s too late.
- Hold periodic training sessions for all staff, not just new staff. Even if people remember the rules, training reinforces their importance and makes lax behavior less likely.
- Hope for the best, but plan for the worst. Learn the reporting procedures to use if you discover a breach, and develop a plan to mitigate the damage by reaching out immediately to those affected by the violation.
- Consider hiring a compliance consultant. HIPAA’s regulations are complex and range from mandatory rules to suggested best practices. Some relate to the IT world in ways that may be unfamiliar to you. Better safe than sorry.
- Pay attention to HIPAA news. Changes to the law and nuances in its interpretation can happen at any time. Don’t wait for your next review period to examine your policy for ongoing changes that may affect it.
- Use your common sense and be vigilant. Be cautious about discussing patients where others can overhear, always log off computers and websites when you step away, and don’t use weak or shared passwords.
Still feel complacent about HIPAA? Read about some of the violations to get your mind right.
To learn more about the ins and outs of the law, check out the government’s HIPAA Privacy and Security Toolkit.