HIPAA COMPLIANCE EXPERTS

HIPAA Compliance Blog

Keeping Medical Records Private 101: How to Follow HIPAA

by Yenny (SU)

HIPAA (the Health Insurance Portability and Accountability Act) became law in 1996 and overhauled the requirements and practices that protect patient rights, privacy, and security. Where earlier rules had been unclear or, in some cases, insufficient, HIPAA created a single, federally mandated and regulated standard. The healthcare businesses that must comply, however, still have to navigate a complex set of rules and make sure the regulations are actually being followed.

Who needs to follow HIPAA?

The first question is: do you need to comply with HIPAA? A "Covered Entity" under HIPAA includes any person or company that provides medical, dental, or other healthcare services and transmits the protected health information (PHI) of patients electronically; health plans and healthcare clearinghouses are covered entities as well. For a provider, electronic transmission could mean sending prescriptions to pharmacies, bills to insurance companies, or emails to patients. HIPAA also reaches any vendor that creates, transmits, receives, or stores PHI on behalf of a Covered Entity. These vendors are known as "Business Associates" and include EMR/EHR services, information technology support, data analytics firms, health app developers, and, in some cases, web hosting companies. Any organization that handles or sends PHI in electronic form must comply with HIPAA.

What steps do I need to take?

If you or your company is a covered entity or a business associate under HIPAA, it is your responsibility to keep protected health information secure by following the HIPAA Security Standards and Implementation Specifications. These include:

· Developing written privacy and security policies. Before this step, become familiar with the law itself so that the policies you write are comprehensive.

· Designating a privacy officer and a security officer. No matter how small the organization, these officers must be appointed, and they are responsible for HIPAA compliance.

· Conducting an annual risk assessment and recording the findings. The assessment must be documented, accurate, and comprehensive in identifying the threats and vulnerabilities that affect PHI.

· Developing information assurance policies for the electronic transmission of communications, including email and the use of mobile devices that can access PHI.

· If you are a covered healthcare provider, distributing a notice of privacy practices to all new patients.

· Signing Business Associate Agreements with any outside company that will have access to PHI.

· Developing and implementing a breach response procedure, including how to determine the scope of a breach and the notification deadlines that apply.

Demonstrating HIPAA compliance

Your organization must be able to prove that you and your employees are following the rules set out in HIPAA. If a security breach occurs and PHI is improperly handled or disclosed, the resulting investigation may lead to a penalty or to a settlement agreement that includes a required corrective action plan. It is important to understand that the burden of demonstrating compliance rests with the organization.

You will have to show that your organization has conducted a HIPAA risk assessment, has provided annual training to the whole workforce, and has written policies and procedures for protecting PHI.

We can help

Even large organizations struggle to find in-house resources who are educated and have the bandwidth to tackle HIPAA compliance. With leadership experienced in government regulatory requirements, Colington Consultants helps businesses and practitioners achieve HIPAA compliance. Call (800) 733-6379 today to schedule a free, initial consultation.
