Ignorance is not an acceptable excuse for a Health Insurance Portability and Accountability Act (HIPAA) violation.
Just like you are still liable if your taillight is busted, whether you knew about it or not, the security of your patient's health records is your responsibility. Ensuring you've met all the requirements on your HIPAA compliance checklist keeps you and your business in the green.
With the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA covered entities were incentivized to adopt technological solutions that would increase the security of patient data and reduce the risk of unauthorized access.
Naturally, there are some challenges when it comes to adopting new technology – not least in terms of capital investment – which is why cloud services providers make valuable partners for businesses in the healthcare industry.
Since compliance is an ongoing activity, it helps to have a checklist that your HIPAA security or compliance officer can use to review your electronic communications compliance level.
We provide a free HIPAA compliance checklist, which you can download here.
In this article, we go through the various items you’ll find on that checklist and explain their relationship to HIPAA requirements.
When Choosing an IT Service Provider, What Compliance Issues Should Concern You?
When dealing with an IT service provider, the first thing to ensure compliance is to initiate a Business Associate Agreement (BAA).
A BAA binds the provider to the same HIPAA requirements that bind you. This means that their internal policies and procedures are designed to protect all patient information in their custody.
You can read more on the Department of Health and Human Services (HHS) requirements for cloud service providers (CSPs) here.
Although the entirety of HIPAA applies to your service provider, we will concentrate on the preventive measures that can be put in place to ensure compliance.
There are two main areas that we will examine – the HIPAA Security Rule and the HIPAA Privacy Rule.
The Security Rule was established to protect electronic Private Health Information (ePHI) created, received, used, or maintained by a HIPAA-covered entity. It comprises three parts: technical safeguards, physical safeguards and administrative safeguards.
For this article, we will focus on technical and administrative safeguards.
- Implement a means of Access control: This includes the use of passwords and procedures to govern the release or disclosure of ePHI.
- Introduce measures to authenticate ePHI: Ensuring the integrity of patient records is mandatory. Your service provider needs to ensure that no unauthorized alterations have been made to the documents in transit or storage.
- Implement tools for encryption and decryption: People get their hands on private information by accessing unencrypted messages on a device. As long as your information is encrypted, the loss of a gadget won't qualify as a HIPAA violation because the third party cannot access the relevant information without a decryption key.
One of the most common violations lies in the lack of risk assessments. Just like conducting fire drills and safety checks in the absence of a fire, you are required to analyze your business environment for potential risks continuously. The lack of an incident will not save you from penalization.
Under the risk assessments, you need to identify every area in which ePHI is being used and highlight any possible areas that could lead to a breach. That's why it is advisable to have a checklist.
The HHS’s Office of Civil Rights (OCR) has recently devoted resources to responding to complaints about access to personal health records.
This part of HIPAA ensures that patients can access their health records within 30 days of making a request. It also provides that unauthorized persons don't view the communication of PHI.
How Does a HIPAA Checklist Help You Address These Requirements?
The key to safeguarding information is encryption. Even though HIPAA does not make encryption mandatory, the covered entity must show that they have put inadequate measures to ensure information security. In reality, encryption is the only practical way to ensure the necessary security, making it the preferred security measure.
Requirements of the Healthcare Organization
The first part of the checklist looks at the use of encrypted technology:
- Are your email servers encrypted?
- Do you use encrypted file-sharing technology when sending large files outside the organization's network?
- Are employee emails sent outside the organization's network encrypted?
For emails between employees:
- Are they emailing from the organization's server, or are they using remote access, e.g., Outlook Web Access?
In the case of remote access, the emails need to be encrypted, so your staff need to have the right software to do that.
Requirements When Dealing with Patients
This is where the Privacy Rule comes into play. Healthcare providers need to find a safe way to relay sensitive information to patients.
When communicating with the patient:
- Do you have a procedure to alert the patient on the risk of sharing their PHI via unsecured sources?
- Do you have their explicit permission to use an unencrypted email if that is their preference?
- Do you have an alternative encrypted method of providing information to the patient?
Once you incorporate the regulations into your policies and procedures, HIPAA compliance becomes a part of your operation. Tools like our compliance checklist help you conduct thorough risk assessments and identify possible gaps that require remedying.
For more information on HIPAA compliance and our HIPAA compliance data backup, recovery and encrypted file sharing solutions, talk to us here at Central Data Storage. Call 1-888-907-1227, or email email@example.com.
In the meantime, download your free HIPAA Compliance Checklist today.