The rules for HIPAA (Health Insurance Portability and Accountability Act) are very clear. If you collect and use PHI (Protected Health Information) from your patients or from healthcare providers’ patients, you must protect this information. You must follow the HIPAA security policies.
Although the rule itself is straightforward, the methods you should employ to protect PHI are not. HIPAA lays out the rules for protecting the data and the punishments for failing to protect it. However, HIPAA does not tell you how to protect the information.
This gives your organization the opportunity to set up your HIPAA security policies to fit your specific situation. You can use our HIPAA security policy templates to pick up some of the basic steps you should follow to protect PHI under HIPAA regulations. You then can tweak these templates to match your needs and requirements.
Checklist for HIPAA Compliance
One of the best ways to begin setting up your HIPAA security policy is to implement a checklist that gives your team assurances that it is adhering to HIPAA policies. On a regular basis, you should go through the checklist with your security team, ensuring you are meeting each of the items on the checklist.
To create a checklist for HIPAA compliance, you will want to include tasks that fall under administrative, physical, and technology areas.
Administrators will need to set rules and procedures that will be part of your HIPAA security policies. Some of the procedures that should be part of the administrative tasks in your checklist will include:
- Set policies: Administrators should create overall policies that address all potential risks to PHI, that set the level of protection required for PHI, and that address handling any violations of these rules.
- Create reporting procedures: When an employee spots a potential violation to your HIPAA security policies, administrators should create a list of steps the employee can follow. These steps should indicate how to file a report and who should receive the report. The steps also should indicate how administrators will respond to such reports.
- Determine PHI accessibility: Administrators can create rules to determine which employees may access PHI. It is better to assign PHI access to people with certain job titles and responsibilities, rather than assigning PHI access person by person.
- Set up training and testing: Create a schedule for training employees on the rules and regulations for protecting PHI and for maintaining compliance with HIPAA. Then set up a schedule to stress test the organization on scenarios involving the use of PHI.
- Create an emergency plan: If you lose access to your network, you need to have an emergency response plan in place that addresses how you will continue working. This plan should also indicate how you will maintain the security policies for PHI, even when working in emergency situations.
Physical tasks that can be part of your HIPAA security policy checklist include:
- Access to the servers: When storing PHI on your network servers, you will want to have physical locks and access code tracking to keep unauthorized users out of the server room.
- Workstations: Any desktop computer or other stationary device that specifically accesses PHI needs to have physical safeguards installed on it. You may want to block access to any USB ports, for example.
- Mobile devices: Some organizations allow employees to gain access to PHI using mobile devices on the network. If so, you will want policies in place that describe how to delete any PHI off the device after each log-in session.
- Keep a hardware inventory: As part of protecting PHI, you need to have an up-to-date inventory of all hardware items that could access or store PHI, including servers, computers, mobile devices, portable USB drives, backup storage devices, and other hardware.
Some of the tasks on the checklist that can be part of the technology in use with your HIPAA security policy include:
- Unique log-in credentials: Force employees to log in before they can access PHI, so you always know who is accessing this information.
- Control the log-in process: You may want to require two-factor authentication and certain levels of password strength with the log-in process. You also may want to automatically log out users after a certain period of time to protect the data.
- Track activity through logs: You should have software available that can create activity logs to show how employees are using the health information of patients.
- Authenticating file changes: Make use of software to track any data changes that occur in files that contain PHI, so you know whether someone made unapproved edits to this information.
- Encrypt the data: If you will be sending PHI to other organizations or to the patient via email or a patient portal, you need to have encryption policies in place.
- Emergency PHI access: Should employees need to be able to access PHI in an emergency situation, you should have a policy in place for this need.
Performing HIPAA Risk Assessments
Those entities that must follow HIPAA regulations also must conduct periodic risk assessments for how they are protecting PHI. This is part of HIPAA law.
Should you suffer a data breach that involves PHI, you need to be able to prove that you performed regular risk assessments. If you cannot show this evidence, your penalties and fines could be far larger, because prosecutors will consider this a case of willful negligence.
Your risk assessment related to HIPAA should include the following categories of tasks.
Check-in of Patients
When checking in patients, you will be collecting quite a bit of data that falls under PHI. You need to be certain you are collecting this information in a safe manner that doesn’t create potential exposure.
Additionally, you will need to have patients acknowledge receipt of and sign a Notice of Privacy Practices. You also may need to have the patient sign an authorization form, allowing you to share PHI with third parties who need it. You must have someone available to answer any questions the patient may have about how you will be making use of the patient’s PHI.
If a returning patient already has PHI stored at your facility, you must have policies in place that verify the patient’s identity at the time of check-in. This could include asking to see a photo ID.
The same rules apply when sharing information over the telephone. You must have policies in place that verify the identification of the patient first, such as by requesting a date of birth as proof.
Securing Medical Records
If maintaining printed files containing medical records, you need to make sure the record storage occurs in a secure room. Only employees who need to be able to use these records should have the ability to gain access to the room.
For digital medical records, you should have safeguards on these computer files that require staff members to log in to see the records. Include software that tracks activity related to these medical record files too. You then will know who is viewing the records and what they are doing with them.
HIPAA regulations require the destruction of medical records after a certain period of time. You should have policies in place that determine how and when you will destroy old medical records.
Discussions in Common Areas
Another part of risk assessment occurs in determining where and how staff members may discuss a patient’s PHI. Training and reminders can help staff members understand the importance of only discussing PHI in areas that are completely private.
Staff members should not discuss a patient’s health history or diagnosis in areas where others could hear it, such as in hallways, in reception areas, or on telephone calls in these areas.
Along those same lines, when discussing a patient’s health inside an exam room, staff members should close the door for privacy.
Don’t leave printed test results, X-ray scans, or digital test results visible on a desk or computer screen where others could see it.
Training of Your Employees
One of the biggest risks to PHI is your employees and human error. What may seem like a harmless or simple mistake could expose a significant amount of PHI, leaving you vulnerable to major HIPAA regulation violations.
Part of any risk assessment program should include training for your employees on privacy regulations under HIPAA. Training programs should occur regularly. You should document all these training sessions to show compliance with HIPAA regulations.
You also should have information about your HIPAA security policies and the steps employees should follow inside an easily accessible employee handbook. Kee this handbook up to date with any changes in policies as they occur.
Use of Business Associate Agreements
Any organization that must follow HIPAA rules because it handles PHI also must follow certain rules when sharing this data with other partner companies. HIPAA refers to the company that is sharing the PHI as the CE (covered entity) and the partner company that is receiving the data as the BA (business associate).
As a CE, you will need to have the BA sign a BAA (Business Associate Agreement). If you believe you may share PHI with the BA, you will need to have a signed BAA in hand. You cannot share this information until the BAA is in place. The BAA must include certain items, including descriptions of:
- The permissions the BA has for using your PHI
- The safeguards the BA has in place for protecting the PHI
- The procedures the BA will use to report any breaches involving PHI
- The processes by which the BA will destroy the PHI after using it
Your team will need to work with the BA to develop the BAA, ensuring both of you are on the same page regarding protecting PHI. The BAA must be usable for both the CE and the BA to deliver the desired results. Specifics for developing the BAA include the following.
Under HIPAA rules, the BAA must agree to only use the PHI for medical purposes or to carry out functions related to the patient’s healthcare. You will want to use the agreement to describe the exact permitted uses for the PHI that the BA can perform.
The BA cannot use this information for marketing purposes or to develop an email campaign that targets the patient for other medical services and products.
As part of the BAA, the BA must spell out the safeguards it will have in place before it receives your patients’ PHI. Such items may need to include:
- A description of the risk assessment for PHI that the BA performs on an ongoing basis.
- A detailed list of any procedures and policies the BA has in place to protect the PHI.
- Documentation of training procedures the BA introduced to its employees regarding the safe handling and protection of PHI.
The BAA will spell out how and when the BA must report any data breach to the CE. Regardless of whether the breach of PHI occurred through an accidental exposure or through a data hack from the outside, the BAA must follow specific steps in reporting the breach to you.
When the BA finishes using the PHI, it must spell out exactly how it will destroy the PHI. In some cases, you as the CE may prefer that the BA should return the PHI.
Either way, the BAA must precisely spell out how the BA will handle the PHI after using it.
Other Items Related to the BAA
The BAA should include details about how often you and the BA will meet to review the items in the BAA. This ensures both sides are following the BAA precisely and can address any needed changes. A review of the BAA can occur anywhere from monthly to quarterly.
Finally, the BAA should also spell out the steps required to terminate the BAA. Because you as the CE originated the PHI, you as the CE also have the right to terminate the BAA without the approval of the BA. As part of these steps, you should spell out in the BAA the BA’s specific obligations for how it will handle the PHI as part of the termination process.
Checklist for Reporting HIPAA Security Breaches
Should a worst-case scenario occur and should you suffer a breach of PHI, you must have procedures in place as part of your HIPAA security policy to report and track these breaches.
Employees need the ability to be able to file a formal report about a potential breach as well, alerting administrators about the problem. Your security team then can investigate the situation further, determining whether the breach occurred and whether any PHI exposure occurred.
The report that spells out the potential data breach should include:
- Who discovered the breach
- How this person discovered the breach
- The type of information believed to be exposed
- What entities may have inadvertently viewed or received the PHI
- The number of patients involved
Once your security team receives the report about the potential breach, you should immediately begin taking steps to investigate the breach.
If you discover that a data breach actually occurred, you immediately should begin working to mitigate the effect of the breach. Your team should fully document the steps you take during your mitigation procedures.
After the exposure of patient data, HIPAA regulations require that you must notify all required parties. Document these notifications as well. You will need all this documented information during a potential investigation of your HIPAA violation.