The Health Insurance Portability and Accountability Act was developed in 1996 not only to make it simpler for people to maintain health insurance, but also to enhance the confidentiality and security of health care information. While it has been around for nearly two decades, full implementation of HIPAA is still very much under way, and providers have continued to make changes, from implementing new defenses to upgrading practice management software, in order to comply.
This is particularly true when it comes to privacy and security regulations, which have been major areas of focus as of late. Consider these must-know aspects of HIPAA's privacy and security rules that will most greatly affect practices' clinical and administrative processes:
"A goal of HIPAA is increasing defense of patient-identifiable information."
Access control procedures
One of the major goals of HIPAA is the increased defense of patient-identifiable information, which it has dubbed "protected health information" (PHI). Practices must implement specific procedures and policies that determine who can access sensitive data as well as certain software programs and equipment. These administrative measures include keeping patient files out of sight, using automated notifications for providers to close certain accounts and conducting frequent account audits.
Physical security enhancement
Policies related to physical precautions preventing PHI from getting into the wrong hands are a part of HIPAA's security and privacy rules. This covers policies that indicate who is allowed to access certain parts of the health care facility, particularly the server rooms, executive offices and other priority areas. As such, practices may have to increase security, implementing personnel badges, access logs and key codes to protect PHI.
Better tracking of faxes
There's no doubt that fax machines are on their way out as meaningful use progresses and electronic documents become increasingly prominent in the health care environment. However, the disappearance of the fax machine is moving along slowly, and many providers continue to use it to send prescriptions to pharmacies and share handwritten notes with other physicians. For that reason, all faxes must be carefully tracked and the identity of the recipient must be verified to meet HIPAA regulations.
HIPAA requires all health care personnel to undergo training in security and privacy measures.
Mandatory security training
HIPAA requires extensive training and awareness programs for all health care personnel, including new hire courses and annual refreshers. The U.S. Department of Health & Human Services offers six instructional programs on HIPAA privacy and security compliance, and these count toward physicians' and other health care professionals' continuing education credits necessary for maintaining licensure or certification. Practices should also send out security reminders regularly as well as updates about concerns within the organization and potential threats.
"HIPAA gives patients the right to see their health records."
In the case that PHI is lost, misplaced or hacked, practices must have plans in place in case of an emergency. For example, there must be a backup power source for when the power goes out as well as data backup and recovery solutions in case a server goes down. Such procedures must be regularly tested and outlined for review by the Office of Civil Rights to ensure HIPAA compliance.
Better patient access
HIPAA gives patients the right to see their own health care information. They can do so by requesting electronic copies of their health records, which doctors must provide within 30 days. This can be time-consuming and particularly rough on small practices with fewer resources. Fortunately, technological advancements have provided a solution: Nextech's NextWeb is a HIPAA-compliant portal that allows patients to request information electronically, and follow-up is automatically set.