The Complete HIPAA Compliance Checklist for Specialty Practices
By: Courtney Tesvich | June 3rd, 2025


You’re working hard to build a successful practice where patients feel safe, cared for, and respected. Part of earning that trust is making sure their private health information stays private.
Of course, there’s more than patient trust on the line — not protecting patient data can put you on the wrong side of state and federal law.
In modern health care, technology plays a vital role in safeguarding patient privacy. With the right tools and rules, you can protect your patients and comply with HIPAA, the federal law regulating healthcare information.
HIPAA compliance means establishing administrative, physical, and technical safeguards to meet the law’s requirements. A checklist like the one below helps you ensure nothing falls through the cracks.
What Your Practice Needs to Know About HIPAA: The Basics
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires health care providers to safeguard protected health information (PHI).
PHI is information about health, healthcare, or medical payments that can be connected to a specific person.
For example, while “a mole” is de-identified health information, “Cindy Crawford’s mole” is PHI — it includes identifying information (a name) that connects the health information to a specific person.
HIPAA is made up of five rules: the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Omnibus Rule.
The Enforcement Rule outlines the penalties for violations, and the Omnibus Rule applies to businesses working with healthcare providers.
As a provider, your practice needs to concern itself with the first three rules: privacy, security, and breach notification.
- The HIPAA Privacy Rule lays out the acceptable use and disclosure of PHI. It defines what information is private, how it can be de-identified, when disclosure is permitted or required, and when disclosure is allowed with the patient’s permission.
- The HIPAA Security Rule regulates access to PHI. It sets forth the specific standards administrative, physical, and technical safeguards must meet to comply with the law.
- The HIPAA Breach Notification Rule outlines the actions your practice is required to take in the event of a data breach. It states who you must notify, how, and in what time frame. It also defines “breach” so you know whether a security lapse requires notification at all.
Who Is Required to Follow HIPAA?
HIPAA compliance isn’t limited to healthcare providers. Any business or entity that has access to PHI is required to follow HIPAA regulations.
In addition to insurers and healthcare clearinghouses, this includes vendors who serve your practice, such as billing services, claims processors, and software providers.
Sharing PHI outside your practice requires a Business Associate Agreement (BAA). Before contracting with any vendor who could access your patients’ PHI, review their HIPAA compliance practices to be sure you are putting your patient data in good hands.
What Happens If You Don’t Comply With HIPAA?
Failure to comply with HIPAA can have serious consequences.
First, there are the tangible impacts. A practice that violates HIPAA is subject to fines of up to $2 million. The individuals responsible for the violation could face criminal charges.
Second, there is the reputational impact. Even if a practice emerges from a HIPAA scandal with its business and licensing intact, it will have a hard time rebuilding the lost trust with patients whose data was exposed.
States May Impose Additional Privacy Regulations
Since HIPAA is a federal law, it applies equally across states. Some states, however, decided the law doesn’t go far enough and passed their own legislation on top of it.
For example, Texas has stricter data privacy training requirements than HIPAA, while New York demands broader notification in the event of a breach.
Once your practice has met all HIPAA requirements, be sure to check with your state medical board for any additional regulations.
HIPAA Compliance Mistakes to Avoid
It’s impossible to plan for everything, but there are some common mistakes that put your practice at risk of violating HIPAA.
Accidental Breaches
When most people think about “data breaches,” they imagine hackers breaking through cybersecurity.
While it is important to guard against that criminal activity, the truth is, most data breaches can be traced to innocent mistakes made by a provider’s own team.
Mistakes like …
- Leaving workstations unlocked
- Having PHI on unsecured devices like personal laptops and cellphones
- Accidentally sending PHI to the wrong person
- Talking about PHI in a public location
- Mentioning PHI when posting a story on social media
… can lead to unauthorized people getting access to private patient data.
Make sure your staff receives training on data privacy and understands why it’s so important they take it seriously.
Artificial Intelligence
Uses for AI in healthcare include valuable support for diagnoses and clinical decision-making. But unless users are careful about what they feed into it, the new technology can quickly run afoul of HIPAA guidelines.
When you feed data such as diagnostic images into an AI tool, the tool doesn’t just answer your question and forget the input. The image is incorporated into its learning set — and unless it has been de-identified, so is the associated PHI.
HIPAA offers guidelines for de-identifying patient data, including 18 identifiers that should be stripped to create a “safe harbor.”
Before entering patient data into an AI tool, be sure it is de-identified or that the patient has given informed consent to the data release.
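As an added illustration of the Safe Harbor de-identification described above (this code is not from the article or from Nextech), the Python below takes a record in an assumed schema, drops the structured direct-identifier fields, generalizes dates to the year, collapses ages over 89, truncates ZIP codes, and then scans free-text notes for identifiers that commonly leak through. The `find_residual_identifiers` check is the gate a practice would want in front of any external AI tool. The sample record, the field names, the MRN format, and the restricted-ZIP set are all constructed for this example; the authoritative ZIP list comes from HHS guidance.

```python
import re

# Constructed sample record for this example; not real patient data.
SAMPLE_RECORD = {
    "name": "Cindy Crawford",
    "dob": "1966-02-20",
    "age": 92,
    "zip": "90210",
    "phone": "(310) 555-0142",
    "email": "cindy@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0048213",
    "ip_address": "203.0.113.7",
    "visit_date": "2025-05-14",
    "diagnosis": "benign nevus, left cheek",
    "notes": "Patient Cindy Crawford (MRN-0048213) called from 310-555-0142; follow-up 05/14/2025.",
}

# Structured fields holding Safe Harbor direct identifiers; dropped outright.
# The field names are assumptions about the record schema, not HIPAA terminology.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}
DATE_FIELDS = {"dob", "visit_date", "admit_date", "discharge_date"}

# Safe Harbor keeps only the first three ZIP digits, and only when that 3-digit area
# holds more than 20,000 people. This set is a placeholder; use the list from HHS guidance.
RESTRICTED_ZIP3_EXAMPLE = {"036", "059"}

# Identifier patterns that commonly leak into free text: (label, regex, replacement).
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("MRN", re.compile(r"\bMRN-?\d+\b"), "[MRN]"),  # constructed MRN format for this example
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"), "[PHONE]"),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"\1"),  # keep the year only
    ("DATE", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
]


def generalize_date(iso_date):
    """Reduce YYYY-MM-DD to the year, the only date element Safe Harbor allows."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", iso_date)
    if not m:
        raise ValueError(f"expected YYYY-MM-DD, got {iso_date!r}")
    return m.group(1)


def generalize_age(age):
    """Ages over 89 are collapsed into a single '90+' category."""
    return "90+" if age > 89 else age


def generalize_zip(zip_code, restricted_zip3):
    """Keep the 3-digit prefix, or '000' for sparsely populated prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in restricted_zip3 else prefix


def scrub_free_text(text, names=()):
    """Redact known names first, then every pattern-matchable identifier."""
    for name in names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    for _label, regex, replacement in PATTERNS:
        text = regex.sub(replacement, text)
    return text


def find_residual_identifiers(text):
    """Labels of identifier patterns still present; an empty list means the text passed the gate."""
    found = []
    for label, regex, _replacement in PATTERNS:
        if regex.search(text) and label not in found:
            found.append(label)
    return found


def deidentify(record, restricted_zip3=RESTRICTED_ZIP3_EXAMPLE):
    """Apply Safe Harbor removals and generalizations to one record; returns a new dict."""
    names = [record["name"]] if "name" in record else []
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "dob" and over_89:
            out[key] = "[YEAR WITHHELD]"  # even a birth year would reveal an age over 89
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value, restricted_zip3)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value, names)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers in notes:", find_residual_identifiers(clean["notes"]))
```

Pattern matching catches the identifiers that have a recognisable shape; it cannot catch a nickname, an employer, or a rare diagnosis that identifies someone on its own, which is why Safe Harbor's final item ("any other unique identifying number, characteristic, or code") still needs a human reviewer or the patient's informed consent.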
Third-Party Data Flows
The vendors and subcontractors working with your practice are covered by HIPAA as business associates. To fully protect your patient data, however, you need to know if those associates are pushing data out to third parties.
For example, a software vendor that stores your data in a third-party cloud hosting service might make it vulnerable to unauthorized access.
Cloud-based services are generally more secure than keeping records on site. When vetting companies who will not only access but manage your data, ask whether they have their own proprietary, HIPAA-compliant cloud server.
How to Keep Your Specialty Practice HIPAA Compliant
HIPAA requires your practice to implement physical, administrative, and technical safeguards to protect data.
Another way to think about this is in terms of the people, processes, and technology that will keep patient data safe.
Protecting PHI With People on Your Staff
Your people can be your first line of defense or your weakest link. Train and educate your team so every person understands what is required and why.
At a minimum, HIPAA requires all employees, volunteers, and anyone else who performs work for your practice to be trained on your HIPAA-compliant policies and procedures.
Talk about HIPAA often in team meetings. Post notes around the office offering visible reminders to take actions like locking down workstations when they’re not in use.
The Privacy Rule requires you to designate a privacy officer on your team. That person is responsible for:
- Developing, documenting, and enforcing policies and procedures
- Scheduling and managing workforce training
- Conducting security audits
- Investigating possible breaches
- Reporting confirmed breaches
- Creating and implementing a disaster recovery plan
Protecting PHI With Processes
Your processes put your HIPAA compliance plan into action. Start with a risk assessment that evaluates the security of your existing policies and procedures. Reassess risks on a regular basis and any time new business associates or technology is introduced.
Develop policies that spell out where and how PHI is stored, how it’s used, who has access, and how that access is granted. You will also need a process for notifying patients about their rights to their own records.
HIPAA’s “minimum necessary” standard says each person on your staff should have access only to the information required to do their job. They should not be able to access that information outside of their job.
You also need to plan for the worst: a breach. In the event there is a HIPAA violation, have a documented plan for how you’ll respond, from notifying patients to disciplining the violator.
Protecting PHI With Technology
Technology is a critical component in HIPAA compliance. It applies to everything from video surveillance to data encryption.
Outline the physical and technical safeguards you will use to protect PHI. Consider tools like:
- Video surveillance
- Doors that require a passcode or badge swipe to unlock
- Restricted data access
- Two-factor authentication
- Automated data logs that record who accessed records
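To show how the "minimum necessary" standard, multi-factor authentication, and automated access logs fit together in code, here is an added Python example (not from the article or from Nextech). A role may read only the chart fields its job needs, a request without a verified second factor is refused, and every decision, granted or denied, lands in an audit log that two small report functions then summarise. The chart contents, role names, field sets, and the review threshold are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed chart for this example; not real patient data.
CHART = {
    "patient_id": "P-1001",
    "name": "Sample Patient",
    "dob": "1980-03-05",
    "insurance_id": "HP-55-8812",
    "balance_due": 120.0,
    "diagnosis": "acne vulgaris",
    "medications": ["doxycycline 100 mg daily"],
    "clinical_notes": "Improving on current regimen; recheck in 8 weeks.",
}

# Minimum-necessary policy: each role may read only the fields its job requires.
# Roles and field sets are assumptions for this example, not a HIPAA-mandated list.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis", "medications", "clinical_notes"},
    "billing": {"patient_id", "name", "dob", "insurance_id", "balance_due"},
    "front_desk": {"patient_id", "name", "dob"},
}


class AccessDenied(Exception):
    """Raised when a request fails the MFA or minimum-necessary check."""


def access_chart(user, role, chart, fields, purpose, mfa_verified, audit_log):
    """Return only the requested fields the role may see, and log every decision.

    Denials are logged as well: repeated denials are one of the earliest signs of a
    compromised account or of a staff member looking at records outside their job.
    """
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": chart["patient_id"],
        "requested": sorted(fields),
        "purpose": purpose,
    }
    if not mfa_verified:
        entry["outcome"] = "denied:mfa_required"
        audit_log.append(entry)
        raise AccessDenied("second factor not verified")

    # Refuse the whole request rather than silently trimming it, so the requester
    # learns the policy and the log shows exactly what was asked for.
    disallowed = sorted(set(fields) - ROLE_FIELDS.get(role, set()))
    if disallowed:
        entry["outcome"] = "denied:minimum_necessary"
        entry["disallowed"] = disallowed
        audit_log.append(entry)
        raise AccessDenied(f"role {role!r} may not read {disallowed}")

    entry["outcome"] = "granted"
    audit_log.append(entry)
    return {f: chart[f] for f in fields}


def denied_attempts_by_user(audit_log):
    """Denials per user, for whoever reviews the access log."""
    return Counter(e["user"] for e in audit_log if e["outcome"].startswith("denied"))


def users_over_patient_threshold(audit_log, max_patients):
    """Users who read more distinct charts than the (assumed) threshold allows."""
    seen = {}
    for e in audit_log:
        if e["outcome"] == "granted":
            seen.setdefault(e["user"], set()).add(e["patient_id"])
    return sorted(u for u, patients in seen.items() if len(patients) > max_patients)


if __name__ == "__main__":
    log = []
    print(access_chart("dr_lee", "clinician", CHART, ["diagnosis", "medications"], "treatment", True, log))
    try:
        access_chart("clerk_a", "billing", CHART, ["diagnosis"], "billing", True, log)
    except AccessDenied as exc:
        print("denied:", exc)
    print(denied_attempts_by_user(log))
```

In a real deployment the audit log would go to append-only storage that application users cannot edit, and the threshold report would run on a schedule as part of the routine audits the checklist below asks about.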
HIPAA Compliance Checklist
People
- Do we have a policy that outlines the recording, maintenance, and monitoring of PHI?
- Do we have a Privacy Notice that informs patients of how PHI is stored and their right to obtain it?
- Do we have a process to investigate claims of noncompliance?
- What will we do if a breach occurs?
- What process will we follow to routinely audit our processes and assess new risks? How often will we conduct those audits?
- What is our process for determining who can access PHI, and under what circumstances?
- What is our records retention policy, and how will we securely dispose of old PHI?
- What will we do in the event of an emergency that damages the locations housing PHI?
- Have we done drills to test our emergency plans?
Technology
- Is PHI physically secure from unauthorized access?
- Are we monitoring who has access to facilities and workstations that can access PHI?
- Do we have a visitor log and escort policy for outside visitors who enter areas where PHI is accessed or stored?
- Is PHI digitally secure, through measures like firewalls?
- Do we have clear policies on device management?
- Is PHI restricted to authorized employees using security measures like multi-factor authentication?
- Are employees only able to access the level of PHI required to do their jobs?
- Is PHI encrypted, both in transit and at rest?
- Are we able to monitor activity in systems that store or use PHI?
- Is PHI securely backed up off-site?
- Are we using up-to-date security software?
- Do we transmit PHI only over secure channels?
Tools That Keep Your Practice Compliant
HIPAA compliance isn’t a one-time project; it’s an ongoing commitment to security. Your EHR plays a critical role in storing and managing your patient data in a safe, secure way.
Explore how Nextech’s specialty-specific technology platforms for dermatology, med spa, ophthalmology, plastic surgery, and orthopedics help practices deliver outstanding patient care, build a successful business, and comply with government regulations in one sleek package.
About the Author
Courtney Tesvich is a registered nurse with more than 20 years in the healthcare field, 15 of which have been focused on quality improvements and regulatory compliance. She also holds an MBA and a master’s in jurisprudence in Health Law and Corporate Compliance. As VP of Regulatory and Compliance at Nextech, Courtney is responsible for ensuring that Nextech’s products meet government certification requirements and client needs related to the regulatory environment, as well as monitoring overall corporate compliance.