Industry research shows that most physicians and healthcare practice managers are unaware of the liabilities created by HIPAA regulations. This is especially of concern given that in 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed over $19M in fines on HIPAA-covered entities and business associates. Is your healthcare organization truly HIPAA compliant? In this blog, we offer several tips to help you find out:
1. Eliminate PHI Disposal Risks
Discarding PHI without first destroying it is one of the violations specifically referenced in HIPAA as qualifying for the highest level of non-compliance fines, which range from $50,000 to $1,500,000. A media and hard drive shredding service ensures expired electronic PHI is destroyed promptly and securely. A Certificate of Destruction issued at the end of each media destruction project documents your practice’s compliance with HIPAA disposal requirements.
2. Enforce a Clean Desk Policy
HIPAA always requires PHI to be kept confidential. Never leave unattended medical files and records on desktops or computer screens where they can be seen by prying eyes. A clean desk policy helps you set a standard for securing PHI when it’s not in use. Distribute it to everyone in your practice and make sure they follow it.
3. Train Your Staff
HIPAA requires that an organization document and conduct information protection training, including training on proper information destruction. HHS has said that fines will be reduced for medical facilities that train their staff, while those that neglect this responsibility by not training their employees face harsh fines and penalties.
A Medical Practice/Facility Information Destruction Training Program (MPIDT) can reduce your organization’s risk and increase employee compliance with HIPAA requirements. It provides you with Information Destruction Instruction Manuals and a Policy Statement customized to your organization and professional HIPAA-compliance training for your employees.
4. Choose HIPAA-Compliant Business Associates
Although the HIPAA Privacy Rule only applies to covered entities, it’s important that vendors and business partners who handle, process or destroy PHI on your behalf are HIPAA compliant. HIPAA classifies these vendors as Business Associates (BA). Create a clear BA agreement that includes an outline of responsibilities, non-disclosure standards, and PHI safeguards.
If you have more questions about HIPAA or other state and federal privacy laws, please contact us by phone or complete the form on this page.