(shared from Medcurity)
Did you know that the HHS Office for Civil Rights (OCR) can fine an organization up to $1.5 million for breaking a HIPAA regulation? A fine from the OCR isn’t even the only cost associated with a HIPAA breach. Here are 5 key steps you can take to prevent common HIPAA violations and avoid penalties.
1. Properly store your Protected Health Information
It’s very important to guard all your documents containing Protected Health Information (PHI), whether it be physical or digital.
You should keep electronic protected health information (ePHI) password protected and encrypted. Encryption isn’t specifically required , but under the security rule organizations are obligated to “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.” Industry best practices dictate that ePHI should be encrypted when possible. Encrypting your files can save you from a HIPAA breach in case of theft or a hack.
Ensure that all PHI is only being accessed by personnel when necessary for treatment or payment. If you have PHI in a hard copy document, it needs to be securely locked away in a cabinet, desk, or office. Don’t risk getting fined for simply throwing away a document instead of following proper HIPAA compliant shredding procedures.
Ensure that necessary data is backed up, and test backups regularly. Remember, under HIPAA you are required to maintain Designated Record Sets (which include medical records and billing information) for 6 years. State regulations sometimes require that covered entities retain medical records for a longer period.
2. Stay on top of your BAAs
HIPAA Business Associate Agreements are required under HIPAA anytime a covered entity grants an outside party access to PHI in the course of their work. The BAA will specify how your vendor will use PHI and what steps they will take to comply with the HIPAA Security and Privacy Rules.
A BAA helps ensure that the OCR won’t hold you responsible should your business associate have a data breach that involves your PHI. Review your BAAs annually or biannually to ensure the agreement remains appropriate.
3. Conduct a comprehensive HIPAA SRA each year
The HIPAA Security Rule requires that both covered entities and business associates regularly conduct a Security Risk Analysis (SRA). The SRA assesses the physical, administrative, and technical safeguards you have in place to protect your ePHI. It’s an important opportunity to uncover any vulnerabilities in information security plan and make any necessary remediations. It also allows you to document all of the good compliance work you’re already doing.
The OCR had repeatedly emphasized the importance of the SRA. If you experience a breach and do not have a current and comprehensive security risk analysis, the OCR is likely to view this as negligence. You are more likely to incur a high penalty as a result.
If you need assistance with your SRA, Medcurity is here to help. Use our intuitive HIPAA platform, or have our HIPAA compliance experts come to you.
4. Create a strong policy program
Strong HIPAA Privacy and Security Policies and Procedures are fundamental to HIPAA compliance. You need thoughtful policies to outline how your organization will handle everything from disciplinary action to social media.
These policies act not only as guidance but also documentation, which is important. It’s critical to be able to demonstrate compliance in the case of an OCR audit.
5. Train your employees
Most HIPAA violations begin with human error. Educating your personnel to understand their role in HIPAA compliance is key.
HIPAA employee training should take place during initial on-boarding and then recur annually. Employees should attest that they have reviewed your organization’s policies and procedures. Healthcare continues to be a top target for cybercrime, and 90% of data breaches begin with human error, so make sure your HIPAA training includes cybersecurity education as well.
Proactively complying with these requirements are important steps to protect your patient’s sensitive information. It also protects your organization from HIPAA fines and other financial consequences that can follow noncompliance. Even if your organization does experience a breach, the OCR will consider if you have taken appropriate privacy and security measures.
If you have more questions about HIPAA or information security, check out this resources page.