HIPAA compliance in words we all understand



While the Internet gushes with information on why you need to be HIPAA compliant, our experience has taught us that you rarely encounter a comprehensible breakdown of what the term "HIPAA compliance" even entails. Undoubtedly, a few people exist who navigate the boring professional jargon with ease, but most of us (including doctors) would appreciate a simpler analysis. As family physician Dan Brewer, MD, once wrote on an email discussion list, "I believe I would rather eat live cockroaches than learn about HIPAA security". It doesn't need to feel that painful.

So here are the basics of what you need to know:

Who you are protecting

People's personal business that criminals want to steal, also known as protected health information (PHI). Basically, your job consists of guarding any form of health information, whether it's social security numbers or current medications. Anything involving payment for health care needs protection too.

The Privacy Rule exists

While a novel exists detailing the specifics you probably will never want to know, the Privacy Rule provides the following rights:

1. Access – Patients can see their medical records.
2. Amendment – If necessary, patients can correct their PHI.
3. Authorization – You are required to divulge who you're sharing information with if requested.
4. Accounting of Disclosures – You also have to divulge who looks at the information if the patient requests.

Lastly, always maintain your integrity; patients can file complaints against you if you slip up.

The Security Rule also exists

If the Privacy Rule is Cat in the Hat, then the Security Rule is Crime and Punishment. You'll want professional guidance to help you follow this hefty legal baby properly. Basically, the Security Rule makes the protections in the Privacy Rule actually happen. Now we'll introduce you to the three safeguards detailed in the rule:

1. Administrative Safeguards – This section delineates how to run your business under HIPAA guidelines. Get your business some security personnel, minimize who sees the PHI, and give your employees the safety lowdown.
2. Physical Safeguards – This one deals with the actual handling of the information and who sees it. Limit access to electronic media containing PHI through an effective workstation design and you'll pass this part of the test.
3. Technical Safeguards – Everything you need to know about protecting the integrity of electronic PHI through technology exists in this part of the rule. You need to implement access controls such as passwords to limit who sees the info. Audit controls involve hardware, software, and other tools to track activity so you always know who handles the records. As if that's not enough protection already, throw some integrity controls into the mix to ensure e-PHI is not improperly altered or destroyed and you've got a fierce wall of safety going on.
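To make the three technical safeguards concrete, here is a small added example (not code from the original post) of a toy e-PHI record store: role-based access control decides who may read or write, an audit log records every access attempt and its outcome, and an HMAC tag over each stored record detects improper alteration. The role table, integrity key, and patient record are constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: roles and an integrity key (assumption: in production the key lives in a secrets store).
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}, "janitor": set()}
INTEGRITY_KEY = b"example-key-rotate-in-production"

class PhiStore:
    def __init__(self, key=INTEGRITY_KEY):
        self._key = key
        self._records = {}   # record_id -> (canonical JSON bytes, HMAC tag)
        self.audit_log = []  # audit control: one entry per access attempt

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, record_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record": record_id, "outcome": outcome,
        })

    def write(self, user, role, record_id, record: dict) -> bool:
        if "write" not in ROLE_PERMISSIONS.get(role, set()):  # access control
            self._audit(user, role, "write", record_id, "denied")
            return False
        data = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (data, self._tag(data))  # integrity control
        self._audit(user, role, "write", record_id, "ok")
        return True

    def read(self, user, role, record_id):
        if "read" not in ROLE_PERMISSIONS.get(role, set()):  # access control
            self._audit(user, role, "read", record_id, "denied")
            return None
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(data)):  # integrity check on every read
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise ValueError(f"record {record_id} failed integrity check")
        self._audit(user, role, "read", record_id, "ok")
        return json.loads(data)

    def tamper_for_demo(self, record_id, data: bytes):
        # Simulates an out-of-band change to the stored bytes (e.g. a disk edit) that bypasses write().
        self._records[record_id] = (data, self._records[record_id][1])
```

The audit log is what lets you answer an accounting-of-disclosures request; the integrity failure on read is what turns a silent alteration into a detectable event.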

Who covered entities are

If you classify yourself under any of the following categories, you are a covered entity who will need to follow all the HIPAA laws: health care providers, health plan companies such as HMOs, or health care clearinghouses.

If you are a covered entity, you'll have to enlist your business associates in the cause of PHI protection. If you're wondering what constitutes a business associate, they are anyone who helps carry out health care activities involving your patients' information. A lot of business associates deal with claims processing, data analysis, utilization review, and billing, which means they see a lot of PHI in a day. Developing a security plan with business associates lets everyone be legal and happy.

Ignoring HIPAA will make people angry

These HIPAA people mean business. Failing to follow guidelines leads to some serious fines starting at $100 per failure to comply, with up to five years' imprisonment for HIPAA laziness. And if they detect criminal intent, you're looking at fines in the ballpark of $250,000 with ten years' imprisonment. And of course abuse of PHI may lead to lawsuits from patients as well. Moral of the story? Do what HIPAA says.

What you need to do

Document everything. Once you accomplish that task, move on to items such as:

1. Establish an emergency plan for security breaches, human errors, natural disasters, etc.; this typically involves backing up your data.
2. Employ firewalls and anti-virus software to protect your routers and individual computers. Update frequently to combat the rapidly changing viruses.
3. Post written rules and guidelines in your practice. Most security issues happen when employees blunder or use bad judgment. Ignite a respect for other folks' info in your employees and your business will stay safe.
4. Install computer security programs to prevent and detect issues. Better safe than sorry, as they say.
5. Whatever else you deem "reasonable and appropriate" in keeping your patients' information safe.
6. Don't hesitate to bring in a HIPAA compliance expert to help you set all this up. It may cost you some money, but it will be worth it to know you're protecting yourself.

A gap analysis will help this all make more sense

A gap analysis means you take a look at all the capabilities and weaknesses of your security systems and compare them to HIPAA protocol. Then you fill in the gaps with whatever else needs to be done. If you make a flow diagram of all the factors that contribute to storing and transmitting PHI, you'll not only satisfy a HIPAA requirement but also be able to thoroughly assess your security levels. While you will have the assistance of the required security manager to help you, don't slack off! You need to know what your systems look like.

Hopefully this gives you some clarity on how to implement HIPAA compliance into your practice. While professional help has become almost necessary in creating medical security systems, if you learn about the fundamentals you can ensure your patients stay safe.