How Does HIPAA Impact Your Practice?
No medical office, and few other types of office, can escape HIPAA. HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects the information of patients in all 50 states. It applies not just to medical and dental practices, but also to insurance companies, healthcare clearinghouses, and the other organizations a practice works with. HIPAA also sets out very specific rules for how confidential information must be handled and when it may be shared. In fact, in some circumstances, you may be obliged to share the information, particularly with law enforcement. It is not only important that your workplace be HIPAA compliant and up to date with the latest technology for keeping patient information safe; it is required.
What Is HIPAA?
Before we delve too far into this topic, let's give a brief summary of what HIPAA actually is. As stated above, HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, and it requires medical information to be protected at all times, except in certain circumstances. This means that patient information cannot be obtained by third parties or given to individuals who are not authorized to see it. HIPAA breaches can occur in all manner of ways, and with technology changing rapidly, it is important that your practice stays up to date on protecting its electronic information. HIPAA breaches can also occur the old-fashioned way: by individuals telling others information they are not authorized to receive, or by files being left out or stolen. There are also times when disclosing health information is not a violation of HIPAA but is actually required. We'll discuss that in the next section.
When to Release Protected Health Information (PHI)
While it may seem counter-intuitive, HIPAA sometimes requires you to disclose PHI, or Protected Health Information. As such, it is important that your practice knows when disclosure is appropriate, so that staff neither give away information mistakenly nor withhold information they should be releasing. Because of this, it is imperative that your employees are well-versed in HIPAA compliance rather than taking a stab in the dark about when information must be shared. A hospital or practice can generally be expected to exchange information in a few scenarios. These include:
- Research on particular diseases
- Public health investigations, particularly for communicable diseases
- Workplace safety and workers' compensation
- Public health interventions, such as contaminated food
- Reporting a victim of abuse or neglect
- Law enforcement requests that require it
- Identifying a deceased person
- Organ donation
- Legal proceedings
- Necessary government activities
Becoming HIPAA Compliant is Not an End Goal
With rapidly changing technology, HIPAA compliance is also changing at a fast pace. Offices and hospitals need to keep up with how to store patient information without allowing breaches, and this may change as computer software changes and technology improves. It is sometimes said that offices don't become HIPAA compliant as an end goal; instead, it is something they are always working toward. Don't think of HIPAA compliance as something you're done with once you have had an external audit or had your employees take a class. Instead, think of it as a goal you're always chasing. If you treat HIPAA compliance as an end goal, you'll quickly find yourself in breach of the law. The Department of Health and Human Services, or HHS, takes these violations seriously. Depending on how much information was leaked and how serious it was, you can face huge fines or, even worse, jail time. HHS doesn't let offenders off with a slap on the wrist, so it is important that you're always in compliance and on top of any changes. Your office should not neglect changes as they occur, and should always be on top of new rules and regulations.
HIPAA Laws and Electronics
When the HIPAA law was first introduced, we didn't rely as much on storing patient information in computer systems. Nowadays, computers and tablets, as well as other devices, are integral to how we interact with patient information. This allows doctors to look at X-rays almost immediately on computer screens, or to send referral letters instantaneously. Previously, for someone to breach patient information, they would have had to physically steal a file. While this can still happen, it is now much less of a risk than patient information being exposed through a data breach or an accidental email. Data breaches can also happen when devices on which sensitive information happens to be stored are stolen. It is not enough to assume your practice is compliant because you have certain software systems, and it is not enough to assume you are compliant because you have security in place to prevent theft of those devices. Instead, it is imperative that you have someone on staff who can breach-proof your systems. This may involve hiring someone full-time, or hiring a contractor every few months to look for holes or flaws in your security. A security breach that you didn't plan for could cost your practice hundreds of thousands of dollars. As such, you'll need to make sure your electronic systems are in order and as difficult to penetrate as possible.
Should My Practice Become HIPAA Certified?
What is HIPAA certification? While there is no official HIPAA certification from HHS, it can be helpful to become certified by a third party. This doesn't legally protect you if you do anything wrong, and the onus is still on your practice to keep up to date with changes in the rules and in technology. With HIPAA certification, a third party goes through your systems and checks that they meet HHS standards. If they don't, the certifier can give you a plan for fixing them so that they meet the necessary standards. Once you've fixed them, you can rest assured that your practice is HIPAA compliant for the moment. As stated previously, HIPAA compliance is ever-changing. As such, you may wish to consider going through HIPAA certification every few months or every year to ensure you stay on top of things. At the end of the day, you want to protect both yourself and your patients. If your practice is found to be in violation of HIPAA, it can not only cost you a pretty penny, but it can forever damage your relationship with your clients. Even if the issue wasn't technically your fault, it can give off an air of not caring about client confidentiality. As such, your clients may decide to look elsewhere for care, because they feel their information isn't being properly looked after at your practice.
HIPAA Training for Your Employees
One very important factor in HIPAA compliance is ensuring your employees are up to speed with HIPAA laws and regulations, and that they get the information they need when requirements change or new laws are introduced. Unless individuals have a long medical background, you cannot expect them to walk onto the job ready to enforce HIPAA. In fact, it can be very easy for medical staff to breach HIPAA, even in ways they may never be caught, such as sharing confidential information with family members or with other staff members. So, what is HIPAA training, and is it appropriate for your practice? HIPAA training can be done in person or online and is conducted by a third party. It provides your employees with the information they need to be HIPAA compliant in their day-to-day work. It can also serve to update employees when laws and regulations change, or when new ones are introduced federally or statewide. While third-party HIPAA training for employees doesn't make you automatically compliant, it is a smart move to reduce future risk. It is also imperative that your employees know how to use electronic devices in a HIPAA-compliant way, and how to store devices holding sensitive information so that they are less susceptible to theft.