Even unintentional violations of HIPAA can result in criminal and civil penalties. Entities and individuals who violate HIPAA can face a fine of up to $50,000.00 and up to a year in jail.
Healthcare admins are encouraged to train or hire a staff member, referred to as a HIPAA champion, whose sole job duty is to enforce the latest security standards and ensure that patient protected health information (PHI) is properly handled.
However, even admins who choose to do so should have a working knowledge of the basics of staff compliance standards as they relate to the HIPAA Security Rules.
Here is a look at 7 best practices when it comes to HIPAA compliance:
1. Health Information Should Be Encrypted
The U.S. Office of Civil Rights recently published the results of a study that determined that two-thirds of all significant breaches involving HIPAA protected information resulted from laptops, tablets, and other portable devices with unencrypted health information that were stolen or lost.
2. Passwords Should Never Be Shared Among Staff Members
Passwords should be assigned by the HIPAA champion to all employees who are access to patient protected health information. Single sign-on systems should employ fingerprint detection or voice recognition software, in addition to assigned passwords, in order to secure log-ins.
3. Gossip Among Staff Members Should Not Be Tolerated
Unfortunately, it is quite common for employees to share private information amongst one another or with a friend believing that “no one’s going to find out” or “it’s just one person”.
Staff members should be thoroughly educated on what is at stake if private health information is revealed to an unauthorized individual. They should also be made aware of what the ensuing consequences will be.
4. Special Attention Should Be Paid to Third Party Business Agreements
Healthcare admins should be aware of how their contract with a specific vendor will safeguard and protect their organization’s healthcare information.
When a contract with a new vendor is being considered, the vendor should be asked if they perform routine security analyses of their systems that handle PHI.
Similarly, questions should be asked regarding what type of training they provide to their employees and whether or not they have designated security and privacy officials.
5. All Disks That Contain Phi Should Be Backed Up
Best practice recommendations from the U.S. Department of Health and Human Services suggest storing patients’ private health information on a HIPAA compliant cloud server as opposed to paper documents or a localized server.
Likewise, computer programs that contain PHI should always be closed when not in use. Practice management systems that boast automatic timeout features are particularly valuable in this instance.
6. All Staff Members Should Be Properly Trained Regarding HIPAA
This seems like common sense device, but hackers are becoming increasingly savvy when it comes to using seemingly white hat techniques to obtain PHI.
For example, staff members should be taught to be suspicious of any emails that request they click on a link or ask for sensitive information, like social security numbers or usernames.
This innocent-seeming type of email can expose an organization’s information system to the viruses and malware that hackers commonly use to burrow into systems.
7. Any Paperwork Containing Phi Should Be Secured in a Folder
Patient charts should be covered so that names are not visible. Patient records or folders that contain PHI should never be left unattended.
Similarly, paper files that contain PHI should be properly disposed of by shredding, and a cover sheet should always be used when private health information is being faxed from one location to the next.
These simple steps can assist a healthcare administrator’s organization in remaining HIPAA compliant; however, HIPAA standards are constantly evolving and being revised to remain abreast of industry trends and new technology.
This is why having a designated HIPAA champion within your organization is so vital.