As a healthcare practice you cannot ignore your compliance with the HIPAA Security Rule. The HIPAA Security and Privacy Rules were created to protect patients' protected health information (PHI). HIPAA violations can result in penalties of $100 to $50,000 per violation, depending on the level of culpability, with a cap of $1.5 million per calendar year for violations of the same provision; the highest amounts apply when the violation is due to willful neglect.
A data breach can be financially costly to your practice and may also harm your patients if PHI lands in the wrong hands. A data breach can be as simple as a lost laptop containing unencrypted patient information.
Becoming HIPAA compliant is not an easy task, but it shouldn't be ignored either. I have listed four steps below to get you started with your HIPAA compliance.
Risk Analysis
A Risk Analysis is the first step towards HIPAA compliance. It is used to discover potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI): where ePHI is stored, how it moves through your practice, who can access it, and what could go wrong. The risk analysis should be documented, and any discovered vulnerabilities should be addressed and tracked to closure. If you have already conducted a risk analysis, review and update it yearly and whenever your environment changes significantly (a new EHR system, a new office, a new vendor).
Implement Administrative, Physical and Technical Safeguards
There are certain safeguards that need to be implemented by covered entities to protect PHI. The safeguards are broken down into three types (Administrative, Physical and Technical). Some safeguards are required and some are addressable. All the required safeguards need to be implemented. Addressable does not mean optional: for each addressable safeguard you must decide whether it is reasonable and appropriate for your practice; if you choose not to implement it, you need to document why and implement an equivalent alternative measure where one is reasonable and appropriate.
Employee Training
Many HIPAA violations are caused by employee mistakes or negligence. The HIPAA safeguards require you to train your employees, send periodic security reminders, and monitor your employees to make sure they are not causing HIPAA violations. Keep records of who was trained and when, since you will need them if you are ever audited.
Business Associate Agreement
If you employ any company or contractor that creates, receives, maintains or transmits PHI on your behalf (for example a billing service, an IT provider or a cloud EHR vendor), they are considered a business associate.
You need to have a Business Associate Agreement (BAA) in place that requires them to comply with the HIPAA Security Rule. A business associate agreement can help limit your practice's liability for a HIPAA violation caused by the business associate, but it does not remove your responsibility to choose vendors carefully and to act if you learn they are mishandling PHI.
The steps listed above should only be considered as a starting point towards your HIPAA compliance. HIPAA compliance is an ongoing process that needs to be constantly monitored and reviewed to fit your practice.