Healthcare and HIPAA; the importance of compliance

physician discusses test results with her female patient

Copyright: Alexander Raths /123RF

We’ve touched on the Health Insurance Portability and Accountability Act, or HIPAA, in a past blog as well as throughout our website and social media channels referencing healthcare and privacy practices. If you work in the healthcare industry, you probably know that HIPAA is important, but what is it all about? We’ve put together some key details for you below.

The ethical importance of HIPAA compliance

Why is HIPAA necessary? HIPAA is a major regulation that helps prevent Protected Health Information or PHI from being leaked. Think about your doctor visits. Would you want to have your confidential medical data such as test results, doctor notes, private conversations, mental health or insurance status information out in the open for anyone to see? Of course not! Would you want anyone seeing your family’s information?

HIPAA helps keep covered entities and business associates (the ones that handle your confidential information for billing, etc.) within areas that only those with authorized access should be able to see.

The legal importance of HIPAA compliance
HIPAA isn’t a recommendation, it’s a legal requirement when dealing with PHI. To be compliant with HIPAA, you have to uphold the standards created by its four parts, which are comprised of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA breach notification policies, HIPAA enforcement rule.

  • The HIPAA Privacy Rule was created for owners of PHI data to be able to better control who has access to their information and prevents unauthorized disclosure of this data. The Privacy also acknowledges that required parties—including the individual owner of their PHI data—should be able to access the data as needed. Complying with the HIPAA Privacy Rule also implies that you’re compliant with the HIPAA Security Rule.
  • The HIPAA Security Rule refers to the methods that a business associate or covered entity uses to protect patients’ information. The Security Rule dictates that all communications surrounding PHI data be securely handled and/or encrypted where possible. The U.S. Department of Health & Human Services (HHS) says that this policy was created to, “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • HIPAA breach notification policies differ slightly when breaches affect either more or less than 500 individuals. Both types of breach notification policies require that breaches be reported to the HHS Secretary. However, the necessary reporting is timelier in the case of 500 or more individuals being affected. A case of 500+ must be reported within 60 days of the breach happening, whereas 500 or less must be reported within 60 days after the calendar year of when the breach happened.
  • The HIPAA Enforcement Rule states the details of HIPAA violation investigations and what happens when a business associate/covered entity causes a breach to happen or could have taken measures to prevent a breach, but did not. The Enforcement Rule details how much money is owed if the breach results in a civil money liability.

Are HIPAA breaches rare?

After all, there is a lot of policy that has gone into safeguarding PHI data. Unfortunately, HIPAA breaches happen fairly often. The HHS reported that between April 14, 2003 and April 2018, 180,192 privacy rule complaints were received, resulting in 37,332 investigations. In fact, several breaches have happened this year already, including one in the state of Minnesota.

Tips for remaining compliant

With all the information and paperwork surrounding HIPAA and upholding its compliance, there’s a lot to remember. Here are some good tips to keep in mind about trying to stay compliant.

You can…

  • Develop privacy policies for communications (this includes your website, emails, login portals, devices and more). Encrypt where you can and provide yourself and your patients with peace-of-mind.
  • Develop a plan of action for potential breaches. A HIPAA breach is bad enough, but an improperly handled and/or communicated one? Even worse. It’s a great idea to have a plan in place to know what steps you will take, should a breach occur.
  • Train your employees to know how to handle HIPAA data.
  • Clear out excess clutter. PHI data that’s poorly stored, handled or simply thrown away in the trash is a HIPAA violation waiting to happen. Shred Right can also help you securely shred unneeded documents and old hard drives containing information to remain compliant.

Ready to leave your HIPAA hassles behind you? Shred Right can help you stay compliant. Contact us so we can personalize our services to your information destruction needs.