Question: “Dr. Kotlar, I think I’m HIPAA compliant. I have all new patients sign my Notice of Privacy Practices form, all files are kept in a locked cabinet, we keep all patient conversations at a low level and my billing manager stays up to date by attending coding seminars. Am I HIPAA compliant?”
Answer: You’re on your way, but based solely on the items you mentioned, you’re not there yet. Let’s begin with a little HIPAA background and the basics.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. It was signed into law on August 21, 1996 and is enforced by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR). Compliance with HIPAA is mandatory. HIPAA applies to all covered entities. Covered entities include health insurance plans, clearinghouses and healthcare providers (MDs, DCs, PTs) that transmit health information electronically. The main purpose is to safeguard patients' protected health information (PHI).
The HIPAA privacy rule applies to all PHI. The purpose is to protect patient data and regulate how providers can use and disclose PHI. The HIPAA security rule relates to the protection of electronic PHI (ePHI). This includes ePHI at rest or in transit.
Notice of Privacy Practices:
The Notice of Privacy Practices, also known as the HIPAA notice, is a document provided to every patient who seeks care in your office. It sets rules about who can look at and receive PHI, and it gives patients their rights over how and when PHI can be shared. If a patient refuses to sign the HIPAA notice, keep a record of this fact. The HIPAA notice should be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one. If you would like to receive a sample Notice of Privacy Practices, send an email to firstname.lastname@example.org.
A compliance officer is an employee of your organization whose responsibilities include ensuring that the company complies with federal and state regulatory requirements and internal policies. A compliance officer may also design or update internal policies to mitigate the risk of the company breaking laws and regulations, as well as leading internal audits of procedures. If a staff member is not qualified to be a compliance officer, it is appropriate for the doctor to name himself/herself the office compliance officer.
The compliance officer must have an excellent and thorough understanding of the business, as well as skills and human qualities that allow him/her to advise, train and raise awareness among company staff on the significance of business ethics and compliance. The compliance officer should organize and supervise training sessions either through meetings or e-learning. Compliance officers are expected to provide an objective view of company policies and to be on the alert for potential areas of vulnerability or risk.
Many providers work with and share patient PHI with outside vendors such as billing companies. These types of arrangements are now governed by HIPAA. Billing and software companies are two examples of Business Associates. Other examples include clearinghouses, attorneys, IT consultants, transcription services and cloud service vendors. Another example is a staff member paid as an independent contractor who is accessing your ePHI from an outside location. Basically, anyone not an employee of your workforce who can access PHI could be considered a Business Associate. Business Associate Agreements (BAA) can help protect your practice.
Here’s a possible situation: someone hacks into your billing company system and steals a bunch of your patient files. Without a BAA, you are held liable and may have to purchase credit monitoring services for every stolen patient file. This could become very expensive.
Security Risk Assessment:
All covered entities must perform a security risk assessment. The purpose of a risk assessment is to identify where ePHI is located and the threats and risks to ePHI, and to determine safeguards to better protect it.
Test Your HIPAA Knowledge:
Do you have a disaster recovery procedure in place? The HIPAA security rule requires that a policy be in place and that staff be trained in case of fire, vandalism, system failure or a natural disaster that damages systems containing electronic protected health information. A disaster recovery plan and procedure is required to restore any loss of data.
Are workforce members aware of workstation use policies that prohibit online activities such as email, social networks, etc.? The HIPAA security rule states that all workforce members should be made aware of proper workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Is anti-malware (anti-virus and anti-spyware) installed and updated on each of the organization’s workstations and servers? Malware (computer viruses and spyware) is one of the leading causes of data being stolen or breached. It is critical to have anti-malware installed on all systems, including workstations, laptops, servers, etc. The anti-malware should be automatically updated with new definition files.
Do workforce members with laptops take the system home or out of the office? One of the leading causes of ePHI data breaches is lost laptops and portable media. Laptops that contain ePHI should be tracked, and only authorized workforce members should be allowed to remove them from an organization’s offices.
Are all the office's laptops encrypted to protect the data stored on them? Laptops that contain ePHI should be encrypted to prevent access to ePHI in the event a laptop is lost or stolen.
Are workforce members required to change their passwords periodically? Requiring workforce members to change passwords every 30, 60 or 90 days will help secure their user account. Password changes prevent breached accounts from being accessed over a long period of time.
Do employees protect passwords and not share them with other employees? When accessing ePHI every member of the workforce must use a unique user ID and password. Workforce members should not share passwords with each other. This includes leaving passwords in plain sight, posting them on notes and sticking them to the monitor, leaving passwords written under the keyboard, etc.
Are workforce members required to create a complex password? A complex password, sometimes known as a strong password, is one that consists of at least six characters (the more characters, the stronger the password) that are a combination of letters, numbers and symbols (e.g., @, #, $, %) if allowed. Passwords are typically case-sensitive, so a complex password contains letters in both uppercase and lowercase. Complex passwords also do not contain words that can be found in a dictionary or parts of the user’s own name.
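A small checker for the password rules just listed, added here as an example and not part of the column or of any product it mentions. The short word list and the allowed symbol set are constructed placeholders (assumptions), and name parts of three or more letters stand in for "parts of the user's own name".

```python
import re

# Constructed, tiny stand-in for a dictionary word list (assumption: a real
# office would load a full word list from disk instead).
COMMON_WORDS = {"password", "welcome", "chiro", "summer", "letmein", "health"}

# Symbol set assumed to be allowed by the practice's software (assumption).
SYMBOLS = set("@#$%!&*?")


def check_password(password: str, user_name: str, min_len: int = 6) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    Rules follow the column: at least min_len characters, a mix of letters,
    digits and symbols, both upper- and lowercase letters, no dictionary word,
    and no part of the user's own name.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("not mixed case")

    lowered = password.lower()
    # Dictionary words are rejected wherever they appear inside the password.
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # Any name part of three or more letters (first, middle, last) is treated
    # as part of the user's name and must not appear in the password.
    for part in re.findall(r"[a-z]{3,}", user_name.lower()):
        if part in lowered:
            problems.append(f"contains part of user's name '{part}'")
    return problems


if __name__ == "__main__":
    for pw in ("marty1", "Password1!", "Tr!cky9Zb"):
        print(pw, "->", check_password(pw, "Marty Kotlar") or "OK")
```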
To begin your path to HIPAA compliance, conduct a security risk assessment, create a policy/procedure manual, designate a compliance officer, provide regular staff trainings, and log all trainings in your policy/procedure manual.
Marty Kotlar, DC, CPCO, CBCS, is the President of Target Coding. Dr. Kotlar is Certified in CPT Coding, Certified in Healthcare Compliance, and has been helping chiropractors nationwide with HIPAA, Medicare compliance, documentation and compliant cash plans for more than a decade. Target Coding can be reached at 1-800-270-7044. Website – www.TargetCoding.com. Email – email@example.com.