How to Avoid HIPAA Violations

The increased use of technology in the health care industry helps providers, insurers and patients quickly access medical records. However, the electronic transfer of protected health information (PHI) can leave it vulnerable to data breaches and misuse. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed with two purposes. First, HIPAA set national standards for the electronic transfer of PHI, and second, the law gave patients additional safeguards to protect the privacy of their PHI.

Entities covered under HIPAA can face serious civil fines, and individuals who knowingly obtain or disclose PHI in violation of the law can be prosecuted and sentenced to jail. To avoid HIPAA complaints and investigations, covered entities can take proactive measures to ensure their organization is in compliance.

Instructions

    • 1

      Review the organization's policies and procedures related to patient privacy. HIPAA's Privacy Rule outlines who can access an individual's PHI and how it can be used. Organizations are required to assign a Privacy Officer who can monitor compliance with the Privacy Rule.

      Ensure that every patient receives a written notice of privacy practices and also post the notice prominently. This notice should tell patients how and when their PHI can be disclosed. For any use outside of what is allowed by HIPAA, the organization must receive the patient's written authorization.

    • 2

      Review the policies and procedures related to PHI security. The HIPAA Security Rule establishes the requirements for the administrative, physical and technical protection of electronic PHI. To ensure compliance, HIPAA requires that organizations assign a Security Officer. This person should lead a documented risk analysis of the systems that store or transmit PHI, take steps to identify and fix any security risks found, and continually monitor compliance. Access to PHI should be limited to only those employees who need it for their job (the "minimum necessary" standard), every user should have a unique login that is protected by a password or other authentication, and access to PHI should be logged so it can be audited.

    • 3

      Train staff on HIPAA and their responsibilities related to the law. The California Medical Association recommends that staff annually review the organization's HIPAA policies and procedures. Once they have gone through the review, employees should sign a statement acknowledging that they understand them. Make the policies and procedures easily accessible so that staff can go back and review them when necessary.

    • 4

      Require all business associates that deal with PHI to sign a business associate agreement stating that they will abide by HIPAA. Business associates are those individuals or companies that are not themselves covered entities but still handle PHI as part of the service they provide to a covered entity. This could include a software vendor, a lawyer or an accountant.

    • 5

      Respond to and comply with patients' requests for their PHI. Patients can receive copies of their medical records, but not the originals. Patients should receive copies within 30 days of their request. If that time frame cannot be met, the patient must be notified in writing of the reason for the delay and the date by which the records will be provided; the deadline may be extended only once, by no more than 30 days.