What does being HIPAA Compliant actually mean anyway?


We are always talking about HIPAA compliance because that is what we do! Sadly many practices think just having a patient sign they received your Notice of Privacy Practices is all that is needed. There is so much more to HIPAA than that! After we go over a client’s risk analysis they realize this and are anxious to get their compliance in place. Then you get busy and it is pushed off to the next week, then the next, and then you realize it never was implemented!

Being HIPAA compliant means MANY things, and I could write about this for hours, but here are some basic reminders:

  1. Work on your Risk Management plan, implement your policies and procedures and mitigate risks. Policies and procedures are necessary so employees understand what is and is not permitted. The enforcement of your sanction policy and being consistent for those employees who violate HIPAA can help you avoid fines and penalties.
  2. Monitor your audit logs. Know who is doing what within your systems. Whether it is an employee or a business associate, you must know who and how users access ePHI. This is critical in preventing or stopping a data breach.
  3. Make sure your HIPAA compliance officer is informed and educated on any security incidents that may occur. This can help them to determine if and when a data breach occurred when they are reviewing the audit logs. The HIPAA compliance officer is required under federal law to report data breaches, large and small. The only difference is timing. Large data breaches must be reported within 60 days (state law could be more stringent) and smaller breaches within 60 days after the end of the year in which the breach occurred.
  4. Check the OIG exclusions list before you hire a new employee which can save you from being required to return payments you received from CMS in the event you hired someone on this list. Also, conducting a thorough criminal background check can prevent you from being stolen from! Conducting and documenting annual HIPAA training as well as when new employees are hired will educate them on patient privacy and data security. Make sure the method of training you choose covers both areas.
  5. Make sure everyone uses their own login credentials and never share their passwords. If someone signs in under another person, then that person that is logged in could be held liability for anything that is done under their credentials! Remember to use strong passwords and change them often. If possible, implement a secondary authentication in addition to using just a username and password. This is extremely helpful in protecting information for business and personal. All online accounts, even email should use a two-step of some type.
  6. Since we work in healthcare we have the ability to look at anyone’s medical record in our system. Keep in mind, you should only look at records that you have a need to do so. This means that if a patient is being seen by another provider or medical staff member and you do not have the need to view the record, you are NOT permitted to do so.
  7. When it comes to technology, many people think if it’s not broke, don’t fix it. This is NOT true! As our systems age, unless they are updated and upgraded, your information may be at risk of a data breach. Firewalls, computers, servers, and software all must be maintained. Firewalls are your first line of defense. Would you put up a fence and never bother to lock it? I have said this many times in the past, in the old wild wild west you could see danger coming towards your town and prepare. The world wide web is the new wild wild west, but the intruders are invisible. You must have several layers of security to secure your data. NOTE: Microsoft Windows 7 will no longer be supported after January 14, 2020. I have always liked this operating system, but now we must prepare for those computers to be updated or replaced.

HIPAA is much more than just these items, but this should help you to remember some important steps!

If you haven’t implemented HIPAA privacy and security policies and procedures, now is a good time to start to ensure your employees understand how to protect your data. If you would like more information, contact us at 877.659.2467 or complete the contact us form.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

Heavy fines demonstrate the importance of a network security audit…

July 1, 2019

How much does a data breach really cost?

August 15, 2019
©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC