Your patients want to know that their personal information is secure and that the disclosure of protected details happens only when necessary. HIPAA compliance is essential for your medical practice, because it ensures that patients have peace of mind when it comes to the personal information available through their medical records. When you demonstrate a commitment to keeping information secure, you can not only avoid fines, but you can build genuine connections and trust with the people you treat.
Two key aspects of HIPAA, known as the Privacy Rule and Security Rule, are particularly important for medical practices to follow. In general, the Privacy Rule limits the release of health information to what is reasonably needed for the purpose of the disclosure. It also requires the establishment of appropriate safeguards for the confidentiality and security of electronic protected health information (e-PHI).
Although HIPAA was first enacted in 1996, the latest modifications to the regulations, known as the final omnibus rule, went into effect in September 2013. The new rule, detailed by the Department of Health & Human Services, expands patients' privacy protections and allows them to ask for a copy of their electronic medical record. Patients may also instruct providers not to share information about their treatment to their health plan if they pay out of pocket. The omnibus rule also requires providers to request a patient's permission before they market a third-party service to the patient based on their protected health information.
Following these rules is hugely important because, along with gaining the trust and confidence of your patients, you want to avoid any violations, such as theft of patient records, disclosure of information without consent, or lost data, that can result in steep civil or criminal penalties. There are several steps that practices can take to meet HIPAA compliance:
- Always get patient approval for protected health information transfers. Attorney James Wieland, principal at Ober|Kaler's Health Law Group, says it is important to get explicit approval any time information is transferred to a third party, even if it is at the patient's request. "If you get directions or requests from an individual to transfer their personal health information to a third party, you must get them to clearly state it — in writing — or you will be at risk," he says. Wieland also suggests getting consent from the patient if the information is transferred through nonsecured means.
- Run a risk analysis. HIPAA requires that organizations that handle protected health information regularly review administrative, physical, and technical safeguards. According to the Department of Health & Human Services, there are four key steps to the risk analysis process: "Evaluate the likelihood and impact of potential risks to e-PHI; implement appropriate security measures to address the risks identified in the risk analysis; document the chosen security measures, and where required, the rationale for adopting those measures; and maintain continuous, reasonable, and appropriate security protections."
- Conduct employee training. Even with safeguards in place to protect your patients' health information, it's still possible for a violation to occur if employees aren't aware of the rules. HIPAA compliance training should be provided to employees when they first start working at the practice and should be continued annually. This training should include information about the privacy and security rules, violations, and tracking patient record requests. In addition to offering training, your practice should also strengthen its employee password policy and require employees to regularly change the passwords they use to access patients' medical records.
- Update business associate agreements, policies, and procedures. According to Medical Economics by ModernMedicine, relations with business associates are the second major area of vulnerability when it comes to HIPAA compliance. Under the new rules, business associates have the same responsibility to secure protected health information as providers. They are also subject to the same penalties for HIPAA violations. Your practice should review its agreements with business associates and update them to reflect the fact that they are now liable for HIPAA compliance. Your practice should also update its HIPAA policies and procedures, including its Notice of Privacy Practices.
Securing patient information requires procedures and training, but the effort is worth it when you avoid penalties and secure the trust of your patients. When they know you are looking out for their interests by keeping their information safe, it will go a long way to creating a productive relationship and connection.