Healthcare Solutions: Five Steps to Optimal HIPAA Compliance
Here’s how to achieve optimal compliance amid an environment of changing technologies and more rigorous regulation than ever.
It’s Sunday morning, and you’re in the office. Why? A theft at your facility at 2 a.m. means the protected health information (PHI) of more than 3,500 of your clinic’s patients is now “out there.” You’re helping your organization’s public relations counsel draft a statement for the media.
Yes, you read that right: the media. Since your breach affected more than 500 patients in your state, you’re required by Technology for Economic and Clinical Health Act (HITECH) regulations to make a public statement. It’s a waking nightmare.
But you can likely mitigate your risk by knowing about two key aspects of HIPAA regulations:
- The HIPAA Privacy Rule, which calls for measures to ensure the confidentiality, integrity and availability of all PHI. This includes all information about an individual’s health status, type of care or payment for care—basically, all information contained in a patient’s medical record and payment history.
- The HIPAA Security Rule, which addresses safeguards specific to the security of electronic PHI.
Focus on those two rules and you’ll be far ahead of the pack. You’re not the only one who needs to worry about them: All health plans, healthcare clearinghouses, healthcare providers and their business associates, including those that transport or store health information, must comply with both of these HIPAA components.
Ignore the regulations and you’ll face significant penalties, as much as $1.5 million per violation, with enforcement at both the state and federal levels. Plus, patients, employees, vendors and authorities have a built-in incentive to identify and report violations, because they can be awarded a percentage of the penalties.
Avoiding Compliance Speed Bumps
These five steps can ease your compliance burden:
- Document all operational processes and procedures. Provide training, workflow and guidelines for releasing information.
- Implement technical safeguards for data-related information systems and associated controls that protect electronic PHI and control access to it. These include database security, network protection, and user authorizations and passwords.
- Provide physical, not just electronic, access safeguards. These include locked rooms accessible only to those employees who need to access electronic information systems and electronic PHI.
- Continue to follow the HIPAA Privacy Rule to protect PHI, which limits the use or disclosure of that information without patient authorization.
- Implement procedures for breach notification provisions. New HIPAA provisions require the following:
• Organizations that sustain a breach of PHI privacy or a security lapse must report the incident to all affected patients, as well as to the Department of Health and Human Services (HHS).
• If the breach affects 500 or more people in one state, you must report it to HHS immediately and make a media announcement.
• If the breach affects fewer than 500 individuals, you can include it as part of annual reporting.
These strict reporting requirements compel all employees, contractors and vendors to understand what constitutes a reportable breach:
- Any use or disclosure that “compromises the security or privacy” of patients’ PHI
- Any use or disclosure that poses a financial, reputational or other risk to the individual(s) involved
A Cautionary Tale: Are You Protected?
In March 2012, a health insurance company became the first healthcare organization penalized for a security breach under HIPAA noncompliance. Thieves stole more than four dozen unencrypted computer hard drives from the company’s storage facility: drives containing the personal information of more than 1 million individuals.
Why is the victim of this theft subject to penalties? A government investigation revealed that when operational changes were made at the facility, the insurance organization failed to perform a required security evaluation. For this reason, the company didn’t know that the leased storage facility had inadequate facility access controls. The organization paid HHS $1.5 million and agreed to a corrective action plan to address gaps in its HIPAA compliance program.
You don’t want this to happen to you. The good news is that you can take the steps you need to avoid such a crisis—and avoid any Sunday-morning news release tragedies, too.
Iron Mountain Recommends: Seven Essential Questions for Confirming a Partner’s HIPAA Compliance
Until recently, HIPAA rules applied largely to healthcare organizations handling Protected Health Information (PHI) but not the vendors they hired. This is no longer true.
Now, not only must you have HIPAA-compliant practices throughout your own institution, you must also make sure your third-party partners are HIPAA-compliant. Fail to do so and you could pay as much as $1.5 million in penalties.
To ensure that you’re dealing with a compliant vendor, ask these questions:
- Do your contracts address securing PHI and controlling its use and disclosure?
- What safeguards do you have in place to satisfy the HIPAA Privacy and Security Rules?
- How do you document reporting of all HIPAA privacy and security incidents?
- Do you hold your agents and subcontractors to all restrictions and conditions of compliance?
- Can you provide the information you would need to respond to patient requests for “accounting of all disclosures”?
- Can you make all PHI-related records available if you’re audited?
- Will you return or destroy all PHI upon contract expiration or termination?
Iron Mountain is the trusted partner for protecting your healthcare information. We protect all your data as if it were our own.
Do you have more questions about assessing your current healthcare information management strategy? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.