In this guide, we will cover:
- What is HIPAA?
- The HIPAA Privacy & Security Rules
- The types of businesses that must follow HIPAA
- The type of information that is protected
- How the Information is Protected
- Recommendations to stay HIPAA Compliant
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) aims to protect patient health information and control its use.
The primary goal is to ensure that patient information is properly protected while allowing the flow of health information necessary to provide and promote high-quality healthcare and protect the health and well-being of clients.
Because the healthcare industry is so diverse, HIPAA aims to flexibly and comprehensively cover different ways of using information, while protecting the privacy of those seeking care and treatment.
The HIPAA Privacy and Security Rule
- Allows patients to better control their health information.
- Establishes limits on the use and disclosure of medical records.
- Develops appropriate measures to be taken by health professionals and others to protect the privacy of medical information.
- Imposes civil and criminal penalties for violations of patients' privacy rights, so that violators are held accountable.
For patients, this means being able to make informed decisions based on how personal health information is used when seeking care. Specifically:
- Enables patients to understand how their information is used.
- Generally restricts the disclosure of information to the minimum necessary for the disclosure purpose.
- Generally gives clients the right to inspect and obtain copies of their medical records and request corrections.
- Allows individuals to control certain uses and disclosures of their health information.
Who Must Follow HIPAA
The following entities are considered covered entities and must follow HIPAA:
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers - especially those that conduct certain business electronically, such as electronic health insurance billing. This includes most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses - businesses that process nonstandard health information they receive from another entity or vice versa.
- Business Associates by virtue of their relationship with covered entities.
What Type of Information is Protected?
- Medical records entered by doctors, nurses, and other health care providers.
- Conversations between a patient and doctors, nurses, and others about care or treatment.
- Patient information entered into a health insurance company's computer system.
- Billing information about patients and clinics.
- Any other information about a patient's health held by professionals who must comply with HIPAA.
How is the Information Protected?
- Healthcare companies must take appropriate steps to protect medical information and ensure that this information is not misused or disclosed.
- Facilities must establish procedures to restrict who can view and access customer health information, and implement employee training programs on how to protect their medical information.
- Entities must have adequate security measures in place to protect health information and ensure that they do not use or disclose this information inappropriately.
Recommendations to Stay HIPAA Compliant
Here's a list of recommendations by the U.S. Department of Health and Human Services to help you stay HIPAA compliant.
1 - Establish clinic-wide privacy measures.
Designate a privacy officer and contact person to monitor privacy issues. This person is the point of contact for receiving complaints and is responsible for training all employees on privacy issues, in particular so that employees understand the restrictions on, and disclosure practices for, PHI (protected health information).
2 - Get consent to collect, use, and release PHI.
The key to obtaining proper consent for the collection, use, and disclosure of medical information under HIPAA is:
- create a set of policies and procedures, and
- record these policies and measures and any use or disclosure cases.
3 - Develop an emergency plan.
Develop a plan you can use if an emergency threatens the safety and privacy of PHI. Ensure that the appropriate staff can still access PHI in the various kinds of emergencies. In some cases, consider being able to restore data from one location to another.
4 - Come up with processes that give patients easy access to their records.
The HIPAA Privacy Rule requires clinics and healthcare professionals to provide copies of medical records within 30 days of receiving a written request. Patients also have the right to have their medical records corrected promptly.
5 - Make sure your devices, website, and network are secure
Create and maintain a secure website that meets all HIPAA privacy requirements for identifying information. Run the site on a secure network with all appropriate protection measures, and get professional help when needed.
The following are some additional security precautions:
- Require a secure, password-protected login.
- Set a timeout on your devices so they automatically disconnect when you are not actively using them.
- Train employees to act with integrity when handling electronic health information, including not destroying or changing records.
- Require authentication of all employees or entities accessing PHI.
- Make sure data transmission containing PHI is encrypted.
6 - Think about your PHI storage options
Evaluate options for storing clinic health information, whether you decide to store it as a hard copy, on your own server, or in a cloud-based practice management system.
Come up with a solution that not only meets the needs of daily work processes but also complies with HIPAA.
In addition, please consider choosing a combination of these storage options.
7 - Sign a Business Associate Agreement (BAA) with software vendors.
HIPAA requires a written contract between the clinic and any other entity that processes medical information. For this contract, HIPAA defines two types of organizations:
Covered Entity - The organization that records the data. This mainly refers to health clinics and doctors, or anyone else who treats patients.
Business Associate - An entity that acts on behalf of the covered entity to help store and process the data.
8 - Become familiar with your state laws.
Check state laws that have other privacy requirements besides HIPAA. Here are some specific things to consider:
- If state laws are less stringent than HIPAA, HIPAA applies.
- When state laws are stricter than HIPAA, state laws will apply.
- In many cases, stricter state laws involve reporting of public health information, such as infectious diseases or child abuse, or birth and death records.
9 - Stay current on Privacy Laws
Remember, the law changes frequently. Make sure your privacy officer is aware of any changes to privacy requirements and develops a strategy to keep your practices up to date with the latest changes. Also, be sure to review and update your policies regularly as needed.