A Quick Look at the HIPAA Compliance Checklist

Anyone who creates, receives, stores or transmits electronic Protected Health Information (ePHI) must comply with the HIPAA regulations that govern it. Companies that work closely with medical records without being health care providers themselves, such as law offices and insurance companies, need to be especially aware of how they handle this sensitive information. A practical way to confirm that your operations are in line with HIPAA is to work through a checklist that covers each of the requirements that apply to patient data.

The consequences of violating HIPAA range from civil monetary penalties and enforcement actions by state attorneys general to criminal charges for knowing misuse of health information. Patients have a right to privacy in their medical records, and information this sensitive needs to be handled with care and attention to detail.

Over the years, health care providers around the world have moved patient records from paper to electronic medical record systems. In response, the U.S. Department of Health and Human Services (HHS) has issued additional HIPAA rules and guidance to safeguard patient information in electronic form.

HIPAA Compliance at a Glance

So, what is HIPAA compliance? At its foundation, it means meeting the requirements of the Health Insurance Portability and Accountability Act and the regulations issued under it. Those regulations have been amended several times, most significantly by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the amendments must be followed as well.

Before we dive too deep into the HIPAA compliance checklist, let’s take a look at two crucial components of HIPAA itself. These are a snapshot of

Covered Entities

Covered entities are health care providers, health plans, and health care clearinghouses that create, receive, maintain, or transmit protected health information. Note that a hospital is a covered entity that employs health care providers: when a provider works as a member of the hospital's workforce, the hospital is the covered entity responsible for compliance, and the individual provider is not separately regulated for that work. This places the burden of HIPAA compliance on the hospital.

Business Associates

Law offices and insurance companies that retrieve medical records for their cases or claims are typical examples of business associates. Because they handle protected health information on behalf of a covered entity, business associates must follow specific rules. They must sign a Business Associate Agreement (BAA) with the covered entity that sets out, for example:

  • What information they are permitted to access and view
  • How the information may be used and disclosed
  • The safeguards they must maintain and how they must report a breach to the covered entity
  • Whether the information will be returned or destroyed when the engagement ends

Whenever a business has medical records in its possession as a business associate, it is directly liable for complying with the HIPAA Security Rule and with the terms of its BAA, just as a covered entity would be.

HIPAA requires all covered entities and business associates to implement safeguards that keep sensitive information secure. When a breach does occur, regardless of how or why, the organization must follow the steps set out in the HIPAA Breach Notification Rule; failing to do so adds to the penalties for the breach itself.

How Companies Can Adhere to the HIPAA Security Rule

Protected health information must be safeguarded at all times, whether it is at rest in storage or in motion while being retrieved. Law firms and insurance companies are all too familiar with storing and moving sensitive medical records: access to these records is necessary for a case or claim to progress, but the information still requires protection throughout. The HIPAA Security Rule groups its requirements into three categories of safeguards.

  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

HIPAA-compliant portals are one of the most effective and efficient ways of storing and transferring protected health information. The three categories of safeguards in the Security Rule, which together make up the compliance checklist, are described below.

Technical Safeguards

The technology used to protect medical records and other ePHI falls under this category. The technical safeguard standards cover access control (unique user IDs, emergency access, automatic logoff), audit controls that record activity in systems holding ePHI, integrity controls, person or entity authentication, and transmission security. Encryption is an "addressable" specification rather than a strict requirement, but ePHI encrypted in line with HHS guidance, which points to NIST standards, is treated as unusable, unreadable, or indecipherable; if such data is lost or stolen, its exposure does not count as a reportable breach, which is why encryption is the safeguard that protects an organization after a potential breach.

Every organization can use whatever technology best suits its operation, as long as that technology meets the technical safeguards outlined by HIPAA.

Physical Safeguards

Physical safeguards are less about where patient information is stored than about who can physically reach it. On-premises servers, remote data centers, and cloud services are all places where HIPAA covered entities and business associates can store patient data. The workstations, computers, and mobile devices used to access, store, or transfer that data also need compliant controls, because a lost laptop or an unattended terminal is a breach of privacy just as much as a compromised server.

The Security Rule's physical safeguard standards cover facility access controls, rules for how workstations may be used and where they are placed, workstation security, and device and media controls, including inventory procedures and the secure disposal or re-use of media that held ePHI.

Administrative Safeguards

The administrative side of the equation relies on risk analysis and risk management policies, an assigned security officer, workforce security and training, security incident procedures, contingency planning, periodic evaluation, and business associate agreements to ensure that confidential information is handled in accordance with HIPAA.

A Brief Look at HIPAA Rules

Several rules govern HIPAA compliance and the protection of protected health information. Here is a quick look at these rules and what each one does.

HIPAA Privacy Rule

The Privacy Rule requires safeguards for protected health information in every form, electronic or not, and sets conditions and limits on when it may be used or disclosed without the patient's authorization. It also gives patients, and their personal representatives, rights to access their records, request corrections, and learn how their information has been disclosed.

HIPAA Breach Notification Rule

If a breach of unsecured protected health information occurs, this rule dictates how and when covered entities must notify the affected individuals and the Department of Health and Human Services: without unreasonable delay and no later than 60 days after discovering the breach, with large breaches also reported to the media. A business associate that discovers a breach must notify the covered entity so that those notifications can be made.

HIPAA Omnibus Rule

The Omnibus Rule, issued in 2013 to implement the HITECH Act, extended HIPAA's requirements directly to business associates and their subcontractors. Data storage companies, consultants, contractors, and similar organizations became directly liable under these rules. It also updated breach notification standards, business associate agreement requirements, training practices, and other privacy processes to strengthen the protection of ePHI.

HIPAA Enforcement Rule

The Enforcement Rule governs how HHS investigates complaints and breaches and sets the procedures and penalty tiers that follow. As mentioned, fines, enforcement actions, and even criminal charges can result from breaches or negligence.

A Final Word on HIPAA Compliance

Organizations that want to stay aligned with HIPAA need to implement software, systems, and processes that meet its requirements. Those that cut corners often end up paying far more later, when a risk assessment, an audit, or a breach investigation exposes the gaps.

Business associates such as law firms and insurance companies sometimes use their own systems or staff to retrieve medical records for their cases or claims. Maintaining and managing those systems to HIPAA standards can be difficult and costly. Many businesses instead outsource medical record retrieval to a company that offers HIPAA-compliant services, systems, and technologies, which reduces the compliance burden on the business associate. These services can be cost-effective and give business associates confidence throughout the medical record retrieval process, although the business associate remains responsible for having a BAA in place with any such vendor.