As more health information is stored and transmitted electronically, the risk of such data being compromised or breached is growing. In this environment, Protected Health Information (PHI) obviously must be secure, but also accessible to authorized requesters, as mandated by HIPAA.
I explored all aspects of HIPAA compliance in greater detail in a June 2016 Group Practice Journal article. The following are brief summaries of the five tips discussed in the article:
1. Avoid Patient Access Barriers
HIPAA-compliant authorizations are only required when a third party requests access to a patient’s PHI. Provider organizations can require that patients use a specific form to request their own PHI, but the form cannot create an access obstacle. Another compliance consideration is that patients’ personal representatives have the same rights as the individual to the PHI, provided they can supply information regarding their authority to act on behalf of the patient.
2. Implement HIPAA Security Rule Safeguards
Almost all organizations investigated by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) for complaints or breaches have been cited for not properly conducting a risk analysis. Risk analysis is one of the administrative safeguards that Covered Entities (CEs) and Business Associates (BAs) must implement under the HIPAA Security Rule; it is a required element, not an optional one. A thorough risk analysis should identify where PHI is created, received, stored and transmitted, and should be paired with an assessment of the organization's physical and technical PHI safeguards.
3. Reduce Breach Risk
Standardizing PHI policies and procedures and centralizing Release of Information (ROI) processes can reduce breach risk. In addition, engaging vendors who offer advanced technology, highly trained and knowledgeable staff, and HIPAA-compliant best practices to manage ROI gives providers an enhanced level of breach protection.
4. Train and Audit Staff
As the technologies used to manage PHI evolve, organizations must provide ongoing education and training to staff. This includes ensuring that staff understand the technology and that they follow HIPAA-compliant procedures, both to prevent breaches and to provide unencumbered access to authorized parties. Testing staff year-round, including mock breaches that walk through the response steps, is also important.
5. Assess Business Associates
Ensure your BAs are also in compliance with applicable state and federal privacy and security laws. Periodic vendor assessments will help ensure BA compliance with HIPAA and Business Associate Agreements (BAAs).
This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.