HIPAA Compliance: 5 Suggestions for Protecting Patient Data

Federal regulators are stepping up their enforcement of the Health Insurance Portability and Accountability Act (HIPAA), as a recent $100,000 fine levied on Phoenix Cardiac Services demonstrates. From law firm Mintz Levin:

“The settlement reaffirms OCR’s commitment to enforcing the Privacy and Security Rules, and its willingness to sanction covered entities for HIPAA violations.” (The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group)

Investigators are focusing particular attention on the disclosure of “protected health information,” which can include any detail of patient care – physical condition, services rendered, billing information, etc. – that can be linked to a specific individual.

What can providers and covered entities do to ensure compliance? Here are five suggestions:

1. Train employees on compliance policies and procedures:

“Most HIPAA violations have to do with people, the way we behave or the way we don’t behave and how we manage the policies that we create internally. Violations tend to be triggered by sloppiness, not criminal intent. The Office of Civil Rights indicates that 69% of all HIPAA violations of 500 or more items are as a result of human error… Human error encompasses everything from true accidents to employees snooping because they would like to know what their ex-husband’s new girlfriend is like.” (HIPAA/HiTECH – Changes on the Way for Covered Providers by Davis, Brown, Koehn, Shors & Roberts, P.C.)

2. Identify and eliminate weaknesses in compliance programs:

“Covered entities must evaluate periodically the effectiveness of their HIPAA compliance programs, including compliance with recent changes due to the HITECH Act and applicable regulations. If you have not done a formal evaluation of your program, such as conducting a trial run of your breach incident response plan, do so now. Document the process, and adjust procedures in light of the results.” (Audits Heat Up HIPAA Liability by Poyner Spruill LLP)

3. Require compliance from business associates:

“Business associate arrangements should be identified and reviewed. Business associates without a written business associate agreement should be identified and agreements put in place. For business associates with written agreements, the agreements should be placed in a central repository to be reviewed, ideally by a designated team familiar with the current and anticipated future requirements.” (It’s Coming: The HIPAA/HITECH Rule; What To Expect and What To Do Now by Ober|Kaler)

4. Lock down your computer networks:

“Weaknesses in software and computer systems attract hackers and intruders. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering information). Intrusion prevention and detection systems can alert you of cyber attacks and allow you to respond in real time.” (Protecting Patient Data From Cyber Attack by IKE DEVJI)

5. Appoint a HIPAA privacy and security officer:

“Have you formally established a chain of command with regard to dealing with HIPAA or HIPAA violations, specifically to include the formal appointment of a HIPAA Privacy Officer, Security Officer, and a Contact Person? Do you have written acceptances of the appointments?” (HIPAA Audits Are Coming: The Time to Prepare Is Now by International Lawyers Network)
