So, You’re Finally Taking A Closer Look at HIPAA?
by Theresa Sheppard, on Jun 10, 2015 1:15:39 PM
Welcome to the future!
While it may not feel like it (still no flying cars), the world and our daily lives have become far more complex, especially in how we access, move and store data. In healthcare, these advances also mean a greater chance of unintentionally breaching a patient's privacy.
Download "The 5 Most Overlooked Steps to HIPAA Compliance".
HIPAA is Part of Our Daily Lives
The HITECH Act significantly increased the civil monetary penalties for HIPAA privacy violations and for failure to provide breach notification, and the federal government can also impose criminal penalties.
This has created a sense of urgency for medical and dental practices to better understand their security requirements and reevaluate their privacy policies.
Is Your Practice Fully HIPAA Compliant?
How many practices feel they are only 90, 75, or even 50% HIPAA compliant? Many facilities do not realize that not sending electronic claims does not release them from the legal and ethical obligation to protect patient privacy.
The most daunting and time-consuming challenge is the risk analysis. It is multi-layered and involves taking a hard look at each aspect of your administrative, physical and technical safeguards:
- Determine level of risk
- Determine the likelihood of threat occurrence & potential impact
- Identify security measures and finalize documentation
- Develop written procedures & policies
- Ongoing training & documentation
Next Step: Confronting and Correcting
Once your risk analysis is complete, it’s time to develop written policies and procedures based on what you’ve learned.
Lastly, you are required to have ONGOING training for your team. What does “ongoing” mean?
I suggest that at least once a month you set aside 30 minutes to discuss issues that may have arisen, or situations that need correction. It is also a great time to “work your way through” the extensive procedure manual by going over a few pages at a time.
A critical aspect of this is to document the training. Like everything else… you must be able to prove that this is something you are taking seriously.
A breach occurs when someone acquires, accesses, uses or discloses protected health information in a way that is not permitted and that compromises the privacy or security of the patient.
What Constitutes the Need for a Breach Notification?
- The practice is not required to report a breach if, through a documented risk assessment, it can demonstrate that there is a low probability that the information has been compromised.
- Otherwise the practice is required to notify those affected. An oral disclosure (spoken word) can meet the definition of a breach.
- Business Associates must notify the covered entity of a breach without unreasonable delay, and no later than 60 calendar days after discovery, so it can be determined who is responsible for notification.
- The practice must send the notification without unreasonable delay, and no later than 60 calendar days after discovery of the breach.
- Affected individuals must be given written notice. If contact information is missing or out of date for fewer than 10 persons, substitute notice may be given by telephone, email or another written form.
- If contact information is missing or out of date for 10 or more persons, substitute notice must be a conspicuous posting on the practice web site home page for 90 days, or a notice in major print or broadcast media in the geographic area where the affected persons likely reside.
- For breaches affecting fewer than 500 persons, the practice must keep a log and submit it to HHS no later than 60 calendar days after the end of the calendar year in which the breach was discovered.
- For breaches affecting 500 or more persons, the practice must notify HHS without unreasonable delay, and no later than 60 calendar days from discovery. If more than 500 residents of a state or jurisdiction are affected, the practice must ALSO notify prominent media outlets serving that area (usually by press release), no later than 60 calendar days after discovery.
In Matters of Data Security
In my experience as a HIPAA consultant, most of my smaller clients are dental practices with 1-3 doctors who back up their clinical software and patient information themselves. They usually do not have the luxury of a dedicated IT staff member, and often rely on their preferred IT integrator, or the most technical person in the office, to get the job done. Often this means that the backup method they have been using is not secure.
Some offices back up when they close the month, but have never tested whether the backup can be restored.
Some back up to tape daily, but keep the only copy onsite, possibly unencrypted.
We have even seen cases where no backup was being done at all, because of confused policies and the assumption that someone else was taking care of it.
Practices must perform daily backups in order to be protected from data loss and to stay in compliance with HIPAA. A product such as NovaBACKUP meets the stricter HIPAA mandates, and its support team is located locally for easy access, offering remote Setup Assistance.
An automated backup schedule reduces the effort required of the practice, and email summary reports confirm that each backup job has completed.
These reports make the Security Official's job much easier when auditing. Keep in mind that a completion report shows only that the job ran; a periodic test restore, scheduled and documented alongside the backups, is what gives real confidence that the data can be recovered should it ever be lost or compromised.
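The failure modes above (backups that were never test-restored, or that silently stopped) are easiest to catch when the restore test is part of the backup job itself. The following is an added example, not code from the original post or from NovaBACKUP: a Python script using only the standard library that archives a directory, restores it into a scratch location, compares every file hash against a manifest taken at backup time, and produces the text summary a Security Official could file as evidence. The directory layout, file names and patient files are constructed sample data; encrypting the archive at rest, which the post also calls for, is assumed to be done by a separate vetted tool and is not shown.

```python
"""Added example (not from the original post): nightly backup with an automated
restore test and a plain-text summary report. Standard library only; sample data is constructed."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone

def sha256_file(path):
    """Stream a file through SHA-256 so large database files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def create_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir and return the manifest of what went in.
    Encrypting the archive before it leaves the machine is an assumed separate step."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest(source_dir)

def verify_restore(archive_path, expected):
    """Restore into a scratch directory and compare every file hash against the manifest.
    A job that 'completed' but cannot be restored is reported as a failure, not a success."""
    report = {"ok": False, "files": len(expected), "missing": [], "corrupted": [], "error": None}
    try:
        with tempfile.TemporaryDirectory() as restore_dir:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # Reject absolute paths, '..' and links that escape restore_dir
                    tar.extractall(restore_dir, filter="data")
                except TypeError:  # Python build without the 'filter' argument
                    tar.extractall(restore_dir)
            restored = manifest(restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    report["missing"] = sorted(p for p in expected if p not in restored)
    report["corrupted"] = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    report["ok"] = not report["missing"] and not report["corrupted"]
    return report

def summary_report(archive_path, report):
    """Text the Security Official can file as evidence that the restore test ran."""
    lines = [
        f"Backup verification report ({datetime.now(timezone.utc).isoformat(timespec='seconds')})",
        f"Archive: {archive_path}",
        f"Files expected: {report['files']}",
        f"Restore test: {'SUCCESS' if report['ok'] else 'FAILURE'}",
    ]
    if report["error"]:
        lines.append(f"Error during restore: {report['error']}")
    if report["missing"]:
        lines.append("Missing after restore: " + ", ".join(report["missing"]))
    if report["corrupted"]:
        lines.append("Hash mismatch after restore: " + ", ".join(report["corrupted"]))
    return "\n".join(lines)

def run_demo():
    """Back up constructed sample data, then exercise two failure modes."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "practice_data")
        os.makedirs(os.path.join(source, "charts"))
        # Constructed stand-ins for clinical software data; no real PHI
        for rel, content in [("charts/patient_001.txt", b"chart 001\n"),
                             ("charts/patient_002.txt", b"chart 002\n"),
                             ("schedule.db", b"\x00" * 4096)]:
            with open(os.path.join(source, rel), "wb") as fh:
                fh.write(content)
        archive = os.path.join(work, "nightly.tar.gz")
        expected = create_backup(source, archive)
        good = verify_restore(archive, expected)
        # Failure mode 1: a chart created after the backup ran is not in the archive
        stale = verify_restore(archive, {**expected, "charts/patient_003.txt": "0" * 64})
        # Failure mode 2: the job reported completion but the file on disk is truncated
        with open(archive, "r+b") as fh:
            fh.truncate(os.path.getsize(archive) // 2)
        truncated = verify_restore(archive, expected)
        return {"good": good, "stale": stale, "truncated": truncated,
                "report_good": summary_report(archive, good),
                "report_bad": summary_report(archive, truncated)}

if __name__ == "__main__":
    print(run_demo()["report_bad"])
```

Scheduled nightly, the text returned by summary_report is what goes into the email the post describes; the difference from a bare completion notice is that a FAILURE line appears whenever the archive cannot be restored byte-for-byte, and the manifest comparison also flags data that exists on the system but never made it into the backup.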
Keep Calm and Achieve Compliance
It's all about assessment and mitigation. Reaching the state of HIPAA compliance is an ongoing process. While the multiple layers of rules and regulations can be intimidating, this should certainly not cause you to delay taking on the issues of data security in your environment. In fact, it is critical that you get started on this process right away! If you are selected for an audit, you could be required to produce your procedure manual and risk assessment in as little as 10 days.
What I have tried to accomplish here today is to provide an overview of the basic information that can work as a first step towards bringing your office into compliance. Taking the next step means a risk analysis and putting together a comprehensive HIPAA protocol and policy program.
A special thanks to Theresa Sheppard for sharing her insight on HIPAA compliance. For more information visit: http://optimaldentalinsights.com/.
For information about HIPAA compliant backup software visit: http://novabackup.novastor.com/healthcare-backup-solutions/.