When we speak with folks about HIPAA, many claim it is a four-letter word (despite its having five letters). My 9-year-old says it sounds like HIPPO and he thinks that’s funny. I think there’s an argument where each of those is correct, but at the end of the day, folks are just trying to understand what it really means and how it affects their practice.
In its simplest terms, HIPAA is the Health Insurance Portability and Accountability Act, which sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This includes covered entities (anyone who provides treatment, payment or operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment or operations). Subcontractors, or business associates of business associates, must also be in compliance.
The compliance protocol is a serious undertaking, but here are a few key steps to get you started:
- Understand the HIPAA requirements.
HIPAA has several regulations and standards, but it also allows some flexibility in how they can be addressed, depending on factors such as the data handled, its criticality, the number of employees, the number of locations, and so on. That is why HIPAA compliance looks different for each organization. There are resources online (the ADA, AOA, ACA, HHS and others each provide ‘roadmaps’), but we recommend first speaking with a cybersecurity and compliance expert to ensure your efforts are going in the right direction.
- Determine whether you are a “Covered Entity.”
The term “covered entity” applies to businesses with health plans, healthcare providers and healthcare clearinghouses. If your business handles personal patient data (electronic protected health information, or ePHI) in any way, the HIPAA Security Rule applies to you. For more information, see “For Covered Entities and Business Associates.”
- Identify the right individual(s) to lead your effort.
Finding an individual to handle compliance documentation will keep the HIPAA process clean. Choose someone with good organizational and writing skills so they can document your HIPAA history and filings.
- Verify you have implemented basic security measures.
HIPAA compliance is only as good as the security measures you have already put into place. Be sure to have an up-to-date firewall and current antimalware and antivirus protection. HIPAA also requires strong network passwords, so two-factor authentication is a good measure to implement on top of them.
- Plan for an audit.
Auditors will show up and request to see your compliance documentation. If the task seems daunting, hire a third-party compliance service to get your records ready for an audit.
Need help? Hire an expert.
GSWS provides HIPAA audit assessments specifically created for small and medium healthcare practices. We provide all the documents you’d need if an auditor shows up at your door. For more detailed questions and/or specific information, contact us at info@GSWS.com or 619-825-4797.