Whether you work in a doctor’s office, with a health plan, an answering service that handles doctors’ calls, or an IT company which stores patient information, HIPAA applies to you. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, lays out guidelines and requirements for keeping medical information private and secure.
Who Must Comply with HIPAA?
There are two categories of companies/individuals who must comply with HIPAA:
Covered entities - People normally picture this category when it comes to medical services: doctors’ offices, hospitals, insurance plans, social workers, etc.
Business associates - These are businesses or individuals which store, handle, or see patient health information, like billing services, legal services, answering services, IT companies, cloud providers, and more.
What Data Must Be Secure?
HIPAA requires that PHI, protected health information, be kept secure. This covers electronic, paper, and orally delivered health information.
To be considered PHI information must be identifiable, or used to identify the person whose information it is. Of course names fall under this, but identifiers like medical record numbers, photos, email addresses, etc. must also be treated with care. When an identifier is paired with any medical information about the patient, it is considered PHI and must be kept secure.
What Do I Need to Do For HIPAA Compliance?*
Risk Assessment - This assessment of your physical and electronic policies determines where data might be at risk. It must be completed on an annual basis, or when there are changes to the environment.
Training - Anyone who handles/stores/maintains PHI must complete yearly HIPAA training and the company must keep records of all employee trainings.
Book of Evidence - The law requires companies to keep a book of all their documented policies and ensure employees are aware of what is laid out in there.
*These are all items that a government audit would require for documentation.
Why Should I Care About HIPAA Compliance?
If you work with, handle, store, or transmit patient health information, HIPAA applies to you. Consequences like fines and government intervention are a definite reason to be HIPAA compliant, but there are many interpersonal and business reasons to consider as well.
We’ve entered an age when massive data breaches hit the headlines regularly. People are becoming more aware of the need for data security and ensuring their information stays secure online. Being aware of these concerns and demonstrating your dedication to compliance reassures your patients and customers their private information is safe with you.
Moreover, if you’re a business associate, compliance is an excellent point in your favor for covered entities who may contract with you for services. It’s important to medical professionals that HIPAA compliance doesn’t end at their door and their patient information remains secure while in your hands.
HIPAA can seem like a frustrating mess of red tape thrown your way. What it really boils down to is a promise to maintain privacy and security and to uphold your customers’ trust.