Technological advances have given healthcare professionals the ability to correspond efficiently with other medical professionals, specialists and consultants. This allows doctors to provide patients with care that is both deserved and appropriate for their medical needs. These same advances, however, create concerns for patients if doctors and staff are not guarding their information.
The mainstream concerns for patients, as well as for healthcare professionals, are identity theft and breaches of personal information. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed to protect individuals' rights regarding their healthcare information and to protect patient safety.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted, establishing the reporting of HIPAA compliance issues and security breaches to the Department of Health and Human Services. The final piece, the Omnibus Rule, joined this pyramid in 2013.
As many professionals know, it is crucial to protect patients' rights, but it can be complex to decide what information needs protecting and whether you are on the right track with these regulations, including written policies and procedures. While many businesses and organizations believe they are compliant, many practices are unaware of the risks they take every day. Although 100 percent compliance is not typical, healthcare professionals need to strive to get as close to it as they can. The five points below are designed to show that you can apply these policies effectively. These approaches are vital to keeping you and your team as compliant as possible.
Regularly backing up patient data
Backing up data is a simple task that is hopefully completed on a regular basis. Backups save everyone from the one disaster no one plans on having. Many stipulations come with backing up data, and many people do not know how many regulations HIPAA addresses. First, the backup must be encrypted. Protecting this data is a requirement and an obligation to the patient, and it is equally essential that you are able to restore lost data.
Numerous businesses back up their data and take it home with them, but countless offices back up their data by attaching a portable disk drive, clicking start, and turning off the monitor before walking out the door, leaving this valuable information behind. The next question you should ask yourself is: when was the last time you tested this backup that you save every night and leave attached to the computer? How do you know it has actually been saved? Allowing this unencrypted portable drive to stay in the office, unchecked and untested, places you, your office and your staff at high risk of a breach. This violation is simple to fix, and the fix should take place immediately.
Not only are breaches devastating, but they also create an ample amount of work once one has occurred. Patients will need to be notified in writing; it is their right to be informed that the breach has transpired. The next step is to contact the media and to report the breach through the Health and Human Services website. Once the breach has happened, you will join over 1,100 practices already listed on that site.
So what does encryption actually mean? Margaret Rouse wrote an article describing encryption. She states, “encryption is the conversion of electronic data into another form, called cipher text, which cannot be easily understood by anyone except authorized parties.” Under HIPAA, this means that where encrypting the information is reasonable and appropriate, it must be encrypted.
HIPAA requires the decision to be documented either way, whether or not encryption is found to be reasonable and appropriate. So, to stay on the safe side, encrypt everything. Even though the question of what is reasonable and appropriate seems self-explanatory, many are confused by it, and ignorance of the law is no excuse. It is not a “get out of jail free” card; you will not pass “go” for saying you did not know.
As a healthcare professional, it is not only your responsibility to the patient but also your obligation to keep this information protected by encryption. The best solution for this scenario is hiring an information technology (IT) company. The cost of this service is minimal in comparison to the fines behind these violations, the loss of patients once they learn of the breach, and the sheer embarrassment that something like this could happen when the preventive measures were not difficult to achieve.
The best protection is an encrypted online backup system, combined with a full image of the office's systems kept on an encrypted device. This will reduce your chances of a breach. Leave it to the professionals and find a company that will meet your needs and protect your investment.
E-mailing patient information
Internet technology at its finest is the ability to communicate with others without interrupting what you are doing, while still achieving the overall goal of reaching someone. HIPAA recommends that e-mail be encrypted as well, but what many people do not know is that typical services such as Gmail, Outlook and Yahoo do not encrypt the message itself. The path from one office to the next is not as simple as it may seem: a message takes numerous paths, passing through multiple servers before the transmission is complete. Most of the time, these “pass through” servers are not secure.
E-mail is common and very beneficial for sending documents and various types of information quickly. But the instantaneous lifestyle many of us are accustomed to can get us into a bind that is not easy to escape. Even though e-mail is easy and widely used, it is necessary to take action to ensure the data is secure, safeguarded and tamper-proof.
A simple way to protect e-mails containing private information is to make sure your outbound e-mail is encrypted. There are several companies that work with your existing e-mail provider to shield you against breaches.
If your office is in the practice of sending digital X-rays to specialty offices, it is imperative that the e-mail is de-identified. This means no personal patient information can accompany an X-ray image. For example, you can send a digital X-ray image, but it cannot contain any patient information: no names, no initials, no chart ID, no DOB, no full-face photo; nothing that would allow another person to identify whom that X-ray image belongs to.
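One way to enforce that rule before an X-ray leaves the office, as an added example that is not from the original article: a pre-send gate that strips the identifier tags the article lists from the image's metadata, then refuses to build the message if any stripped value, or any date-like string, still appears in the filename, subject, body or remaining tags. The tag names and the sample export are constructed for the example, not taken from any particular imaging format.

```python
import re

# Tags the article says must not accompany an outbound X-ray. This tag set is
# constructed for the example, not the tag names of any particular imaging format.
IDENTIFIER_TAGS = {"patient_name", "patient_initials", "chart_id", "date_of_birth", "face_photo"}
# Date-like strings (DOB or otherwise) left in free text are flagged for review.
DATE_RE = re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b")

def deidentify(metadata):
    # Strip identifier tags; keep their values so the rest of the message can be cross-checked.
    clean, removed = {}, []
    for tag, value in metadata.items():
        if tag.lower() in IDENTIFIER_TAGS:
            if value:
                removed.append(str(value))
        else:
            clean[tag] = value
    return clean, removed

def residual_identifiers(parts, removed_values):
    # parts: label -> text for filename, subject, body and remaining tags.
    # Returns findings; an empty list means nothing identifying was spotted.
    findings = []
    for label, text in parts.items():
        lowered = str(text).lower()
        for value in removed_values:
            if len(value) >= 3 and value.lower() in lowered:
                findings.append(f"{label} still contains stripped identifier {value!r}")
        for match in DATE_RE.finditer(str(text)):
            findings.append(f"{label} contains date-like value {match.group()!r}")
    return findings

def prepare_xray_message(filename, subject, body, metadata):
    # Gate the send: return (message, []) when clean, or (None, findings) when not.
    clean, removed = deidentify(metadata)
    parts = {"filename": filename, "subject": subject, "body": body}
    parts.update({f"tag:{tag}": value for tag, value in clean.items()})
    findings = residual_identifiers(parts, removed)
    if findings:
        return None, findings
    return {"filename": filename, "subject": subject, "body": body, "metadata": clean}, []

# Constructed sample export whose tags carry the identifiers the article lists.
SAMPLE_METADATA = {
    "patient_name": "Jane Example",
    "chart_id": "CH-10042",
    "date_of_birth": "1980-04-12",
    "modality": "intraoral radiograph",
    "comment": "Periapical, tooth #19",
}
```

The cross-check matters because stripping tags alone is not enough: a chart ID in the filename or a DOB typed into the body re-identifies the image just as surely as the tag did.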
Storing and sharing patient information on Dropbox
Dropbox is phenomenal. For those instantaneous, on-the-go, sleep-with-my-phone-in-hand types of people, this tool is fabulous. For those of you who are unfamiliar with Dropbox, it is a cloud-based program that allows files to be uploaded and then accessed on any device of your choosing. Convenience is the best part about it, not to mention how easy it is to use. Doesn’t that sound amazing? It has all the bells and whistles that an “on-the-go” professional needs, except one thing: it is not HIPAA compliant. Unfortunately, there have been reports of data breaches in recent years. While the company has not had any breaches since 2013, the tool is still not HIPAA compliant. Therefore, while storing personal records or documentation there is acceptable, it is not an option for any documentation that contains patient information.
Patient information access
Practices that have their work cut out for them to become compliant should consider working with a HIPAA professional who can help them reach a higher level of compliance. While we realize that becoming 100 percent compliant is not realistic, it is important that your office is striving for compliance. Auditors are looking for proof that you have gone out of your way to protect the patients and your office.
Visible demonstrable evidence (VDE) means making sure you have taken precautions such as logging which employees have access to patient information and securing charts at night. If you are going to label charts, be mindful of what you put on them; it is a good idea to keep them covered during the day and, if electronic records are used, to shred the hard copies before you leave at night. The fines for noncompliance are severe and reach over a million dollars.
About the author
Theresa has over 30 years of hands-on, clinical, administrative and academic experience. Theresa is the founder of Theresa Sheppard Solutions and is passionate about bringing protection, prosperity and peace of mind to your practice. She can be reached at www.theresasheppard.com