Read the blog and watch the video!
Back by popular demand, here’s a primer on HIPAA compliance for doctors’ offices, solo physicians, and small medical practices. It’s a prescription that never loses its efficacy. Watch the brief video at the end with our compliments!
Why HIPAA Compliance is Required
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by our federal government to protect patient confidentiality and privacy. It is intended to make sure medical practices safeguard their data in compliance with HIPAA requirements. Doing so will prevent unauthorized individuals, including cybercriminals, from gaining access to patients' protected health information (PHI, including ePHI) and other personally identifiable information (PII) such as payment, billing, and insurance details.
The Many Consequences of Non-Compliance
PHI and PII are valuable commodities for cybercriminals and sell for high prices on the dark web. Identity theft can also result from this crime. Therefore, medical professionals must strictly adhere to the HIPAA Security, Privacy, and Breach Notification Rules to avoid data theft. Becoming fully HIPAA-compliant enables you to avoid financial penalties, mandatory compliance monitoring, reputational damage, loss of licenses, and even imprisonment if the HIPAA violation is particularly egregious.
The HHS Office for Civil Rights (OCR) is responsible for enforcing compliance with the HIPAA rules and regularly publishes press releases announcing specific violators, the financial penalties imposed, and other settlement terms. All that’s required to launch an investigation into your medical practice is a complaint lodged by a patient, former patient, or employee. And the OCR has made complaint filing more convenient through an online portal.
While responsibility for HIPAA compliance ultimately falls upon you as the owner of your medical practice or doctor’s office, the simple fact is that all members of your practice must work together to ensure HIPAA compliance. It must happen every day, with every patient.
For your convenience, here are five steps you can take to ensure that your medical practice is HIPAA-compliant. In addition to reading about them, you can watch our brief video at the end of this article.
1. Exercise Privacy Everywhere in Your Office
- Give patients the privacy they are entitled to, by law, in every part of your office. This includes reception, waiting areas, exam rooms, consultation rooms, and elsewhere. In common spaces, avoid referring to patients by full name. It’s best to use only the first or the last name when calling them in.
- Allow for a quiet, private space when talking with individual patients to ensure your conversation is not overheard. Some office walls are thin, so be aware that sound carries.
- Always knock before entering patient rooms.
- Never leave patient documents, forms, or charts unattended or unsecured.
- While accessing electronic PHI (ePHI), make sure that no unauthorized individual can see the data on your screen or device. This goes for other patients, as well as employees who do not have a need to know.
- Be aware of all the locations of your patients' PHI and ePHI to ensure all versions are protected. Know what data is stored in your EHR, in your data backups, in any individual employees’ files or computers, and in printed records.
- Continuously enforce this culture of privacy throughout your medical practice, with all staff, to keep your privacy standards HIPAA-compliant. And consider employing the services of a professional HIPAA compliance firm to review and validate your privacy practices.
2. Post Your Notice of Privacy Practices
- Print the required Notice of Privacy Practices and post it in a common and clearly visible area in your doctor’s office, so that patients are reminded of their privacy rights under the law.
- Post your Notice of Privacy Practices prominently on your website if you have one.
- Keep copies of the Notice of Privacy Practices handy to provide copies to patients.
3. Maintain and Follow Written Policies and Procedures
- Develop a written policies and procedures manual for everyone in your practice to follow to ensure patient privacy and security. The manual should contain forms, notices, disclosures, and step-by-step procedures that ensure compliance with the HIPAA Security, Privacy, and Breach Notification Rules. Documented policies and procedures are a key element in proving HIPAA compliance in your medical practice. Consider employing the services of a professional HIPAA compliance firm to review and complete your documentation.
- Your policies and procedures should be accessible to all staff, and their use reinforced. Obtain attestations from all staff that they have read, understand, and will abide by the policies and procedures. And be prepared to act in the event of failures, because failures can lead to data breaches. As such, failures are not to be taken lightly.
- Review your policies and procedures annually to ensure they are still current, and then review them with your staff every year.
- Review and update your policies and procedures any time there is a major change in your practice. Examples could include a change in your EHR software, a change of your data backup service, even a change to your antivirus or other security or privacy software. This is also required if you start doing business with a new Business Associate, such as a vendor, service provider, or other supplier.
4. Train Your Team in the HIPAA Do’s and Don’ts
- Ensure that your employees receive HIPAA training and retraining every year. This applies to all staff, including physicians, nurses, medical and office staff. No one is exempt. People are the weakest link in the security chain, and executives and owners are routinely targeted by cybercriminals.
- Training should include reviewing the policies and procedures manual in detail with all personnel.
- Document the dates of training and names of attending employees to provide evidence that you’ve delivered the required training each year. Consider engaging the services of a professional HIPAA compliance firm to prepare and conduct your training.
- Verify that your Business Associates also receive annual HIPAA training.
- In addition to HIPAA training, consider Cybersecurity Awareness training to educate employees about the numerous cyberthreats that plague medical practices and doctors’ offices. These include phishing and other email scams, social engineering techniques, and ransomware exploits. The HHS OCR has provided advice for preventing these common attacks.
5. Complete Your Mandatory HIPAA Risk Assessment
- HIPAA requires a regular HIPAA security risk assessment to identify vulnerabilities and evaluate risks within your medical office. The security risk assessment may be conducted in tandem with a privacy risk assessment to evaluate compliance with the HIPAA Security Rule and Privacy Rule. The risk assessment will review in detail your technical safeguards, physical safeguards and administrative safeguards that are key elements of the HIPAA Security Rule.
- A professional risk assessment will identify vulnerabilities and security and privacy gaps and prioritize them by level of risk. You’ll need to develop a plan of action to address each gap, with a timeline for implementing each solution.
- Be sure to address your follow-up action items within a reasonable period of time. Three to four months is considered a reasonable amount of time for most doctors' offices. As an example, if you are using a straight-cut shredder, your risk assessment may recommend procuring a cross-cut shredder or using a shredding service to further secure your document disposal process.
- A common finding during HIPAA risk assessments is missing Business Associate Agreements. HIPAA requires BAAs with all vendors and suppliers, so arrange to execute them immediately. BAAs are vital in spelling out roles and responsibilities of your Business Associates to ensure they align with your policies and procedures for securing patient data. You are ultimately responsible for their security safeguards as well as your own.
- Another common finding has to do with record disposal. Both hardcopy and electronic records should be disposed of securely. Dumping records in the trash is a serious violation, so be sure you know exactly how your records are being destroyed.
- Other findings may be very technical, such as lack of encryption on storage devices or poor email security. In all cases, the professionals conducting your HIPAA security risk assessment will assist you in understanding the findings and the recommended resolutions, and can also guide you in implementing the recommendations.
Compliance with HIPAA, including the Security Rule, Privacy Rule, and Data Breach Notification Rule, is mandatory for every healthcare entity and their business associates. Compliance protects your patient information (PHI and PII) from unauthorized access, cybertheft, and other data breaches. HIPAA compliance helps your doctor’s office avoid the many negative consequences of HIPAA violations.
HIPAA compliance for medical practices and doctors’ offices can be as easy as taking the five steps detailed above. Conducting the required annual HIPAA risk assessment is fundamental to achieving HIPAA compliance. While you can certainly opt to conduct this annual assessment internally, busy practices can engage the services of a professional HIPAA compliance firm to ensure the work is done promptly and thoroughly.
Watch this short video on the Five Steps to HIPAA Compliance for Your Medical Practice!
This blog post was first published in April 2016, updated in September 2018, and refreshed again for your convenience in December 2022. It is a prescription that never loses its efficacy.