7 HIPAA & HITECH Best Practices: Does Your Workplace Comply?
Even though privacy laws are in place to protect personal health records, 90%of healthcare organizations that participated in the 2014 Fourth Annual Benchmark Study on Patient Privacy & Data Security still experienced at least one data breach in the past 2 years. In fact, data breaches continue to cost some healthcare organizations millions of dollars every year.
While criminal attacks, employee negligence, unsecured mobile devices, and the Affordable Care Act were cited as the main threats to information security, the study also found that healthcare organizations are not always in compliance with privacy regulations.
In the U.S., the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) are the federal healthcare-specific privacy laws. Compliance is mandatory.
HIPAA regulations stipulate that healthcare organizations put safeguards in place to prevent intentional and unintentional breaches of all forms of personal medical records and other health information.
Enacted in 2009, HITECH tightened regulations and added larger penalties, inclusion of business associates (they have to comply too), and mandatory breach notification.
Below are some key points to keep in mind regarding HIPAA & HITECH:
- Stay informed. According to the Patient Privacy & Data Security study, personnel in less than half (46%) of organizations are actually knowledgeable about HITECH and other data breach notification laws. How to stay informed? Partner with companies that are committed to information security, and access resources such as the U.S. Department of Health and Human Services.
- Establish a security plan. HIPAA requires workplaces to have safeguards in place to ensure the privacy of PHI (protected health information). A formal security policy will set the necessary tone in the workplace and provide guidance against all breach risks.
- Educate and enforce. Research has shown that employee negligence is considered the biggest security risk. Information security training should be on-going and include circulated and posted information as well as webinars and seminars such as lunch and learn sessions. Industry experts recommend monitoring compliance efforts too.
- Limit access. ‘Access governance’ topped the list (at 76%) of the most important data security technologies for protecting confidential information in The Human Factor in Data Protection report. Ensure PHI and EPHI (electronic PHI) is available only to employees that need to know the information to do their jobs. According to HIPAA, business associates must also limit information disclosure according to privacy rules.
- Create a retention policy. A document retention program is the systematic identification, categorization, maintenance, review, retention, and destruction of workplace documents. This helps a workplace avoid breaches of information that should have already been destroyed. Here is more information.
- Eliminate risk where possible. When it comes to document shredding (when information is no longer needed), a ‘shred all’ policy is recommended. Employees don’t have to decide what is or isn’t confidential because all documents go into the shredding container for destruction.
- Secure document destruction. Secure disposal of PHI in all forms is a HITECH requirement. Partner with a knowledgeable shredding company that provides a secure chain of custody with locked consoles for documents, security-trained personnel, on or off site shredding services, hard drive destruction, and a certificate of destruction after every shred.
Learn more about HIPAA and HITECH and how to stay compliant.