HIPAA compliance: Part 2 -- 3 things you can do today

By Jeff Broudy, August 23, 2016

Part 1 of this series discussed five important requirements of HIPAA compliance. Part 2 discusses some simple steps your practice can take to address these issues.

Since enforcement of HIPAA by the U.S. Department of Health and Human Services Office for Civil Rights (and the scrutiny that comes with it) is likely to continue for the foreseeable future, it's up to you to make sure you have assembled the right team to address your key vulnerabilities. Here are three easy steps you can take today.

1. Take the mandatory HIPAA risk assessment

Jeff Broudy is the founder and CEO of the HIPAA-compliance firm PCIHIPAA. Image courtesy of PCIHIPAA.

Every practice's first priority when considering HIPAA compliance should be to complete the risk assessment the HIPAA Security Rule requires of every covered entity. Simply working through the questions shows you which administrative, physical, and technical safeguards HIPAA now expects from your practice, and where your current practices fall short.

2. Properly use encryption services and password security

Your information technology (IT) department or partner can't be responsible for everything, but it certainly can help. First, IT can set up an offsite data-backup solution and test that data can actually be restored from it in an emergency; a backup that has never been restored is an untested backup. The backup should be encrypted both in transit to the offsite location and at rest once it is there, so that protected health information (PHI) is not exposed if the transfer is intercepted or the backup media is lost.
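The two properties described above, encryption of the backup and a proven restore, can be checked with a short script. The following is an added example, not code from the article or from PCIHIPAA; the directory names, the sample records, and the demo passphrase are all hypothetical, and the passphrase would come from a key manager in a real deployment.

```shell
#!/bin/sh
# Added example, not from the original article: encrypt a backup archive at
# rest and prove it can be restored by decrypting into a scratch directory
# and comparing checksums. Paths, passphrase and sample data are hypothetical.
set -eu

WORK="$(mktemp -d)"
SRC="$WORK/src"                  # stands in for the practice's data directory
ENC="$WORK/backup.tar.gz.enc"    # the encrypted artifact that goes offsite
RESTORE="$WORK/restore"          # scratch directory for the restore test

# Constructed sample records; real PHI would live under SRC instead.
mkdir -p "$SRC/patients"
printf 'patient-id: 0001\nnote: routine cleaning\n' > "$SRC/patients/0001.txt"
printf 'patient-id: 0002\nnote: crown prep\n' > "$SRC/patients/0002.txt"

# The passphrase is read from the environment so it never appears on a
# command line; in production it would come from a key manager.
PASS="${BACKUP_PASSPHRASE:-example-passphrase-for-demo-only}"
export PASS

make_backup() {
  # Archive, compress and encrypt with AES-256-CBC; -pbkdf2 derives the key
  # with many iterations instead of OpenSSL's weak legacy key derivation.
  tar -C "$SRC" -czf - . \
    | openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:PASS -out "$ENC"
}

ciphertext_is_opaque() {
  # Sanity check: no plaintext marker is visible in the encrypted backup.
  ! grep -q 'patient-id' "$ENC"
}

restore_backup() {
  # Restore into a clean directory, never over the live data.
  rm -rf "$RESTORE" && mkdir -p "$RESTORE"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass env:PASS -in "$ENC" \
    | tar -C "$RESTORE" -xzf -
}

checksums() {
  # Sorted SHA-256 list of every file under a directory, relative paths only.
  (cd "$1" && find . -type f | sort | xargs sha256sum)
}

restore_matches_source() {
  # The restore test passes only if every file came back bit-for-bit.
  [ "$(checksums "$SRC")" = "$(checksums "$RESTORE")" ]
}

make_backup
ciphertext_is_opaque
restore_backup
if restore_matches_source; then
  echo "restore test passed: $ENC decrypts to an exact copy of $SRC"
else
  echo "restore test FAILED" >&2
  exit 1
fi
```

Run this on a schedule against the real backup target, and treat a failing restore check as an incident: an encrypted backup that cannot be decrypted and restored gives you none of the protection the rule is asking for.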

Second, IT can ensure effective email encryption. When sending PHI electronically, everyone in the practice should be using email encryption on a business email service (Microsoft Exchange, for example) that the practice controls. Many practices still use a free consumer email service (Gmail, Yahoo, or AOL, for example), but these services are free for a reason: a consumer account generally comes with no business associate agreement and no guarantee that messages carrying PHI are encrypted end to end.

Finally, IT should help make sure workstation passwords are secure: complex (a minimum of eight characters with at least one number), unique to each user, and changed at least every six months. Note that more recent NIST guidance (SP 800-63B) favors longer passwords screened against known-breached lists, with a forced change when compromise is suspected, over composition rules and routine rotation on a calendar; whichever policy you adopt, pair it with screen locks and, where the software supports it, multifactor authentication.

3. Obtain asset protection


It's unrealistic for a small to midsize practice to be 100% compliant and protected. You need to spend your resources running your practice, not dealing with HIPAA compliance. However, you can obtain data breach coverage (which usually is not included in your general liability policy). Data breach coverage provides peace of mind in case a breach or audit occurs and helps provide financial indemnity so you can keep your practice operating smoothly. Keep in mind that insurance transfers the financial risk of a breach; it does nothing to make one less likely, so it complements the safeguards above rather than replacing them.

Placing all the HIPAA compliance burden on your IT professional is not only misguided, but also potentially harmful. The only way to successfully meet all of HIPAA's safeguards and adequately protect your practice is to designate a leader in your office. This person should identify all key requirements, work with a team of experts to address your practice's key vulnerabilities, and define roles and responsibilities to correct them.

There are simple, inexpensive steps you can take today.

Jeff Broudy is the founder and CEO of PCIHIPAA, which offers HIPAA compliance and data security solutions to small and midsized medical and dental practices. Take its HIPAA risk assessment.

The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
