HIPAA Compliance: Advice for small to medium sized medical practices

By: Rick Juarez

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, made it easier for people to maintain their health insurance, but it also addressed the confidentiality and security of Personal Healthcare Information or PHI.

In spite of having been the law for 19 years, there are still a lot of questions regarding compliance. Securing a physical file is one thing, but with electronic records becoming the new normal, guaranteeing compliance has become more complex. With penalties ranging from $100 to $50,000 per violation, practices that are not proactive about HIPAA compliance are at risk.

Here is a high level overview of what your practice should be doing at a minimum:

1. Access Control – Access to records should be role based, meaning that only those employees who have a legitimate reason to access PHI are given access. That access should be password protected, with policies in place requiring passwords to be changed frequently.
2. Physical Access – Care should be taken to limit access to physical files and computers. Doors to communications closets should be locked, with access limited to only those employees who need to work on those systems.
3. Documentation – Processes and procedures need to be carefully documented, and training provided, so that everyone fully understands the rules and what is at stake for even an inadvertent violation.
4. Disaster Recovery and Contingency Planning – The practice needs to plan and document the process for backing up records and establish a recovery plan, with a well-planned infrastructure and secured offsite replication of those records.
5. Battery Backups for Networks – Offices need to have batteries or Uninterruptible Power Supplies in place to protect the network from power failures. Data centers have this covered, but local resources are also important.
6. HIPAA Audits – To protect the practice, policies and procedures should be reviewed and updated regularly. Audits should be performed on a yearly basis to benchmark the practice's performance against the standard.

Remember that any and all breaches of PHI or security require notifying the patients affected and notifying the Secretary of Health and Human Services, and if the breach affects more than 500 people in one state, the media must be notified as well.

With fines that can reach as much as $1.5 Million per violation, medical practices and their vendors need to stay up to date with HIPAA compliance. If your medical practice's IT vendor does not offer HIPAA Audits with full documentation, you need to question why, or find one that does. Your practice may just depend on it.
