By: Shimon Brathwaite
June 21, 2021
10 Tips For Being HIPAA Compliant
By: Shimon Brathwaite
June 21, 2021
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law that protects patients' privacy by prohibiting certain uses and disclosures of Personal Health Information (PHI). This is any health-related information that can be linked to any person. HIPAA affects any institution that collects, processes or stores PHI, even if it collects PHI on behalf of another company. Failure to comply with HIPAA regulations can result in heavy fines and potentially a suspension of your business. To help you understand your obligations, here are ten tips for being HIPAA compliant:
1) Always Receive Consent
You must always receive consent before collecting any PHI from your patients. This is important for HIPAA and any other privacy regulation. Modern-day privacy regulations want to ensure that people know when their information is being collected and its purpose. Therefore, it is best to obtain consent whether you collect the information in person or online. Make sure you inform the person of the reason why you are collecting the information.
2) Have The Proper Security Controls In Place
Another important aspect of HIPAA is ensuring that you have the appropriate security measures to protect any PHI that you collect. This includes encryption, password policies, access management, and technical controls such as firewalls to protect from intrusion from outside the company.
3) Keep PHI On A Need To Know Basis
PHI information should only be supplied to employees who need it to perform a legitimate business function. You must put the proper access controls to ensure that people are only given access to patient information on a need-to-know basis. Also, this should be audited periodically to ensure that if an employee were granted access to PHI but no longer needs the access, the employee's access to PHI would be removed quickly.
4) Audit Third Party Vendors
If you use any third-party vendors, you must make sure that they are compliant with HIPAA regulations. If you share any information covered under HIPAA with a third-party vendor, you are still responsible for handling that information per HIPAA regulations. You must receive confirmation and proof from your third-party vendors that they are handling the data properly.
5) Be Careful Storing Information In The Cloud
If you store information in the cloud, you need to make sure your cloud service provider is HIPAA compliant. This doesn't just mean technical security controls and access management but also protecting the physical server that your information is stored on. Many people forget that if the information is stored in the cloud, it is still a physical server that needs to be protected. One way people do this is to request live access to a camera feed of the server or, more simply, they request a list of people who have access to it and for what purpose.
6) Update All Software
The easiest way to protect against security vulnerabilities is by keeping software updating. Keeping all of your software updates will be much easier to pass security assessments and demonstrate due diligence to protect your patients' information.
7) Have Data Backups
You should keep regular backups of your patient's PHI and ensure that where it is being stored is secure and in compliance. Even if it is an offsite backup, it should be treated like any other system you own and kept in compliance with HIPAA regulations.
8) Training Your Employees
You should make sure that you train your employees on proper ways to handle HIPAA-sensitive information. The training should discuss disclosing PHI to other employees, locking sensitive documents, and shredding confidential information when it is no longer needed.
9) Use Physical Controls
Protecting electronic information should not be your primary focus. It is important that you also physically secure any documents that contain PHI with the proper locks and access controls.
10) Perform Security Testing
HIPAA requires that organizations test their security controls to prove that they are functioning and effective. Having a Red Team security testing done is always a good thing. This includes both a penetration test for emulating cyber threats and physical red team exercises to test physical security. Please see the full guide "HIPPA Security Rules Explained" under the HIPAA Security Rules section to learn more.