A failure to understand HIPAA requirements can be a very costly mistake, as CardioNet learned just a couple of months ago. In April, the wireless health services provider agreed to a $2.5 million settlement for potential noncompliance with the HIPAA Privacy and Security Rules. (1) The violation occurred when a company laptop containing the ePHI of 1,391 individuals was stolen from an employee's vehicle parked outside the employee's home. The Office for Civil Rights (OCR) investigation found that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. In addition, the company's policies and procedures implementing the HIPAA Security Rule standards were still in draft form and had not been put into practice. CardioNet was also unable to produce any final policies or procedures on safeguards for ePHI, including safeguards for mobile devices. (1)
“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.” (1)
Most HIPAA violations can be prevented by building the HIPAA rules into practice policies and procedures and by ensuring that everyone with access to patient information receives proper training. Below are ten best practices for keeping your practice HIPAA compliant.
10 Best Practices for HIPAA Compliance
- Implement safeguards such as unique user logins, password-protected access, and encryption on every computer, laptop, and mobile device that stores or accesses patient-specific information. Encryption of data at rest matters most on portable devices: under HHS guidance, ePHI encrypted to the specified standard is not "unsecured PHI", so a lost or stolen encrypted laptop generally does not trigger breach notification, whereas a login password alone offers no such protection.
- Keep all patient paperwork, charts, and records locked away and out of public view. Never leave patient information out or unattended.
- Close and log out of programs containing patient information when they are not in use, and configure workstations to lock automatically after a short period of inactivity. Never share passwords between employees; each user needs a unique login so that every access to ePHI can be traced to an individual.
- Ensure all computers have anti-virus software installed and kept up to date, and apply operating system and application security patches promptly. This helps guard a practice against malicious software.
- Limit emailing PHI when the information can be sent another way, and encrypt it when email is unavoidable. When faxing PHI, always use a cover sheet and confirm the recipient's fax number before sending.
- Always dispose of information containing PHI properly: shred paper files, and securely wipe or physically destroy hard drives and other storage media before disposal or reuse.
- Make sure employees understand that sharing patient information on social media is a violation of HIPAA.
- If patient information is accessed from home, ensure every home computer and laptop used for it is password protected and, because such devices are as easy to lose or steal as the laptop in the CardioNet case, has full-disk encryption enabled.
- Back up all disks and drives that contain PHI, and keep the backups encrypted. If patient information is stored with a cloud provider, execute a Business Associate Agreement with the provider first; HHS does not certify cloud services as "HIPAA compliant", so the BAA and the provider's safeguards are what make the arrangement compliant.
- Compliance training is one of the simplest ways to avoid a violation. Provide ongoing, up-to-date training on the handling of PHI for all employees, and document who completed it and when.
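The laptop and home-computer items above come down to one verifiable fact: is every filesystem that can hold ePHI actually on an encrypted disk? The script below is an added example, not part of the original article or any CardioNet procedure. It assumes Linux laptops using dm-crypt/LUKS, reads the real JSON output of `lsblk -J` (util-linux), and flags any mounted filesystem with no encrypted ancestor; the two device trees embedded in it are constructed samples, one compliant and one with an unencrypted /home.

```python
"""Fleet check: every data-bearing mount on a laptop must sit on an
encrypted (dm-crypt/LUKS) block device.

Added example. Parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT`
actually emits; the sample trees at the bottom are constructed."""
import json
import shutil
import subprocess

# Boot partitions hold no patient data and are normally left in the clear.
# Swap is deliberately NOT exempt: an unencrypted swap partition can hold
# pages of whatever ePHI was in memory.
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}


def _mountpoints(node):
    """Mountpoints of one lsblk node; handles the older singular
    'mountpoint' key and the newer 'mountpoints' list."""
    mps = node.get("mountpoints")
    if mps is None:
        mp = node.get("mountpoint")
        mps = [mp] if mp else []
    return [m for m in mps if m]


def unencrypted_mounts(lsblk_json):
    """Walk the lsblk device tree and return a sorted list of
    (mountpoint, device) pairs whose filesystem has no 'crypt' ancestor."""
    findings = []

    def walk(node, under_crypt):
        crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not crypt and mp not in EXEMPT_MOUNTS:
                findings.append((mp, node.get("name", "?")))
        for child in node.get("children", []):
            walk(child, crypt)

    for dev in lsblk_json.get("blockdevices", []):
        walk(dev, False)
    return sorted(findings)


def check_host():
    """Run lsblk on this machine and return its findings (Linux only)."""
    if shutil.which("lsblk") is None:
        raise RuntimeError("lsblk not found; run on a Linux host")
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(json.loads(out))


# Constructed sample: LUKS container holding LVM volumes for / and /home.
ENCRYPTED_LAPTOP = {"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}

# Constructed sample: root is encrypted, but /home (where downloaded
# records end up) is a plain partition.  Uses the newer 'mountpoints' key.
PLAIN_HOME_LAPTOP = {"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
        {"name": "sda3", "type": "part", "mountpoints": ["/home"]}]}]}


if __name__ == "__main__":
    for label, tree in (("encrypted sample", ENCRYPTED_LAPTOP),
                        ("plain /home sample", PLAIN_HOME_LAPTOP)):
        print(label, "->", unencrypted_mounts(tree) or "all data mounts encrypted")
    try:
        print("this host ->", check_host() or "all data mounts encrypted")
    except (RuntimeError, subprocess.CalledProcessError) as exc:
        print("skipped host check:", exc)
```

Run it from an endpoint-management job and treat any non-empty result as a finding to fix before the device leaves the building; on Windows or macOS the same question is answered by the BitLocker and FileVault status commands rather than lsblk.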