The Health Insurance Portability and Accountability Act (HIPAA) was signed into law more than two decades ago, but the education process is continuous. There were 10 HIPAA settlements and civil money penalties in 2019, totaling more than $12 million.
The privacy and security regulations are complicated and keep changing, and not knowing the rules is no excuse in the eyes of the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the agency that enforces them.
Here’s what you need to know about HIPAA in 2020, and your up-to-date compliance checklist.
The HIPAA Timeline
Here’s a recap of healthcare IT laws and updates that began on August 21, 1996, when HIPAA was signed into law.
April 14, 2003: HIPAA Privacy Rule – Following the passage of HIPAA, HHS issued the Privacy Rule (this is its compliance date for most covered entities). It set standards for the use and disclosure of protected health information (PHI) by health plans, health care clearinghouses, and health care providers.
April 20, 2005: HIPAA Security Rule – The Security Rule (compliance date for most covered entities) requires three categories of safeguards for electronic protected health information (ePHI): administrative, physical and technical.
March 2006: Enforcement Rule – After widespread non-compliance, the Enforcement Rule set out the investigation procedures and civil money penalties under which HHS, acting through OCR (not the ONC), would begin fining covered entities for violations.
February 17, 2009: Health Information Technology for Economic and Clinical Health Act (HITECH) – HITECH strengthened HIPAA's privacy and security requirements, applied the Security Rule directly to business associates, and funded billions of dollars in incentives to promote the adoption of electronic health records (EHR).
2009/2010: Meaningful Use Incentive Program – Stimulus money paid healthcare organizations to adopt certified EHR technology and demonstrate meaningful use, which includes conducting a security risk analysis of their ePHI.
September 23, 2009: Breach Notification Rule – This stipulated that a breach of unsecured PHI affecting 500 or more individuals must be reported to HHS (and to the affected individuals and, in some cases, the media) without unreasonable delay and no later than 60 calendar days after discovery; smaller breaches are logged and reported to HHS annually.
March 26, 2013: HIPAA Omnibus Final Rule – This rule filled in gaps between HIPAA and HITECH: for example, it made business associates and their subcontractors directly liable for compliance and replaced the old "risk of harm" test with a presumption that any impermissible disclosure is a breach unless a risk assessment shows a low probability that the PHI was compromised.
2019/2020 Update: Despite speculation, there has been no major HIPAA rulemaking since the 2013 Omnibus Rule. However, in December 2018 OCR issued a request for information on how the HIPAA rules could be modified; comments closed in February 2019, so expect changes based on that feedback in the coming years.
1) Password protect and encrypt all ePHI
Electronic protected health information (ePHI) isn't just test results and medical records. It is any individually identifiable health information stored or transmitted electronically, including a patient's name, address, phone number, birthdate, Social Security number, photographs and more. Keep ALL ePHI confidential and secure to avoid HIPAA fines and penalties.
You wouldn't leave an open file on your desk where anyone could read it, and you cannot leave electronic records open to snooping either. Keep ePHI only on systems that require a login and have disk encryption turned on. A password alone does nothing for a laptop or drive that walks out the door, because the disk can simply be read from another machine. Most operating systems have encryption built in, such as BitLocker on Windows or FileVault on macOS. Encryption also changes your breach obligations: under HHS guidance, ePHI encrypted in line with NIST recommendations is not "unsecured PHI," so a lost encrypted laptop (with the key not compromised) is not a reportable breach, while a lost unencrypted one is.
If you're using practice management software, make sure it's secure. For example, ClinicSource has built-in TLS (SSL) encryption, password protection and robust security auditing so all patient data is locked down.
2) Keep an offsite backup of electronic files
The Contingency Plan standard of the HIPAA Security Rule, part of its administrative safeguards (45 CFR 164.308(a)(7)), requires both a data backup plan and a disaster recovery plan. The specifications are very clear: you must be able to create and maintain "retrievable exact copies of electronic protected health information" and to restore any loss of data. In practice that means copies stored off-site, away from whatever disaster could destroy the originals, plus regular restore drills that prove the copies can actually be recovered. Non-compliance penalties can reach $1.5 million per year (inflation-adjusted) for each provision violated.
There are services that offer remote data storage and backup. Whichever service you choose must encrypt data before it leaves your office, and you need a BAA with that service (see item 3).
ClinicSource handles all encryption and backup functions automatically and securely, with multiple data centers where ePHI is always safe and recoverable.
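Two checks a practitioner wants before trusting any backup are "is every copy byte-for-byte exact?" and "can I actually restore it?" The script below is an added example, not ClinicSource code or anything from the original article: it copies a small tree of constructed (fictitious) patient files to an "off-site" directory, records a SHA-256 manifest taken from the originals, verifies the copies against it, runs a restore drill, and then shows how a corrupted and a missing file are reported. Encryption before the data leaves the office is assumed to be handled by the transport or storage tool and is not shown here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample ePHI files (fictitious content) used only for the demo.
SAMPLE_FILES = {
    "patients/0001/eval.txt": "Patient: Jane Doe (fictitious)\nEval: initial assessment\n",
    "patients/0001/notes.txt": "Session 1 notes (fictitious)\n",
    "billing/claims.csv": "claim_id,amount\n1001,120.00\n",
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records never load fully into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the source tree into dest/data and store a manifest computed from the SOURCE."""
    shutil.copytree(source, dest / "data", dirs_exist_ok=True)
    manifest = build_manifest(source)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Compare stored copies with the manifest. An empty list means exact copies."""
    expected = json.loads((dest / "manifest.json").read_text())
    actual = build_manifest(dest / "data")
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"corrupted: {rel}" for rel, d in expected.items()
                 if rel in actual and actual[rel] != d]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return sorted(problems)


def restore_and_check(dest: Path, target: Path) -> bool:
    """Restore drill: copy the backup back out and prove the result matches the manifest."""
    shutil.copytree(dest / "data", target, dirs_exist_ok=True)
    expected = json.loads((dest / "manifest.json").read_text())
    return build_manifest(target) == expected


def demo() -> dict:
    """Run the full cycle in a temp dir, including simulated damage to the off-site copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest, restore = Path(tmp, "clinic"), Path(tmp, "offsite"), Path(tmp, "restore")
        for rel, text in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)
        make_backup(source, dest)
        clean = verify_backup(dest)
        restored_ok = restore_and_check(dest, restore)
        # Simulate bit rot / a truncated upload and a file that never arrived.
        (dest / "data" / "patients/0001/eval.txt").write_text("")
        (dest / "data" / "billing" / "claims.csv").unlink()
        damaged = verify_backup(dest)
    return {"clean": clean, "restored_ok": restored_ok, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is deliberately computed from the originals, not from the copies, so a file that was damaged during transfer fails verification instead of being "certified" by its own corrupted hash. Keep the manifest with the backup, and run the restore drill on a schedule rather than only after an incident.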
3) Have a BAA in place with all vendors that handle your ePHI
A Business Associate Agreement (BAA) is a contract between a covered entity (such as your clinic) and a business associate (for example, a vendor that stores, processes or transmits PHI on your behalf) that obligates the vendor to safeguard protected health information in accordance with HIPAA.
“I keep my patient records in the cloud on Google Drive, that’s ok, right?”
Unless you have a signed BAA that covers that service, you are in violation. Google offers a BAA only for its paid Google Workspace accounts, not for consumer Gmail or Drive. A current Business Associate Agreement must be in place with every external party that hosts or can access your ePHI.
If you don't have a BAA in place, reach out to the vendor and ask them to sign one. If your vendor is unwilling to sign a BAA for whatever reason, find a new vendor! If you don't have a standard BAA, HHS publishes sample business associate contract provisions, but your safest course is to deal with vendors who know how to protect you.
Clients who sign up with ClinicSource are provided with an executed BAA as part of their service agreement.
4) Don’t send ePHI via regular email
Scenario: You need to get an authorization for treatment.
As part of the process, you need to send a copy of the evaluation record to the referring physician for signature. Don't email it unless the evaluation file has been encrypted. How do you do that? Convert the file to a PDF and set an open (user) password on it, which encrypts the document (choose AES-256 where your PDF tool offers it), then give the physician the password over a separate channel such as a phone call, never in the same email. Use a long passphrase: a short PDF password can be brute-forced offline by anyone who intercepts the attachment. Note that a PDF with only an owner/permissions password is not protected at all; it opens without prompting.
With ClinicSource, any patient records, including evaluations, can be securely emailed directly from the software.
5) Maintain an audit trail
Without warning, OCR could open a HIPAA compliance audit of your ePHI policies and protocols. A large amount of documentation will be requested on short notice, and you need to be ready or you could face enormous financial penalties. Independent of any audit, the Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use ePHI.
You could set up your own audit policies and manually track precisely which therapists and back-office personnel access or modify records and when. That is risky, cumbersome and far from foolproof, and a log that the same staff can edit proves little to an investigator. Producing the required written reports on short notice could be a time-consuming nightmare that turns your clinic upside down.
Designed by therapists, ClinicSource was built from the ground up with complete auditing and reporting capabilities, so you always know who accessed what and when. In the event of an audit, you have access to robust reporting at the click of a button.
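What "who accessed what and when" looks like in code, and why a plain editable log is not enough: the example below is added here and is not ClinicSource code or anything from the original article. It keeps an append-only access log where each entry's SHA-256 hash also covers the previous entry's hash, so deleting, reordering or rewriting any past event breaks the chain and is detected; it then answers the auditor's question (every access to one patient record) with a filtered report. The staff names and record ids are constructed. In production the newest hash should be periodically copied somewhere the same users cannot write (a signed record shipped off-host), since someone with write access to the whole file could otherwise rebuild the chain from scratch.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first entry


class AuditLog:
    """Append-only ePHI access log protected by a SHA-256 hash chain.

    Each entry's hash covers its own fields plus the previous entry's hash, so
    editing, reordering or deleting any past event breaks every later link.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, record_id, when=None):
        """Append one event (who, what, which record, when) and return its hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": when, "user": user,
                 "action": action, "record": record_id, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return -1 if intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return i
            prev = entry["hash"]
        return -1

    def report(self, record_id=None, user=None):
        """Rows of (timestamp, user, action, record), filtered by record and/or user."""
        return [(e["ts"], e["user"], e["action"], e["record"]) for e in self.entries
                if (record_id is None or e["record"] == record_id)
                and (user is None or e["user"] == user)]


def demo():
    """Build a small log from constructed events, then show two tampering attempts."""
    log = AuditLog()
    # Constructed sample events: fictitious staff accounts and patient record ids.
    log.record("therapist.amy", "VIEW", "PT-0001", "2020-01-06T09:02:11+00:00")
    log.record("therapist.amy", "EDIT", "PT-0001", "2020-01-06T09:15:40+00:00")
    log.record("billing.raj", "VIEW", "PT-0001", "2020-01-06T10:01:03+00:00")
    log.record("therapist.amy", "VIEW", "PT-0002", "2020-01-06T11:20:00+00:00")
    intact = log.verify()                       # -1: chain is good
    rows = log.report(record_id="PT-0001")      # every access to one patient's record
    # Tampering 1: someone deletes the billing clerk's access to hide it.
    del log.entries[2]
    after_delete = log.verify()                 # chain breaks at index 2
    # Tampering 2: someone rewrites the EDIT as a harmless VIEW.
    log.entries[1]["action"] = "VIEW"
    after_edit = log.verify()                   # hash mismatch at index 1
    return {"intact": intact, "rows_for_pt0001": len(rows),
            "after_delete": after_delete, "after_edit": after_edit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is what you hand an auditor; the verify step is what lets you stand behind it. Timestamps here are supplied explicitly for reproducibility; a real system should take them from a trusted clock (in UTC, as the default does) rather than from the client.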
6) Use ONC–Certified Practice Management Software
The Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program tests and certifies health IT against the standards, implementation specifications and certification criteria adopted by the HHS Secretary.
It launched in 2010 to provide oversight and health IT developer accountability. The goal is to protect public health and safety while supporting providers and hospitals.
If your clinic is audited under the EHR Incentive Programs (renamed the Promoting Interoperability Programs in 2018), the Centers for Medicare & Medicaid Services (CMS) will ask what software you use and whether it is ONC-certified, because certified EHR technology is required to earn any incentive payment. Note that ONC certification is a condition of the incentive programs, not of HIPAA itself: OCR enforces the Privacy and Security Rules regardless of what software you run.
If you’re using an EHR/EMR, check to see if it’s ONC–certified. ClinicSource has been ONC-ACB certified since 2014. Read more about our certification here.
Avoid costly fines and criminal charges by protecting ePHI with an ONC-certified practice management system like ClinicSource. Encrypt and password-protect sensitive data, keep backups off-site and test that they restore, have BAAs in place with every vendor that touches ePHI, send secure communications and keep a tamper-resistant audit trail.
Schedule a Free Demo to learn more, or call (888) 215-4527.