You might think you’ve done everything that needs to be done for your organization to be HIPAA-compliant. And you may be right. But you should never stop evaluating, updating and documenting your HIPAA compliance activities. Rules have been clarified, and new rules have been implemented. And what’s more, technology has changed — a lot!
Now is a great time for HIPAA refresher training. The law is tripping up all kinds of employers. This month, various news outlets have reported that AOL CEO Tim Armstrong may have violated HIPAA regs by sharing private health information during a conference call. He mentioned that two AOL employees had babies who required expensive medical care. Johnson said the high cost of treatment for those newborns affected the company's decision to make cuts to its 401(k) plan.
How can employers make sure they're not saying too much? What are some best practices for HIPAA compliance in general? The following basic tips will help ensure that your HIPAA compliance is up-to-date and accounts for the myriad changes in technology and information facing your business.
HIPAA Refresher Training: Back to Basics
To kick off your HIPAA compliance refresher, start by reviewing your basic compliance obligations, including:
1. Determine whether you are a covered entity under HIPAA. CMS has published a decision tool to help you make this determination.
2. Appoint a privacy officer and a security officer, if appropriate.
3. Analyze and document all types of protected health information (PHI) and e-PHI and assess potential risk to this information.
4. Maintain, review and update policies and procedures, including the notice of privacy practices. (We think Tim Armstrong could have benefited from this tip!) HHS has recently published updated Notices that are compliant with the recent Omnibus Rule including a Notice that is specifically intended for use by a Health Plan as opposed to a Health Provider.
5. Identify employees with access or who may get exposed to PHI and train them on policies and procedures at least once a year.
6. If you engage a business associate, make certain you have a business associate agreement in place. Make sure that the business associate agreement addresses security issues, as well as breach notification issues.
7. Develop processes and procedures to identify a breach, notify affected individuals, and maintain a breach log.
Best Practices for Protecting Your Data
Above all, protect your data. Look for changes in technology (smart phones, tablets, and other portable devices) since your last HIPAA compliance review. Make sure:
1. All data that contains PHI is transmitted and stored in accordance with HIPAA standards and transmitted over a secure connection. Data encryption is vital for laptops, tablets, and other portable devices. When retiring hard drives, backup media, or tapes, make sure to use a service that certifies permanent destruction.
2. Keep business associate agreements current, and always include provisions for subcontractors in your agreements. With the recent passage of the HIPAA Omnibus Rule, Business Associate agreements should have been updated by September 23, 2013. However, any BA Agreement that were in place (and compliant) as of January 25, 2013 and not modified after March 26, 2013, must be updated prior to September 23, 2014. HHS has published updated Business Associate provisions.
3. Enforce a password policy that includes regular password changes and requires complex passwords containing a mix of numbers, characters, and letters.
4. Conduct regular audits of electronic access and inform employees of your intention to do so.
5. Lock up any papers and documents containing PHI or other sensitive data. Sensitive records should be printed only when absolutely necessary and only by those who need them. Paper records containing PHI should never be thrown out; they should be destroyed in accordance with HHS standards.
6. Develop a breach response plan that outlines how you will respond to a suspected or actual privacy or security breach.
7. Clearly communicate your expectations and requirements with regard to laptops and portable devices or any device that will connect to a location where ePHI data are located.
8. Make sure devices that connect to your network (including mobile devices and phones) have appropriate patches and protection installed; many breaches can be prevented by basic patching.
Finally, please note that, in addition to updating existing BA Agreements, there is another HIPAA deadline approaching in 2014. Health Plans (other than small health plans) must register for, and obtain, their unique Health Plan Identifier (HPID) by November 5, 2014. Small plans have until November 5, 2015. Click here for additional information about the HPID process.
These checklists are for basic informational purposes only and should not be considered a complete description of your organization’s requirements under HIPAA. Please consult appropriate legal counsel or your HNI Relationship Manager for a more complete review of your rights and responsibilities under HIPAA.
DISCLAIMER: We hope this blog post gave you an "Aha!" moment, but please don't hold it as legal or tax advice. This information is general in nature, and your specific situation deserves attention from a dedicated legal or tax advisor.