HIPAA Best Practices for Medical Offices

The Health Insurance Portability and Accountability Act (HIPAA) made sweeping changes to the way medical professionals do business.

The HIPAA Privacy Rule was enacted to protect patient privacy. It restricts the use and disclosure of personally identifiable information (protected health information or PHI).

Under HIPAA, the medical practitioner is bound to make practical efforts to use, disclose and request only the minimum necessary amount of PHI required for any particular task.

The Privacy Rule also allows patients rights over their health information and the right to access their own medical records.

This is serious business, and those found violating HIPAA rules may find it a costly mistake. Here is a list of HIPAA best practices for medical offices, along with ideas as to how having an IT professional on your side can be a huge benefit.

HIPAA BEST PRACTICES

• Be sure to incorporate provisions such as password protected authorization and encryption on all computers, laptops, and devices which have access to patient-specific private information. Learn more about protecting in-house data.  All desktop computers and devices should have updated anti-virus software installed, and your office systems should have adequate firewall protection.  If patient information is accessed from home devices should also be protected by anti-virus software; while all mobile devices used outside of the office should employ a VPN (Virtual Private Network) as well.
• Store all patient charts, related paperwork, and medical records in an area which is not accessible to the public, in a locked cabinet or room.  Train your staff to never leave patient information out on a desk, unattended, or in an area which can be accessed by an unauthorized person. Laying a file on the front desk while you get a cup of coffee could be a costly mistake!
• Back up all disks that contain PHI, and secure physical backups.  The best practice is likely to store patients’ information in a HIPAA compliant cloud server, so the data is safe and secure – offsite, private, and readily accessible.
• Employees should each have a unique password, and these should never be shared.
  Any programs accessing patient information should be closed and logged out of when not in use – even for a short period of time.
• E-mailing protected health information should be avoided if possible, especially if the information can be sent another way. If it is necessary to fax PHI, use a cover sheet. Social media should never be used to share patient information.
• All files containing personal health information (PHI) should be properly disposed of. Paper files should always be shredded, never simply thrown out.

The best way to avoid a compliance issue with HIPAA is to train all employees in compliance and make it a part of your office culture.

Your HIPAA best practices should include continued and regular training for every employee.

If you need help assessing your current IT environment, need recommendations as to the best way to secure your data, or would like to explore the best ways to ensure that your IT procedures are HIPAA compliant, call the experts at Alliance IT.

From securing your data in the cloud to setting up a firewall and VPN, you can trust us to protect your medical practice.