
How to Stay HIPAA-Compliant

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), every covered entity and business associate that handles protected health information (PHI) must follow a specific set of federal regulations.

These regulations cover a lot of ground, including workforce training, physical security, access controls, and cybersecurity safeguards. If your organization is found to be negligent or suffers a data breach, the financial and legal penalties can be hefty. You can also lose patient trust and your reputation.

Important HIPAA Rules You Should Know

Compliance with HIPAA mainly concerns these four different rules:

  • Privacy Rule: Defines how protected health information (PHI) should be used and disclosed by the covered entity.
  • Security Rule: This includes all physical, technical, and administrative safeguard standards you must apply to secure PHI.
  • Breach Notification Rule: Consists of guidelines on how you should report data breaches, who to inform, and when to do it.
  • Omnibus Rule: The 2013 update that, among other changes, made business associates directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule, and defined how they may use and disclose PHI.

There’s also the HIPAA Enforcement Rule, which sets out how OCR investigates complaints and conducts compliance reviews, and the civil money penalties that can follow a violation.

HIPAA Compliance Checklist

Once you understand the main HIPAA rules, you can see what you need to do to comply. We’ve summarized the key compliance steps for you below:

1. Assess Risks Annually.

Performing a risk analysis with a HIPAA consulting expert lets you pinpoint where your safeguards are lacking. It also gives you a chance to review your privacy policies, find outdated technology, and confirm that your compliance program is on track.

Risk analysis is more than a recommendation: the Security Rule requires it, and requires that it be repeated and updated as your environment changes. An annual cycle is a reasonable baseline, with an additional review after any major change such as a new EHR system, a new vendor, or a breach. You can use the Security Risk Assessment (SRA) Tool, released jointly by the HHS Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR), to perform it. If your organization is larger or has the means, having an experienced consultant perform the analysis is still the better option.

2. Do Frequent Testing of Cybersecurity Measures.

Information technology has changed rapidly over the past decade, and so have the methods attackers use to reach protected data. An attack on your systems can come at any time, so strong cybersecurity measures are a must.

One way to stay ahead is to have penetration tests performed regularly and to fix what they find. Keep your firewall rules and encryption configuration current, scan for known vulnerabilities, and patch as many of them as possible, prioritizing anything exposed to the internet or anything that touches ePHI.

3. Conduct Regular HIPAA Compliance Training.

Contrary to expectations, HIPAA violations happen more often because of internal mistakes and misconduct by employees who handle PHI than because of outside attackers. Some may gossip about sensitive patient information outside work hours or in the presence of staff who have no role in the patient’s care. Others might disclose information without the required written authorization.

Conducting regular training for your employees ensures that they don’t forget the policies you set. Workforce training for these protocols is also part of HIPAA requirements.

Note that training may vary depending on the industry. For example, you might need specialized dentistry HIPAA training if you’re in the field of dental care.

4. Review Business Associate Agreements.

If you need to disclose or share protected health information with a third-party partner, you must first enter into a business associate agreement (BAA) with them. The BAA spells out the permissible uses and disclosures of PHI by your business associate, requires them to apply appropriate safeguards and to report breaches and security incidents to you, and states how they must return or destroy the PHI when the agreement ends.

5. Establish Detailed Documentation Practices.

To ensure HIPAA compliance, meticulous documentation is key. This involves keeping records of policy and procedure revisions, tracking attendance at compliance training sessions, and recording all entities with whom PHI is shared.

These documents would be handy in the event your company is selected for an OCR audit. They will ask for these records, including any possible incidents of data mishandling, to check whether you have violated any rules under HIPAA.

Aside from external audits, keeping records of your HIPAA compliance plan also gives room for analysis. You can look at these records to identify security gaps, to which you can quickly respond due to early detection.

6. Report Any PHI-Related Breaches Immediately.

The HIPAA Breach Notification Rule requires you to report breaches of unsecured PHI without unreasonable delay. Specifically, your organization must:

  • Notify each affected individual without unreasonable delay, and no later than 60 days after discovering the breach;
  • Notify the Secretary of Health and Human Services within that same 60-day window if the breach affects 500 or more individuals; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered;
  • Notify prominent media outlets serving the affected state or jurisdiction if the breach affects more than 500 residents of that state or jurisdiction.

Aside from the report, you must document how you responded to the breach. Be as detailed as possible with the documentation.

The OCR will conduct an investigation should a breach occur. Present what you found in your own investigation so that the matter can be resolved as quickly as possible.

Consult With the Experts

Staying compliant with HIPAA is a challenging feat, especially as the technology that stores and moves protected health information keeps changing. If your organization is selected for an OCR audit or becomes the subject of a complaint, any violation found can lead to a corrective action plan or civil money penalties.

At Physician’s Resource, we offer comprehensive HIPAA compliance consulting. Our experts can help you identify the vulnerabilities and gaps in your current HIPAA practices, and then help you close them.

Let’s discuss your HIPAA plans and ensure you stay compliant in the future. Give us a call at 1-800-615-1729, and our team of specialists will be ready to assist you.


What Counts as Protected Health Information (PHI)?

Protecting sensitive patient information has become more important than ever due to recent IT advancements and associated risks such as hacking and malware.

Massive penalties await healthcare organizations like yours if the protected health information (PHI) you handle is breached and leaked. In addition to seeking HIPAA compliance consulting, proactively knowing what counts as PHI is a crucial matter that deserves your full attention.

What Is Protected Health Information?

As defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), protected health information refers to any information that:

  • Concerns the health status of an individual, such as their health records;
  • Is created, received, maintained, or transmitted by a covered entity or its business associates;
  • And can be traced back to and associated with an individual patient.

In practice, PHI is individually identifiable information, including demographic data, insurance details, and medical history, that is collected and used in the course of providing or paying for an individual’s healthcare.

If stored, managed, and/or transmitted using electronic means, this information is referred to as electronic PHI (ePHI). This includes all PHI stored on external hard drives, removable storage media, personal computers, cloud systems, and more.

Why Is It Important to Secure Protected Health Information?

HIPAA-related data breaches come with hefty fines. Civil penalties per violation range from $100 to $50,000 depending on the level of culpability; a violation caused by willful neglect that is not corrected within 30 days starts at $50,000. The annual cap for violations of an identical provision is $1.5 million. These are the statutory amounts; HHS adjusts them upward for inflation each year.

Because PHI can be linked to a specific person, a leak to someone with malicious intent can have serious consequences, including identity theft, stigma, discrimination, and embarrassment.

That’s why covered entities and their business associates must limit access to PHI to the workforce members who need it for the patient’s care or for the organization’s payment and operations, and must limit each use or disclosure to the minimum necessary for its purpose.

According to the law, covered entities include health plans, healthcare providers, and healthcare clearinghouses. They may work with business associates, which are service providers that may need access to PHI.

18 PHI Identifiers Under HIPAA

HIPAA’s Privacy Rule lists eighteen (18) identifiers that covered entities must pay particular attention to. Each of them can identify a person, and health information that contains any of them (or that the covered entity knows could still identify the individual) is considered PHI.

  • Name
  • Geographic subdivisions smaller than a state, such as street address, city, county, and ZIP code (the first three ZIP digits may be kept when the area they cover has more than 20,000 people)
  • All elements of dates (except the year) directly related to an individual, such as birth date, admission and discharge dates, and date of death, as well as all ages over 89 and any date element that would reveal such an age
  • Phone number(s)
  • Fax number(s)
  • Email address
  • Social Security number
  • Medical record number(s)
  • Health plan beneficiary number
  • Account number(s)
  • Certificate or license number(s)
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URL(s)
  • IP addresses
  • Biometric data, including retinal, finger, and voice prints
  • Full-face photographs and any comparable images
  • Other unique identifying numbers, characteristics, or codes that can be linked to an individual

Health information that contains even one of these 18 identifiers is considered identifiable, and therefore PHI, regardless of the channel it moves through.

Covered entities must be very careful when handling PHI, especially when it can appear on common documents and channels like the following:

  • Emails
  • Health-related examination results, such as MRI scans and blood tests
  • Phone and fax history
  • Appointment records
  • Billing details

What Is Not Considered PHI?

Technically, health information that carries none of the 18 identifiers above is not PHI, because it cannot be traced back to the individual who received care. The HIPAA Privacy Rule adds a “no actual knowledge” condition: the covered entity must not know that the remaining information could still identify the individual.

Health information about people who have been deceased for more than 50 years is also no longer PHI.

If you want to use existing PHI for purposes such as research or marketing without the patient’s authorization, you must first de-identify it. The Privacy Rule recognizes two methods. Under the Safe Harbor method, you remove all 18 identifiers and have no actual knowledge that what remains could identify the individual. Under the Expert Determination method, a qualified expert with appropriate statistical and scientific knowledge applies accepted principles and documents that the risk of re-identification is very small.

Whichever method you use, document it. If you keep a re-identification code so that records can be linked back later, the code must not be derived from the identifiers themselves, and it must not be disclosed along with the data.
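The Safe Harbor rules above are mechanical enough to encode. The following Python script is an added example written for this page, not code from Physician’s Resource or from HHS; it applies the Safe Harbor method to a flat patient record and also answers the earlier question of whether a record is “identified” by listing the identifiers it still carries. The field names (mrn, note, admission_date and so on) and the sample record are assumptions constructed for the example; dates are ISO YYYY-MM-DD strings. The list of low-population three-digit ZIP prefixes is the one published in HHS’s Safe Harbor guidance (based on 2000 Census data) and should be checked against the current guidance before use.

```python
"""Safe Harbor de-identification of a flat patient record (added example).

Field names such as "mrn" or "note" are assumptions about a record layout,
not a standard. Dates are ISO strings (YYYY-MM-DD). Standard library only.
"""
import re
from datetime import date

# Record fields that hold one of the 18 identifiers outright (assumed field names).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})
# Dates directly related to the individual: Safe Harbor keeps only the year.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "date_of_death"})

# Three-digit ZIP prefixes that HHS's Safe Harbor guidance (2000 Census figures)
# lists as containing 20,000 or fewer people; they must be replaced with "000".
# Confirm against the current HHS guidance before relying on this list.
LOW_POPULATION_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifier-shaped strings that a field list will not catch inside free text.
# Order matters: the SSN pattern runs before the looser phone pattern.
FREE_TEXT_PATTERNS = (
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
)

AS_OF = date(2024, 1, 15)  # reference date used to compute ages in the sample

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "dob": "1931-04-12",
    "zip": "97201",
    "state": "OR",
    "admission_date": "2023-11-03",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt's daughter can be reached at (503) 555-0100 or jdoe@example.org; "
            "follow-up 11/17/2023.",
}


def generalize_zip(zip_code) -> str:
    """Keep the first three ZIP digits, or none for a low-population prefix."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with a typed marker."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[REDACTED:{label}]", text)
    return text


def age_on(dob: str, as_of: date) -> int:
    """Whole years between an ISO birth date and the reference date."""
    born = date.fromisoformat(dob)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def find_identifiers(record: dict) -> list:
    """List the Safe Harbor identifiers a record still carries (empty list means none found)."""
    found = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS and value:
            found.append(key)
        elif key in DATE_FIELDS and isinstance(value, str):  # a bare year is an int here
            found.append(key)
        elif key == "zip" and len(str(value)) > 3:
            found.append(key)
        elif isinstance(value, str):
            found.extend(f"{key}:{label}" for label, p in FREE_TEXT_PATTERNS if p.search(value))
    return found


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor rules to one record and return a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = date.fromisoformat(value).year
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # Ages over 89, and any date that would reveal one, must collapse to "90+".
    if record.get("dob"):
        age = age_on(record["dob"], as_of)
    elif record.get("age") is not None:
        age = int(record["age"])
    else:
        age = None
    if age is not None:
        if age > 89:
            out.pop("dob", None)  # even the birth year alone would reveal an age over 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD))
```

Two caveats a practitioner would want: the regular expressions catch identifier-shaped strings (phone numbers, email addresses, SSNs, IP addresses, dates) in free text, but they do not catch names, employers, or rare conditions mentioned in a clinical note, so free-text fields still need human review or a purpose-built NLP de-identifier. And a record that passes find_identifiers may still be re-identifiable from the combination of the fields that remain, which is exactly the risk the Expert Determination method exists to measure.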

Keeping PHI Secure

The HIPAA Security Rule requires every covered entity and business associate to protect the confidentiality, integrity, and availability of electronic PHI. Its standards fall into three categories of safeguards:

  • Administrative safeguards, including the policies and procedures that govern access to PHI, risk analysis, and workforce HIPAA training
  • Physical safeguards, such as controls over the facilities, workstations, and media where ePHI is stored
  • Technical safeguards, including access controls, audit logging, encryption, and secure transmission of ePHI

At Physician’s Resource, your reliable HIPAA consulting provider, we understand how challenging it is for any healthcare and insurance provider to keep up with these safeguards. With our experience in digital security and compliance, we’re here to help—both in securing PHI and in Oregon HIPAA audit protection.

Together with our experts, let’s make sure you keep your PHI secure and minimize the risk of a HIPAA violation. That way you avoid the legal and financial penalties and the reputational damage that follow one, and, more importantly, you protect the privacy and security of your patients.

Call us at 1-800-615-1729 today and talk with our veteran compliance specialists for HIPAA audit help.


Common Ways You May Be Violating HIPAA

Many organizations in the healthcare industry, perhaps including yours, are violating HIPAA regulations in one way or another without realizing it. If the Office for Civil Rights finds these violations during an audit or investigation, you’re in for hefty penalties, both legal and financial.

HIPAA requirements can be hard to keep up with, and the ways they get violated in practice keep shifting with the technology. HIPAA compliance consulting helps you avoid these mistakes, but knowing what you might be neglecting lets you be more proactive.

1. Lack of Proper HIPAA Training

As a covered entity, training your employees on the various standards, regulations, and policies required by HIPAA is a must. This ensures that they don’t mishandle protected health information. In fact, medical HIPAA training for your workforce isn’t just recommended—it’s mandated by the law.

2. Leaving Records Unsecured

Even with HIPAA training in place, staff may still fail to follow set protocols. For example, they might leave paper files lying on a desk when those files should have been locked in a secure filing cabinet.

For electronic PHI (ePHI), each user needs a unique account and authentication, access should be limited to what the person’s role requires, and the data should be encrypted at rest. When you share ePHI with other parties, use an encrypted channel (for example TLS for web portals and email gateways, or SFTP for file transfer) rather than plain email or unencrypted FTP.

Encryption is an “addressable” specification under the Security Rule, which does not make it optional: you must either implement it or document why it is not reasonable and appropriate for you and what equivalent measure you use instead. Neglecting these technical safeguards is a direct HIPAA violation. There is also a practical payoff: PHI encrypted in line with HHS guidance counts as “secured,” so a lost encrypted laptop is not a reportable breach, while a lost unencrypted one usually is.

State law may go further. Washington, for instance, has its own data breach notification law that covers medical and health insurance information, so check state requirements on top of the federal standards to minimize the risk of violations.

3. Gossiping About Protected Health Information

Discussing PHI in person in the presence of unrelated personnel constitutes another HIPAA violation, whether unintentional or not. Unless there is collaboration for a patient’s treatment, PHI must only be shared with staff directly involved with the patient’s healthcare. Even these collaboration talks must be kept behind closed doors.

4. Being Unprepared for Cyberattacks

There’s no telling when a cyberattack, such as a targeted intrusion or a malware or ransomware infection, will hit. Attackers can use protected information for crimes like identity theft, so healthcare providers must defend against them vigorously.

Ensuring that your digital systems are always ready for such cases is another requirement of HIPAA. This falls under the technical safeguard requirements of the HIPAA Security Rule, which states how you should protect sensitive patient data.

To prevent this kind of HIPAA violation, strengthening your cybersecurity measures comes first. Here are a few basic ways to do it:

  • Keep your operating systems, applications, and networked medical devices patched and up to date.
  • Use firewalls with rules that permit only the traffic your practice actually needs.
  • Require strong, unique passwords and multi-factor authentication; current NIST guidance (SP 800-63B) favors changing passwords when compromise is suspected rather than on a fixed schedule.
  • Encrypt your ePHI at rest and in transit, and keep tested backups that are kept offline or otherwise isolated so that ransomware cannot destroy your only copy.

Some healthcare providers contract with expert IT firms to safeguard their ePHI. If you choose to follow suit, you must sign a business associate agreement with the service provider, which should outline how they must keep ePHI private and interact with it.

5. Third-Party PHI Disclosure

You should only discuss and share protected health information with relevant people—the patients, their doctors, their health insurance, and others as needed. Discussing it with any other party directly violates the rules and regulations set forth by HIPAA.

Staff might mistakenly send one patient’s records to another patient. Even without bad intent, that is an impermissible disclosure of PHI to a third party, and it must be assessed, and if necessary reported, as a breach.

If you need to share PHI with your business associates, they must enter into a business associate agreement (BAA) with you (as mandated by HIPAA). The BAA would clearly define the extent of permissible uses and disclosures of the information.

It’s also important to train your staff to obtain a written, HIPAA-compliant authorization from the patient before sharing PHI for any purpose beyond treatment, payment, or healthcare operations, such as for legal or marketing purposes. Establish clear policies too, so that staff don’t share PHI without the patient’s approval, even with the patient’s family, except where the Privacy Rule specifically permits it.

6. Improper Disposal of PHI

When it’s time to dispose of protected health information from your archive, make sure you do it thoroughly, so that someone with malicious intent cannot recover identifiable data about your patients. If they do recover it, that counts as negligence on your part and may be a reportable breach.

For paper PHI (documents, printed health records), shred, pulp, or incinerate it so that it cannot be reconstructed. For ePHI, deleting files or formatting a drive is not enough, because the data usually remains recoverable. Sanitize the media in line with NIST Special Publication 800-88: overwrite or cryptographically erase magnetic drives, and for solid-state drives and mobile devices use the device’s built-in cryptographic erase or physically destroy the media, since overwriting does not reliably reach every cell. Keep a record of what was sanitized, how, and by whom. HIPAA audit help can walk you through the right technique for each kind of media.

Work With the Best Compliance Consulting in Oregon

HIPAA regulations evolve continuously as they adapt to the data technology advancements we have today. Similarly, keeping up with these standards to stay compliant has become more challenging than ever.

But you don’t have to do it alone. That’s why HIPAA consulting experts like us exist.

Our team at Physician’s Resource brings decades of experience to help you identify vulnerable points where your business might fail to stay HIPAA-compliant. And we’re here to help patch them up.

Give us a call at 1-800-615-1729 and talk to our compliance specialists today. Let’s get your HIPAA practices well-maintained and keep violations and penalties at bay.


All About Infectious Disease Control

People who work in the healthcare sector are often exposed to a wide range of infectious agents, from TB and MRSA to influenza and COVID-19. This is true whether they have face-to-face interactions with patients or perform ancillary tasks in a laboratory and other similar settings.

So if you run a medical, dental, or even veterinary practice, you cannot focus solely on providing high-quality patient care. You should also pay attention to the safety of your staff from exposure risks, whatever type of work they perform.

That said, diversity in the workplace settings of healthcare workers makes it more difficult to create and implement the necessary safety measures. The good thing is that you are not on your own, as OSHA is with you in every step of your safety journey.

Regulations

OSHA, the Occupational Safety and Health Administration, is the federal agency within the U.S. Department of Labor tasked with ensuring that workers have “safe and healthful working conditions.” It sets clear, enforceable standards that business owners and medical practitioners must comply with to protect their staff.

When it comes to the transmission of infectious agents, OSHA has a number of directives designed to help reduce the risks for occupational exposure. Here’s a close look at some of them.

Standard for Bloodborne Pathogens

In the context of workplace safety, the term “bloodborne pathogens” refers to microorganisms present in human blood (and in other potentially infectious materials, such as certain body fluids) that can cause disease in people exposed to them.

Occupational exposure happens in three main ways:

  • Percutaneous injury, such as a needlestick or a cut from a contaminated sharp
  • Direct contact, where infected blood or other potentially infectious material reaches the health worker’s mucous membranes (eyes, nose, mouth) or non-intact skin
  • Indirect contact, such as when an object or surface contaminated with infected blood touches broken skin or mucous membranes

Bloodborne pathogens can cause a long list of diseases, but the biggest occupational risks are hepatitis B (HBV), hepatitis C (HCV), and HIV. To protect your employees, you must comply with the following requirements of OSHA’s Bloodborne Pathogens standard (29 CFR 1910.1030).

1. Establish and Implement an Exposure Control Plan

The first step in protecting your employees from infectious diseases is to have a robust exposure control plan in place. This system should include a list of job classifications that are vulnerable to exposure and outline the steps they need to take in case they do get exposed to bloodborne pathogens.

2. Observe Universal Precautions

Universal Precautions is an approach to infection control where you and your workers handle human blood and other body fluids with extreme care as if they are infected with HIV, hepatitis B, and other diseases.

3. Engineering Controls and PPE

Employers must identify, evaluate, and implement effective engineering controls and work practices that isolate or remove bloodborne pathogen hazards, such as puncture-resistant containers for the disposal of needles and other sharps, self-sheathing needles, or needleless systems.

If there are risks that cannot be removed by these measures, make sure that your staff has access to the appropriate PPE.

4. Hepatitis B Vaccination and Post-Exposure Evaluation

OSHA further requires employers to make the hepatitis B vaccination series available, at no cost, to every employee with occupational exposure, within 10 working days of initial assignment. If an exposure incident occurs, the employer must provide a confidential post-exposure medical evaluation and follow-up, including the necessary laboratory tests, also at no cost to the employee.

Standards for Personal Protective Equipment

Aside from ensuring that your staff wears PPE appropriate for bloodborne pathogens, there are other PPE standards you need to be aware of so you do not run afoul of OSHA’s safety requirements.

For instance, gloves, safety glasses, coveralls, full-body suits, and other equipment must be properly designed, made, maintained, and stored. On top of this, PPE must fit the wearer properly so that they are adequately protected and not dangerously exposed.

Finally, your employees must be trained on how to use PPE properly. They must know what to wear and when to wear it. They must also be aware of the equipment’s limitations and use it only as designed.

Standards for Respiratory Protection

Similar to the OSHA standards for bloodborne pathogens, employers are expected to come up with engineering and administrative controls to ensure that breathing air in the workplace is free from droplets and infectious agents that are airborne. Some of the common examples are general or local ventilation, enclosure of the affected work area, or using less toxic materials.

Additionally, if this approach does not eliminate all the issues, employees must have access to the appropriate respirators depending on the risks present in the workplace.

Consulting and Training Services

OSHA’s guidelines for controlling infectious diseases in the healthcare sector are comprehensive. It might be a bit much for medical practitioners or business owners like you to manage on your own. The good thing is that there are companies that can help you guarantee the safety of all employees in the workplace.

At Physician’s Resource, we provide OSHA compliance training and consultation to help you keep up with the agency’s constantly-evolving safety standards. We have a team of safety specialists ready to provide on-call advice and support, ensuring that you are audit-ready at all times.

Call us at 1-800-615-1729 to schedule a free consultation with one of our experts today!