The Do’s and Don’ts of HIPAA Compliance
If your company has a long history of working within the medical world, then there’s a good chance that you have a deep-seated understanding of the Health Insurance Portability and Accountability Act (HIPAA). The rules, which were passed by Congress back in 1996, were put into place to protect patients’ coverage and personal information and to reduce instances of healthcare fraud.
But if your company is still in the early stages of branching off into healthcare-related services, or you just want a refresher course, you may not be as familiar. For those in need of some brushing up, we thought we’d share a list of some of the biggest do’s and don’ts to make sure you’re staying compliant when handling such sensitive information.
First and foremost, it’s of the utmost importance that you know exactly what is considered protected health information (PHI). Examples include names, addresses and contact information, social security numbers, medical record information, personally identifying dates (birth, death, appointments, etc.), and photographs. If you’re unsure whether something qualifies, your best bet is to err on the side of caution and treat it as though it does.
If you need to have a discussion about a patient of yours with someone else, make sure that person is authorized and that you aren’t doing it in a public setting. Instead, find a private setting for the conversation so that no one else can overhear what’s being discussed.
Keep your login information to yourself. Under no circumstances should you ever share this information with anyone else, even if it’s a colleague that you trust. In the same vein, never write down this information, even as a personal reminder for yourself. In both situations, it constitutes a breach of security and counts as an infraction.
Never leave patient information in plain sight. This means that, whether you’re at the back office or in the field, don’t leave your devices unlocked and able to be seen by anyone else. It doesn’t matter if you’re stepping away for 20 minutes or 20 seconds.
When retention periods for patient PHI and ePHI (electronic PHI) expire and you are no longer required to hold onto this information, if you choose to dispose of the records, you must be sure they are fully destroyed. Hard copies must be shredded, pulped, or incinerated, while electronic records must be securely wiped or, if need be, the device on which the ePHI is stored must be physically destroyed.
If your patients want access to their own records, it’s your responsibility to provide them within 30 days of their request. If patients choose to share this information with other entities, that is at their discretion, but denying them the right is a violation and can result in hefty fines.
Implement software that truly supports HIPAA compliance. The Vault tier of our Encore software allows you to collect sensitive customer information and transmit it to your back office with complete end-to-end data encryption. We even brought in third-party experts for an additional layer of vetting to help make sure we covered all our bases and confidently stand by our ability to keep your client information safeguarded.
You can never be too safe when you’re working in the healthcare industry. By taking a few cautionary steps, as well as implementing trustworthy software to help you with your daily needs, you’ll be well on your way to running a HIPAA-ready business.
Have any questions on how Actsoft can help you?