How to avoid being caught out by HIPAA compliance

Upload: lepide-software-pvt-ltd

Post on 13-Apr-2017


What is HIPAA compliance?

HIPAA, the Health Insurance Portability and Accountability Act, is a compliance standard for protecting sensitive patient data. All Covered Entities must ensure they secure protected health information and that physical, network and process security measures are in place and diligently followed. All covered entities must:

• Safeguard the integrity, confidentiality and availability of all PHI they create, receive, maintain or transmit.

• Recognize and defend against expected threats to ensure the security and integrity of the information.

• Ensure compliance by everyone in the workforce.

Do you have the patient's authorization?

HIPAA compliance usually does not allow covered entities to share PHI unless authorized by the patient. The exception to this rule is where sharing is needed for access to quality health care or for other important public benefits. In these cases an embargo on sharing PHI would be an unnecessary interference.

The following cases don't require the patient's authorization:

• Disclosures required by law

• Public health reporting

• Audits and investigations

• Judicial proceedings

• Administrative proceedings

• Law enforcement purposes

• Research purposes

How to release information

A Covered Entity must obtain written authorization before releasing protected health information (PHI), unless HIPAA specifically permits the disclosure.

An authorization must include:

• A description of the information that will be disclosed

• The authorized person

• The person who will get the information

• Description of the purpose

• The expiration date

• The patient's signature

Other information may be needed depending on the requirement.

Electronic Protected Health Information (ePHI)

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under HIPAA compliance regulations and is produced, saved, transferred or received in electronic form.

ePHI includes identifying information such as:

• Patient name

• Address

• Social Security number

• Email address

• Fingerprints

• Photographic images etc.

All devices carrying ePHI should be HIPAA compliant, including:

• Personal computers

• Tablets

• Smart phones etc.

Covered Entities must ensure that policies, procedures and training have been properly established and that access (whether onsite or offsite) is provided as per the requirements of the HIPAA Privacy Rule. The following factors should be considered for users accessing PHI:

• The size, complexity and capabilities of the entity

• Hardware and software security capabilities

• The costs involved

• Risks to PHI

• User access

Disposing of PHI

Covered Entities must apply the right managerial, technical and physical provisions to guard the confidentiality of PHI and ePHI in any form while disposing of it.

Examples of proper disposal methods are:

• For paper records: shredding, burning, pulping or pulverizing.

• For ePHI: clearing, purging or destroying the media.

Covered entities may also use other appropriate methods of disposal.

Backup plans

Covered Entities must implement protocols to safeguard and ensure continuous access to PHI, including a contingency plan for disaster cases. Most data recovery methods are based on either data backups or replications.

For ePHI: data backups can be kept on removable media such as CDs or flash drives, or on storage systems such as dedicated backup applications.

For all other PHI: data replication methods can be used.

Thank you

Solid, consistently followed business practices are required to meet the HIPAA Security standards. With a better understanding of the correct ways to handle PHI and ePHI, Covered Entities can be more secure in the knowledge that they will not be caught out by compliance mandates. Check out LepideAuditor Suite, an automated solution for handling ePHI and meeting HIPAA compliance:

https://www.lepide.com/lepideauditor/