Medical providers are aware of the risks and penalties associated with HIPAA regulations. Yet, healthcare professionals sometimes become so busy with providing diagnosis and treatment, they overlook some important best practices to remain in compliance.
Creating a HIPAA checklist for staff--and themselves--helps providers and practices mitigate these risks to avoid costly penalties. Expanded requirements involving EHRs (electronic health records) have compounded the potential issues leading to non-compliance. Consider these suggestions to bring into or keep your practice in HIPAA compliance.
Suggested Best Practices Checklist
- Fulfill all patient record storage rules. Be sure you have locked areas, with visual monitoring, for patient records, whether electronic or paper files. Employ intrusion detection systems, with clear alarms, and maintain safe environmental conditions to avoid fire or other file destruction. Instruct all employees how to use, monitor and take action if storage security is breached.
- Screening, hiring, and training employees should include HIPAA risk minimization information. Using thorough background checks for staff candidates and training new staff on the specifics of HIPAA protected health information rules will lower or eliminate HIPAA patient privacy violations. Avoiding practice violations caused by honest errors by employees is vital to continued compliance and penalty elimination.
- Install sufficient staff controls on access to patient information. Develop procedures for staff access to patient records that are appropriate for each employee's responsibility level to eliminate unauthorized access to protected patient information. Regardless of practice or staff size, design written plans that you follow religiously. Larger practices demand more detailed plans, but still involve designating a specific person or department to authorize access, passwords and prompt deactivation of credentials for separated employees, regardless of authority level.
- Plan for security measures and contingencies. A written risk analysis of potential unauthorized access to protected information should alleviate many costly HIPAA violations. Also, plan and execute secure backup procedures that include written disaster recovery policies. Along with physical access limitations to paper files, create procedures for electronic access restrictions. After identifying possible risks, develop policies to immediately address breaches of security. Include all possible contingencies in your procedures to minimize unwelcome surprises for which you have no remedial policy in place.
- EHR and paper patient records need secure, written transmission or transportation policies and procedures. When digital EHR or paper files must be transmitted or transported to others, secure all information to be moved. Remember to also employ documented chain of custody procedures to ensure protection against claims of a broken chain. For physical transportation issues, address both information security and vehicle security to minimize protected information violations.
- Be sure all vendors the practice uses are HIPAA compliant. Always ask vendors for evidence that they are HIPAA compliant before doing business with them. Your responsibility and potential liability dramatically increases if you associate with vendors that cannot prove they are HIPAA compliant.
If your practice faces additional HIPAA risks, add these items to your checklist. For example, if you must physically transport health record documents often, you might want to include more detailed best practice operating procedures to ensure security and chain of custody tracking systems. The probability of violations increases with the number of transport and transmission repetitions necessary.
Preparing a best practices checklist and policies addresses at least three potential problems.
- Checklist keeps employee accidental HIPAA violations to a minimum.
- Checklist provides a "road map" of remedial actions to solve recording, privacy and security problems.
- Checklist and contingency plans display practice and provider concern for staying compliant with HIPAA rules and regulations.
Be sure to write down all plans, policies and procedures. Oral claims of having remedial and preventative procedures typically will "fall on deaf ears." Keep a secure backup of all checklists and compliance policies, in the event your original copies are accidentally destroyed.