- What is HIPAA Compliance?
- What Businesses Are Required To Meet HIPAA Compliance?
- HIPAA Compliance Best Practices
- Information Security Risks for Small Health Care Providers
- HIPAA Compliance Process Model
- HIPAA Compliance Action Plan
- Where To Get HIPAA Information And Help
- HIPAA Compliance and Business Management Software
- HIPAA Compliance Conclusion
HIPAA compliance refers to the Health Insurance Portability and Accountability Act (HIPAA), which was signed into law in the United States by President Clinton in 1996.
Compliance aims to achieve two objectives: first, to ensure workers keep their insurance between jobs, and second, to ensure the confidentiality and security of an individual's health information.
HIPAA compliance is a big challenge for small business health care practices. In 2008, research showed that approximately 60% of physicians in the U.S. practice within an environment that can be described as a small business (fewer than 7 physicians). The chief compliance issue for these small businesses is regulatory compliance in patient information security (InfoSec). Failures in HIPAA compliance overwhelmingly originate from breaches in InfoSec.
Small health care businesses, such as chiropractors, dentists, family physicians, orthodontists and naturopathic doctors, are particularly vulnerable to HIPAA compliance failures. They are vulnerable because they usually operate with limited funds allocated to patient data security, lack technical expertise, and may be unaware of HIPAA compliance legislation.
The very nature of small business means funds are limited. Typically, money is spent first on the physical location of the practice and the utilities needed to maintain it. Next, personnel are hired to help run the location; these may include a front desk person, other health care practitioners, cleaning staff, and IT staff or contractors. The owner of the small health care business is also responsible for marketing strategies and their associated costs. These expenses are a very large component of the overall budget and place severe limitations on the profitability of a business.
HIPAA compliance may require these small businesses to hire Information Technology (IT) HIPAA specialists, revamp their business processes for information storage and exchange, purchase physical equipment or software that provides an additional layer of security, and spend considerable time and money training staff on new technologies while educating them on HIPAA compliance best practices. Given the constraints of operating a successful and profitable small business, it is not hard to see why the additional expenditures that HIPAA compliance demands are burdensome and often overlooked.
The grace period for businesses to adopt HIPAA compliance has passed. With the need for internet security becoming increasingly apparent due to high-profile breaches, U.S. District Attorneys are fining businesses that do not meet compliance regulations. For example, Blue Cross Blue Shield of Tennessee had a data breach in 2009 that cost it an estimated $18.5 million in fines. In 2015, Anthem Inc. had a data breach in which over 80 million records were stolen, and the cost to the company is expected to exceed $1 billion.
The U.S. Department of Health and Human Services (HHS) provides detailed information for determining who is considered a covered entity (CE) or a business associate that must abide by HIPAA rules. In general, individuals, organizations, and agencies of the following types are CEs: a health care provider, such as a doctor, dentist, optometrist, podiatrist, dermatologist, chiropractor, clinic, pharmacy, or any business entity that generates or uses PHI; a health plan, such as a health insurance company, a company health plan, or a government program such as Medicare, Medicaid, and military and veterans' health care programs; and a health care clearinghouse, where health information is converted from one format to another. Business associates of the above entities, such as contractors or consultants, are also affected by HIPAA rules.
Furthermore, HIPAA may extend to health care practitioners residing in other countries. If you provide medical care to U.S. citizens and consequently collect medical data on them, you are bound by HIPAA compliance laws in addition to the privacy laws of your own country.
According to HHS, best practices include:
- ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, maintain, or transmit
- identify and protect against reasonably anticipated threats to the security or integrity of the information
- protect against reasonably anticipated, impermissible uses or disclosures
- ensure compliance by their workforce.
The following activities are required of CEs and must be repeated regularly:
Risk Analysis and Management
- evaluate the likelihood and impact of potential risks to e-PHI
- implement security measures to address the risks identified in the risk analysis
- document and provide rationale for chosen security measures
- maintain continuous, reasonable, and appropriate security protections
Implement Administrative Safeguards
- designate a security official who is responsible for developing and implementing its security policies and procedures
- implement policies and procedures for authorized access to e-PHI using role-based access
- train all workforce members regarding its security policies and procedures
- establish appropriate sanctions against workforce members who violate policies and procedures
- conduct periodic evaluation
Implement Physical Safeguards
- limit physical access to its facilities, yet ensure authorized access is available
- establish policies and procedures regarding proper use of computer workstations and electronic media
- establish policies and procedures regarding the transfer, removal, disposal, and reuse of electronic media
Implement Technical Safeguards
- access control: a CE must implement technical policies and procedures that allow only authorized persons to access e-PHI
- audit controls: a CE must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI
- integrity controls: a CE must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed
- transmission security: a CE must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted across electronic networks
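The first three technical safeguards above (access control, audit controls, integrity controls) can be illustrated in code. The following is an added example, not code from the original article or from Bizstim: an in-memory e-PHI store with a constructed role matrix and a constructed HMAC key that denies unauthorized access by default, appends every access attempt to an audit trail (who, which role, what, which record, when), and refuses to serve a record whose integrity tag no longer verifies.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed demo key; a deployment would load it from a secrets store, never from source.
INTEGRITY_KEY = b"constructed-demo-key"

# Assumed role-based access matrix: which roles may read or write e-PHI (deny by default).
PERMISSIONS = {"practitioner": {"read", "write"}, "front_desk": {"read"}, "cleaning": set()}

def record_mac(record):
    """HMAC-SHA256 over a canonical JSON encoding; any alteration of the record changes the tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()

class EphiStore:
    def __init__(self):
        self._records = {}   # patient_id -> (record, integrity tag)
        self.audit_log = []  # append-only: who, which role, what, which record, when, outcome

    def _audit(self, user, role, action, patient_id, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "role": role, "action": action, "patient": patient_id,
                               "outcome": outcome})

    def _authorize(self, user, role, action, patient_id):
        # Access control: unknown roles and unlisted actions are denied, and the denial is logged.
        if action not in PERMISSIONS.get(role, set()):
            self._audit(user, role, action, patient_id, "denied")
            raise PermissionError(f"role {role!r} may not {action} e-PHI")

    def write(self, user, role, patient_id, record):
        self._authorize(user, role, "write", patient_id)
        self._records[patient_id] = (dict(record), record_mac(record))
        self._audit(user, role, "write", patient_id, "ok")

    def read(self, user, role, patient_id):
        self._authorize(user, role, "read", patient_id)
        record, mac = self._records[patient_id]
        # Integrity control: refuse to serve a record whose tag no longer verifies.
        if not hmac.compare_digest(record_mac(record), mac):
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise ValueError(f"e-PHI record {patient_id!r} failed integrity check")
        self._audit(user, role, "read", patient_id, "ok")
        return dict(record)

    def tamper(self, patient_id, key, value):
        # Demo only: simulates an out-of-band edit (e.g. a direct database change) that bypasses write().
        self._records[patient_id][0][key] = value
```

Transmission security, the fourth safeguard, is not shown here; it is a property of the network channel (for example TLS between browser and server) rather than of the record store.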
As discussed earlier, small businesses have a plethora of demands upon them that monopolize their scarce resources. As such, small businesses tend to have inadequate understanding of HIPAA compliance or InfoSec and therefore fail to perform risk assessment or enact security policies.
Some research shows that approximately 33% of small businesses that are responsible for compliance have never conducted a security risk assessment of their policies and procedures. A missing assessment means HIPAA compliance is not being adhered to, because the mere lack of a risk assessment constitutes non-compliance.
Common information security risks for small health care providers include:
- unauthorized access
- physical loss of equipment
- viruses, spyware and malware
- no audit trail of who accessed information and when to ensure confidentiality and integrity
- loss of data
The following process model is intended to help implement strategies for HIPAA compliance.
You can find HIPAA requirements above or refer to the resources in the following sections to get a better understanding of the requirements. However, it is advisable to seek professional legal advice if you are at all unsure of the HIPAA requirements.
This self-assessment step determines how far you have deviated from HIPAA compliance. If you are not completely compliant, you need to know where you fall short in order to fix the problem.
Conducting a risk analysis will highlight the areas where the business is vulnerable and rank the value of its assets.
Once the risk analysis is conducted and assets are ranked by importance, policy formulation develops the policies and procedures that mitigate exposure to those risks. The higher an asset's value, the more extensive the policies and procedures protecting it.
Now that there are policies and procedures, the business must implement those policies and procedures. This isn't the end of the process model. There is a feedback loop between implementation and self-assessment. Since threats to patient records and information are ongoing, self-assessment must be routinely conducted to re-evaluate risk, create new policies and procedures, and implement those changes.
In this way, HIPAA compliance is a never ending endeavor.
Now that you have a better understanding of the requirements, it's important to see how they can be integrated into your business. The HIPAA compliance action compass depicted below will give you ideas how to practically integrate compliance into your business.
HealthIT.gov has a lot of very helpful information regarding HIPAA compliance. They created the comprehensive online guide that we are making available below. If you still have questions we have not answered, HealthIT.gov is a great resource to use. Additionally, please leave a comment below and let us know what we don't have. We would like to know how we can provide additional information to our readers.
If you would like to read the online guide click on the guide image that follows.
Since we provide business management software, we thought it would be a good idea to talk about it and how it relates to HIPAA compliance.
Regardless of the business management software you choose for your practice, whether it is our software or a competitor's, you need to keep a few things in mind with respect to HIPAA. Here are some of the pros and cons of business management software:
Pros for Business Management Software
- There is built-in access control, since all users of the software require login credentials. If a user is not authorized to access the information, you can withhold access. This is generally universal throughout the business software industry; however, some platforms may not allow certain users or staff to access the software at all. Bizstim business management software allows administrators to determine who has access (patients, practitioners, staff, and administrators).
- Audit controls are usually available. You can assign appointments to practitioners, who are responsible for opening, saving and closing sessions with patients. The ability to leave private and public notes provides enough flexibility to manage audits. Permissions can further restrict who can access information and therefore act as an audit indicator.
- Integrity controls can be realised by backing up information using the export data functions and through the backups the software provider keeps. Integrity controls are a little more problematic, however: since the software provider routinely backs up the data from the database, it is important that they have security in place to protect that data. With respect to Bizstim's data management practices, our data is stored in a non-web-accessible location that is protected by firewalls and modern encryption methods.
- Transmission security is provided by Secure Sockets Layer (SSL) technology, which encrypts information travelling between your client's browser and our servers. This makes it very difficult for the information to be accessed by anyone who does not have access to our software.
Cons for Business Management Software
Business management software is one of many tools that allow businesses to streamline their processes and save money. This streamlining property was one of the original concepts behind HIPAA compliance. Unfortunately, theory and ideology often find themselves at odds with reality.
Data breaches do happen. Very well known companies have fallen victim to breaches in their security. No matter how secure a platform claims to be there is always a chance of a breach. Since you do not own the software and hardware for your cloud-based business management software, you do not have direct control over the implementation and monitoring of security.
Thus, you place a certain level of trust in the service provider to keep your data safe and secure. This is obviously one of the biggest cons of contracting out your business management software needs.
Bizstim software meets the fundamental requirements for HIPAA compliance. Using our software doesn't exclude you from maintaining your own compliance. You still need to develop policies, evaluate risk, train staff and self-assess. The way in which you use and interact with cloud-based business management software will determine if you are compliant.
For more information about Bizstim business management software, you can check out our business management features page and to learn more about our service offering from a health care perspective check out our appointment and financial software for health clinics.
Ironically, the most recent additions to the requirements for HIPAA were intended to streamline data collection, storage and security. The streamlining process was touted as a way to cut costs and save money. However, small health care practices are more heavily burdened than larger health care practices.
The cost of implementing HIPAA compliance requirements is relatively higher for small businesses, since they do not have the same level of revenue as larger practices and their infrastructure tends to be far less centralised.
A business with a centralised infrastructure provides a connected network that shares information and is accessible from terminals, whereas a decentralised infrastructure may rely upon staff using their own computers or devices and passing data along on removable media such as USB drives. Therefore, small businesses have a lot further to go in order to be compliant.
Nonetheless, both small and large health care practices are required to be HIPAA compliant. The potential cost of non-compliance will force health care practitioners to pay close attention to their policies and procedures.
If you have any questions regarding HIPAA compliance, feel free to leave a comment. We'll do whatever we can to answer them.