A recent article over at Becker’s Spine Review discusses some of the “low hanging fruit of HIPAA compliance” and gives eight best practices for becoming and staying HIPAA compliant.
For the article they interviewed David Holtzman, JD, CIPP, vice president of compliance strategies at Cynergistek, and Aaron Tantleff, partner and intellectual property lawyer with Foley & Lardner LLP.
- Encrypt health information. The Office for Civil Rights reports that nearly two-thirds of all large breaches involving ePHI are the result of laptops and other portable devices with unencrypted health information that were lost or stolen. Encryption matters for more than prevention: under the HIPAA Breach Notification Rule, PHI that is encrypted according to HHS guidance is not considered “unsecured,” so a lost or stolen device that was fully encrypted generally does not trigger breach notification.
- Set up passwords or authentication requirements for software applications and devices. Fortify your devices and solutions with strong passwords that include different elements, such as numbers or special characters. Note that current NIST guidance (SP 800-63B) favors longer passwords screened against known-breached password lists over mandatory composition rules, and multi-factor authentication adds more protection than any password rule alone.
- Do not entertain gossip in your facility. A staff member may share information about a patient with a friend believing that “it’s only one person” and “no one will find out,” says Mr. Tantleff. Make sure staff members know what is at stake if they reveal patient health information to an unauthorized person.
- Properly train your staff members on HIPAA. For example, teach staff to be suspicious of emails that ask the user to click on a link or that ask for sensitive information, such as usernames and Social Security numbers. These phishing emails can expose the practice’s information system to malware that lets cyber criminals infiltrate the system.
- Put incident response plans into place. Train your staff members and test the plan so every person knows their roles and feels comfortable in their responsibilities, says Mr. Tantleff.
- Be vigilant about third-party business agreements. “Get a better understanding of how your contract with a vendor will protect and safeguard your practice’s health information,” says Mr. Holtzman. “As you are considering a new relationship with a vendor, ask whether they perform security risk analyses of their information systems that handle PHI or if they have designated privacy and security officials and what type of training they give their employees.”
- Avoid improper PHI disclosure. Be aware of the many ways information can end up in the wrong hands. Something as simple as a mixed-up name or patient ID can give an unauthorized individual access to another patient’s health information.
- Designate a HIPAA champion. Designate and empower an individual or leader in your organization to review, evaluate and investigate your organization’s HIPAA compliance efforts.
Some simple steps can help organizations become and stay HIPAA compliant. Are you doing all eight of these?