In an article over at Healthcare IT News, Philadelphia attorney Christopher Ezold gives some very good insight into why organizations should not ignore HIPAA requirements.
Ezold hits on many good points to drive this home:
Ezold warns that while enforcement of PHI rules has been lax in the past, the Department of Health and Human Services (HHS) has recently imposed penalties of more than $1 million against companies found in violation of HIPAA.
Smaller employers have also found themselves on the receiving end of a HIPAA audit. This is a strong reminder for businesses to revisit their compliance programs, Ezold said.
“If OCR comes knocking, you may be able to avoid significant liability by showing that you have engaged in a good faith attempt to meet your obligations,” says Ezold.
His list of recommendations is spot on.
- Designate a HIPAA compliance officer.
- Create privacy and security policies that comply with HIPAA and HITECH.
- Determine which employees have access to PHI.
- Limit access to PHI both operationally and in policy to those employees who “need to know.”
- Review physical and encryption security for PHI.
- Schedule annual reviews of policies, operations and regulations.
- Create annual risk analyses and security plans.
- Have policies in place regarding breaches of PHI security.
- Schedule annual computer network security reviews.
- Safeguard all physical/documentary PHI in a locked location.
- Create policies for reviewing and shredding old documents.
- Ensure that no one keeps PHI on any mobile digital device.
The most insightful comment in the article might be:
“A small investment in time now could prevent extremely painful repercussions down the road if you are not in compliance.”
Ezold’s point is well taken. It doesn’t have to take a lot of time to address HIPAA regulations, and the investment can pay off in fewer data breaches and HIPAA violations. We know this firsthand; we pride our service on “Making HIPAA Easy”.
To help you get started, download our free guide, 5 simple and inexpensive tips to protect patient information.