Our 2021 HIPAA Compliance Checklist
Why your medical practice needs an IT company that understands HIPAA compliance
If your organization handles patient’s health care information, you likely need to be HIPAA compliant.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 which aims to keep patient’s health data safe and protected. It ensures that healthcare providers and business associates of covered entities implement protections to keep sensitive personal and health information private.
HIPAA also benefits healthcare organizations by streamlining administrative processes and helping with the transition from paper records to electronic copies.
Reviewing a HIPAA compliance checklist regularly to ensure that your medical practice is following all the necessary measures is critical to keeping your organization in good standing.
Continue reading to learn more about what it means to be HIPAA compliant and how an IT company can help.
What is HIPAA compliance?
HIPAA compliance involves following the requirements of the Health Insurance Portability and Accountability Act.
All business associates and covered entities that have access to protected health information (PHI) must ensure that administrative, physical, and technical safeguards are in place, as outlined in HIPAA. Without HIPAA, health care organizations would not be required to have any safeguards in place, and there would be no repercussions for failing to protect sensitive patient information.
Some of the common terms regarding HIPAA include:
- Protected health information (PHI) is healthcare data. This is what HIPAA aims to protect and keep private.
- Covered entities are people working in the healthcare field that have access to PHI such as doctors, nurses, and health insurance companies.
- Business associates work with or provide a service to covered entities and are also responsible for maintaining HIPAA compliance. Examples of business associates are lawyers, accountants, and IT personnel who have access to PHI.
What is the HIPAA Privacy Rule?
The first item on our HIPAA compliance checklist is the HIPAA Privacy rule.
The HIPAA Privacy rule outlines how PHI can be used, accessed, and disclosed by healthcare personnel, lawyers, and anyone else within the healthcare system.
The Privacy rule ensures that the appropriate protection measures are in place to ensure the privacy of all PHI. It also gives patients the right to their own PHI, including obtaining a copy and requesting corrections.
This rule also requires covered entities to respond to a patient’s request to obtain their PHI within 30 days.
IT for medical offices: what’s the best way to protect your patient data?
What is the HIPAA Security Rule?
The HIPAA security rule contains the safeguards that must be applied in order to protect PHI that is created, stored, or accessed electronically. This type of PHI is known as electronic protected health information or ePHI. Access to ePHI refers to anyone who has the ability to edit, read, write, and communicate this information.
There are three safeguards that are outlined in the security rule: physical safeguards, technical safeguards, and administrative safeguards.
- Physical safeguards protect the physical access to where ePHI is stored or accessed. Physical safeguards include security and alarm systems.
These safeguards also require covered entities and business associates to limit physical access to facilities.
This also includes policies that are put into place to specify proper use and access to workstations, as well as the transfer and removal of electronic media.
- Technical safeguards refer to the technology in place to protect ePHI, such as firewalls, encryption, and data backup. These measures are critical to implement in case of a data breach or hacking attempt. These safeguards include access, audit, and integrity controls, as well as transmission security.
Access controls put procedures in place to ensure only authorized personnel access ePHI. Audit controls use mechanisms to record and examine access in information systems that have or use ePHI. Integrity controls implement measures to ensure that ePHI has not and will not be improperly edited.
Transmission security refers to the implementation of security measures that protect access to ePHI that is transmitted through an electronic network.
- Administrative safeguards require that a security officer and privacy officer put the appropriate measures in place to protect ePHI.
This safeguard also requires that covered entities and business associates perform a risk analysis to determine what security measures are best suited for your organization.
A risk analysis includes evaluating the likelihood of potential risks to ePHI, implementing security measures, documenting the security measures in place, and maintaining these measures.
What businesses should know about penetration testing
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires that covered entities notify patients when their PHI has been stolen, compromised, or even exposed to a risk.
If over 500 patients were affected, covered entities must notify the Department of Health and issue a notice to the media within 60 days of the breach. If the breach affected less than 500 patients, the Department of Health must be notified annually.
Breach notifications must include a list of the PHI that was involved, an explanation of how the breach occurred, who saw the exposed data, proof of whether the PHI was viewed or not, and mitigation steps that have been taken so far.
How can an IT partner help with HIPAA compliance?
At Internetwork IT, we take care of the extensive HIPAA requirements for you, so that your healthcare practice can achieve adequate HIPAA compliance. Our medical IT services package includes HIPAA compliant services and everything you’ll need to protect your patients and team.
“I have known and used InterNetwork IT for over 3 years. Adam and his team are very professional and go the extra mile to help. Their services are reliable and reasonably priced. I would not hesitate to recommend.”
— Leroy Harrison, Practice Manager, A Plus Pediatrics and South Lake Pediatrics
Ready to get started?
Contact us today to learn more!