
2018 HIPAA Audit Update

Matt Lawler

Today, it may be more difficult than ever to remain in compliance with the Health Insurance Portability and Accountability Act (HIPAA), which was first passed in 1996. HIPAA was designed to protect healthcare coverage of workers in the event of a job change, create standards to protect vital personal info for patients, providers and employers alike, control costs of health insurance and set guidelines for group plans and life insurance. In the age of electronic information, finding ways to share crucial information between the necessary parties can be difficult and is a top cause of HIPAA violations. This article covers proper ways to share data to avoid a HIPAA audit.

 

Any party covered by HIPAA can be audited. This includes doctors, dentists, medical groups, and even nursing homes, as well as many others. An audit is essentially an exam that helps to determine a party’s compliance with the law, as well as to inspect current processes and evaluate their functionality. The result of an audit can be harsh fines, even for accidental violations. For this reason, it is key to ensure that your practice is up to speed on the current rules and regulations.

 

In 2018, there are numerous ways to share data, both electronically and physically. From file-sharing services like Google Drive and Dropbox to daily communication tools like FaceTime and text, those in the medical field are afforded a number of options to share pertinent info. When personal information must be shared, it is important to know how to share it easily, but within the rules of HIPAA.

 

Sites such as Google Drive and Dropbox are incredibly convenient ways to share data, but within the scope of HIPAA, they are not viable options to do so. HIPAA requires all data to be encrypted, even when uploading and downloading, and despite the fact that both sites do allow for the encryption of data, they are not to be used for sharing of personal medical data. Both Google Drive and Dropbox are classified as “business associates” rather than “conduits,” which means that they are excluded from the HIPAA Conduit Exception Rule. This rule essentially outlines what qualifies as a safe way to transfer data. Companies like the US Postal Service and FedEx fall under this rule as they are both considered safe ways to transfer personal information.

 

However, even when using shipping services such as USPS and FedEx, it is important to do the proper research to ensure privacy. Recently, CVS, the nationwide pharmacy chain, came under fire for a major HIPAA violation. As a covered entity, CVS is required to abide by HIPAA law. CVS worked with a third-party mailing company, Press America Inc., which, due to a string of mis-mailings, disclosed the personal information of a significant number of individuals. CVS sued Press America for negligence and would eventually win the suit, but still faced significant fines and losses due to the incident. This example shows the importance of doing due diligence prior to making any decisions that could cause a HIPAA violation.

 

Though unsafe transfer of data is the primary cause of HIPAA violations, it is not the only thing to worry about. There are a number of steps that can be taken around the workplace to minimize the chance of an audit. It is important to regularly evaluate systems to ensure compliance. This means checking that all data that is transferred is encrypted and can only be accessed by authorized personnel. Strong passwords and proper security systems are crucial to data protection.

 

It is also important to make safe and compliant practices the standard for all employees. Creating good habits helps to reinforce the idea of compliance better than most steps. In addition to ensuring that all office practices are secure, conducting an in-house mock audit can help identify any non-compliant practices.

 

The consequences of a HIPAA violation can be major, and it is important for all covered entities to ensure full compliance. Stay current on the laws, as they are updated on a semi-regular basis, and build a workplace environment that helps keep each employee on the same page. HIPAA compliance is key to the reputation and operation of covered entities of all types, so take every step possible to ensure that you are well within the law.
