The government regulation that gives many health care organizations heartburn is HIPAA. Short for the Health Insurance Portability and Accountability Act, HIPAA was enacted by Congress in 1996, and its Privacy and Security Rules set the policies that protect confidential patient data. As time and technology have changed, so too have the requirements and policies that implement HIPAA.
To ensure healthcare organizations are adhering to the policies in place, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) conducts periodic audits. The next round of audits is set to begin at any time. In order to protect your practice from a violation, it is vital to understand where many other organizations fail.
In a recent study by NueMD, only 38% of respondents said they felt confident that someone within their organization was ensuring HIPAA compliance. The study also found that small practices were more likely to have issues with HIPAA compliance when compared to larger organizations.
When it comes to medical marketing and patient communication, email, texting and social media are common tools of the trade, but they come with their share of risks. For example, when using social media you should never use a patient's name or post any detail that could identify them, including photos, dates of treatment or descriptions of a case that are specific enough for someone to work out who the patient is.
Another HIPAA violation culprit is email communication. In the study cited above, only 36% felt very confident that their email communications were HIPAA compliant. The HIPAA Security Rule lists encryption of electronic PHI (protected health information) in transit as an addressable specification (45 CFR 164.312(e)(2)(ii)): a covered entity must either encrypt email that carries PHI or document why an equivalent alternative is reasonable and appropriate, and in practice sending PHI in plain text is very hard to justify. The 2013 HIPAA Omnibus Rule made business associates directly liable under HIPAA, and an email provider that stores or transmits PHI on a practice's behalf is a business associate. Unbeknownst to many, free consumer email services (such as Gmail, Yahoo and AOL accounts) will not sign a BAA (Business Associate Agreement), so any PHI stored in or sent through those accounts is being handled by a business associate without the agreement HIPAA requires, which is itself a violation.
The safest way to transmit PHI is through either an encrypted, BAA-covered email service or a patient portal. A patient may ask to receive their own information by ordinary email; OCR guidance allows this if the patient has been told of the risks and still prefers it, but that choice should be documented. Even if a patient sends the provider an email first, it is the provider's responsibility to store the information securely from that point on.
If the best defense is a good offense, providers must take steps to ensure that their patients' health information is secure. Consider signing up for a secure, HIPAA compliant email service whose provider will sign a BAA. In addition, make sure that every website form that collects patient information is served and submitted over HTTPS and delivers its contents to that secure mailbox or portal, never to a consumer email account. Lastly, conduct annual HIPAA compliance training for your staff to ensure everyone is clear on the policies they must adhere to. By taking these measures today, you can protect yourself from violations when the next round of HIPAA audits begins.