Understandably, the start of the year presents its fair share of challenges for health care professionals and organizations. For many of us, it is easy to focus on our day-to-day duties and forget about compliance.
Instead of treating compliance as something to do once and then revisit only if needed, we put together a list of 5 tips to help you and your organization in 2015 and beyond.
1. Policies and procedures require review. Reviewing policies and procedures is often forgotten. It is easy to think of them as something that is simply there to reference when needed. Just because your policies and procedures have been created doesn't mean you are "in compliance." They require periodic review, at least once per year or whenever updates occur.
Tip: Healthcare Compliance Pros' HIPAA Privacy and HIPAA Security modules are written as policies and procedures for your organization. In addition, we have certified compliance specialists to assist your organization and address compliance concerns.
2. Change your passwords. A recent security study found that weak login credentials, including passwords, were among the top causes of data breaches last year. Approximately 76 percent of attacks on corporate networks involved weak passwords. We can't emphasize enough the importance of periodically changing your password, and of choosing one that is at least 6 characters in length (preferably 8 or more), uses a combination of alphabetic, mixed case, numeric and punctuation characters, and, most important, is difficult for hackers to guess.
Tip: If you haven't changed your passwords in a while, please do so. We highly recommend not sharing your password with anyone, and not writing passwords down and leaving them in areas that are visible and/or accessible to others.
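The following is an added example, not code from the original post or from Healthcare Compliance Pros: a small checker that enforces the password policy stated above (minimum 6 characters, 8 or more preferred, all four character classes) and also flags a password as stale after an assumed 90-day rotation interval, since the post says only "periodically". The denylist of guessable patterns is constructed for illustration.

```python
import re
import string
from datetime import date, timedelta

# Thresholds taken from the tip above: minimum 6 characters, 8 or more
# preferred, and a mix of the four character classes it lists.
MIN_LENGTH = 6
PREFERRED_LENGTH = 8
MAX_AGE_DAYS = 90  # assumed rotation interval; the post says only "periodically"

# Constructed denylist of easily guessed patterns (illustration only, not exhaustive).
COMMON_PATTERNS = {"password", "welcome", "letmein", "qwerty", "123456"}


def character_classes(pw: str) -> set:
    """Return which of the four classes named in the tip the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def check_password(pw: str) -> list:
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < PREFERRED_LENGTH:
        findings.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")
    missing = {"lower", "upper", "digit", "punct"} - character_classes(pw)
    if missing:
        findings.append("missing character classes: " + ", ".join(sorted(missing)))
    lowered = pw.lower()
    if any(p in lowered for p in COMMON_PATTERNS):
        findings.append("contains a common, easily guessed pattern")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("contains three or more repeated characters in a row")
    return findings


def password_is_stale(last_changed: date, today: date) -> bool:
    """True when the password is older than the assumed rotation interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```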
3. Ensure proper safeguards are in place before communicating electronically. Everyone in your organization has a responsibility to ensure health information is protected. Likewise, everyone in your organization has a responsibility to ensure that only the minimum necessary information is shared electronically, and only with the intended recipient. You should include a disclaimer on emails and faxes that notifies the recipient that email and facsimile are not secure channels, and provides a contact to whom the recipient can report a misdirected message.
Tip: Always use a fax cover sheet whenever you send faxes containing any sensitive or protected health information. The cover sheet should identify the information contained in the transmission as confidential, and remind the recipient that any review, dissemination, distribution, or duplication of the information contained in the communication is strictly prohibited. The same disclaimer language should be included in your emails.
4. Properly dispose of, or store, PHI when not in use. The HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form. This means you must implement and follow reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI in connection with the disposal or storage of such information.
Tip: When destroying PHI in paper records, we recommend shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. You may also maintain PHI for disposal in a secure area that has limited access and is not accessible by the general public. When ready, you may use a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI. Do not throw documents containing PHI in the trash can.
5. Complete the entire breach notification process. How many of you have logged a suspected breach on a breach log? Has that suspected breach been properly researched and mitigated? Have you electronically submitted the report to the Secretary of Health and Human Services (HHS)? Simply logging the breach and notifying the affected individual doesn't mean you are in compliance. The breach must be researched, mitigated, and reported properly.
Tip: If you don't already have a formal process in place, you can log and submit suspected breaches on Healthcare Compliance Pros' website through our online Breach Log. This log contains all the fields HHS requires and provides fields for you to properly mitigate the breach. Watch for our article on February 4th, which will further discuss the breach notification process.
Last year, the Department of Health and Human Services' Office for Civil Rights stepped up its efforts to get providers to take compliance seriously, especially HIPAA. Because of these increased efforts and the ever-increasing cybersecurity threats, it is more important than ever to address compliance on a regular basis. These 5 Tips for 2015 and beyond are by no means all-inclusive; rather, they are 5 areas in which all of us are charged with safeguarding sensitive information and can improve.
If you have any questions about these Tips or if you have any compliance questions, please feel free to comment below or send us an email at [email protected] or reach us by phone toll-free at 855-427-0427.