HIPAA COMPLIANCE

by Rick Nielsen and AJ Riviezzo
In working with a large number of different practices, one oddly common theme is a lack of HIPAA awareness and compliance. I routinely receive unsecured emails with the patient’s full name (sometimes with other PHI). Occasionally the patient’s name is used as the subject line of the email. This necessitates my modifying the email thread before I can actually send a reply. Given the potential fines for each HIPAA breach, it is important to have at least a basic HIPAA compliance program.

For our own HIPAA training, we use an outside vendor that supplies a set of manuals and videos. One of our team members attended a security/compliance office training (it was four hours). That person is now joyfully (perhaps not) training the other team members initially and then annually. They also had to work with the management team here to develop a series of critical compliance policies. These included:

Training Policy: should include such things as an overview of what the employee will be trained in, how often you will provide refresher training, and how you document training.
Workstation Use Policy: needs to address the employee’s responsibility for turning monitors off or minimizing windows when they are not present at their work area, and, when setting up a workspace, making sure screens are not visible from normal patient access areas (i.e. waiting rooms or hallways).
Password Policy: details how often passwords must be changed and that employees will not share passwords. It should also state how passwords must be formatted (i.e. minimum length, mix of numeric and alphabetic characters, etc.).
Destruction Policy: should include such things as paper records (non-chart) being shredded, and computer hard drives being removed and shredded at the end of a computer’s life cycle.
Email Policy: notes that the practice reserves the right to monitor, audit, delete, and read any email messages. Protected Health Information (PHI) must be protected in email (i.e. no full names in subject lines, and all PHI either encrypted or in a password-protected attachment). All emails should include a confidentiality statement.
Transportation Policy: should address how and when documents containing HIPAA materials may be transported, and that the employee is responsible for ensuring their security.
Termination Policy: ensures that access to email, various passwords, and any other PHI access has been removed after an employee has left your employment.
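The email policy above describes checks that can be automated at the mail gateway or in a pre-send hook rather than left to each employee’s memory. The following is an added example (not code from the original post or from the authors’ practice) that screens an outgoing message for the three rules the policy names: a patient name in the subject line, PHI in the plaintext body instead of an encrypted or password-protected attachment, and a missing confidentiality statement. The patient roster, the list of "encrypted" file suffixes, and the PHI field labels are all constructed assumptions for the example; a real deployment would pull the roster from the practice management system.

```python
"""Outbound e-mail policy screen (added illustration, not the post's own code).

Assumptions (constructed for this example):
  * PATIENT_ROSTER stands in for a lookup against the practice's patient list.
  * An attachment counts as encrypted/password-protected only if its file name
    ends in one of ENCRYPTED_SUFFIXES.
  * A body containing a roster name or a PHI field label (DOB, MRN, ...) is
    treated as PHI sent in plaintext.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample roster; real practices would query their PM/EHR system.
PATIENT_ROSTER = ["Jane Doe", "John Smith", "Maria Garcia"]

# Field labels whose presence in a plaintext body signals PHI.
PHI_LABEL_RE = re.compile(r"\b(DOB|MRN|SSN|date of birth|diagnosis)\b", re.IGNORECASE)

# Suffixes we assume denote an encrypted or password-protected container.
ENCRYPTED_SUFFIXES = (".pgp", ".gpg", ".7z", ".zip.enc")

# Phrase the policy's confidentiality statement is assumed to contain.
CONFIDENTIALITY_MARKER = "confidentiality notice"


@dataclass
class Email:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)  # attachment file names


def find_patient_names(text: str) -> List[str]:
    """Return roster names appearing in the text, case-insensitively."""
    lowered = text.lower()
    return [name for name in PATIENT_ROSTER if name.lower() in lowered]


def is_encrypted_attachment(filename: str) -> bool:
    return filename.lower().endswith(ENCRYPTED_SUFFIXES)


def check_email(msg: Email) -> List[str]:
    """Return the list of policy violations; an empty list means the message may be sent."""
    violations = []

    # Rule 1: no full patient names in the subject line.
    names_in_subject = find_patient_names(msg.subject)
    if names_in_subject:
        violations.append("patient name in subject line: " + ", ".join(names_in_subject))

    # Rule 2: PHI must be encrypted or in a password-protected attachment,
    # so neither roster names nor PHI field labels belong in the plaintext body.
    if find_patient_names(msg.body) or PHI_LABEL_RE.search(msg.body):
        violations.append("PHI in plaintext body; move it to an encrypted attachment")
    for name in msg.attachments:
        if not is_encrypted_attachment(name):
            violations.append(f"unencrypted attachment: {name}")

    # Rule 3: every message carries the confidentiality statement.
    if CONFIDENTIALITY_MARKER not in msg.body.lower():
        violations.append("missing confidentiality statement")

    return violations


if __name__ == "__main__":
    # Constructed sample messages: one that breaks every rule, one that follows them.
    bad = Email("Re: Jane Doe labs", "Jane Doe, DOB 01/02/1970, results attached.", ["labs.pdf"])
    good = Email(
        "Re: lab results",
        "Please see the attached encrypted file. Confidentiality notice: "
        "this message is intended only for the addressee.",
        ["labs.pdf.pgp"],
    )
    for label, msg in (("bad", bad), ("good", good)):
        print(label, "->", check_email(msg) or "OK to send")
```

The check is deliberately conservative: it cannot tell whether a plain PDF holds PHI, so it treats every unencrypted attachment as a violation and leaves the exception to a human reviewer, which matches the policy’s "all PHI encrypted or password protected" wording.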

While this seems like a lot of work, and it is to a certain extent, it can be mitigated by using a vendor that supplies example policies along with the aforementioned training documents and videos. The cost is typically not very high, and it does give you assurance that one sometimes very visible topic is being addressed in an appropriate fashion.
