How to Become HIPAA Compliant

Everyone who works in healthcare, or in a related field that deals with medical records, must understand the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Violating the rules and protocols of this federally regulated set of standards can result in hefty fines and even criminal proceedings.  Advances in technology further complicate an already complex set of rules, making it easier for professionals to violate HIPAA policy unintentionally.

Whether your organization is a large hospital, a small clinic, or a private practice, every member of it must adhere to HIPAA standards.  Ongoing training and auditing are advised for any company that handles personal medical information.  It is also necessary to implement proper access controls and encryption for all digital files and to ensure that all sensitive communications are handled correctly.

Today’s patients want convenience, and that includes fast and effective communication with their medical providers.  HIPAA compliant text messaging has become a source of confusion for providers who want to increase patient satisfaction while also safeguarding personal medical information.  Because of the complex and extensive nature of HIPAA legislation, many professionals rely on apps designed specifically for those who want to protect themselves and their patients when sending text message communications.


What type of information does HIPAA cover?

HIPAA was enacted to protect individually identifiable health information, known as Protected Health Information (PHI).  This covers medical records as well as mental health, immunization, workers' compensation, and disability records, among others, whether they are written, digital, or spoken.  The Privacy Rule governs the standards for PHI.  Its Safe Harbor de-identification method lists 18 identifiers that must be removed before health data counts as de-identified; as long as any one of them is present, the data is PHI and must be protected:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, except the first three digits of a ZIP code when that area contains more than 20,000 people)
  3. All elements of dates except the year (birth, admission, discharge, death), and all ages over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security Numbers (SSN)
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers (e.g. fingerprints, retinal scans, and voice prints)
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
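As an added example (not from the article, and not Halo's code), the Python script below runs a first-pass Safe Harbor scrub over a constructed clinical note.  It redacts the identifiers on the list that have a recognizable syntax, reduces dates to their year and buckets ages over 89 as the rule allows, and deliberately leaves the patient's name and street address untouched to make a point: roughly half the list (names, locations, ages written in words, "any other unique characteristic") has no fixed pattern and needs named-entity recognition or human review.  The note, the MRN format, and the redaction tags are assumptions made for the example.

```python
"""First-pass HIPAA Safe Harbor scrub of free-text clinical notes.

Added example, not from the article and not Halo's code. It handles the
identifiers from the 18-item list that have a recognizable syntax and
leaves the rest for NER or manual review.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample note; every identifier in it is fictitious.
NOTE = (
    "Pt Jane Q. Example (MRN: ABC-123456), 92-year-old, DOB 03/14/1931, "
    "seen 2023-11-02 at 14 Elm St, Springfield. SSN 123-45-6789. "
    "Home (617) 555-0142, fax 617.555.0199, email jane.example@mail.test. "
    "Portal login from 203.0.113.45, see https://portal.example.org/visit/8891. "
    "Sister is 67-year-old, no relevant history."
)

# Identifiers that are removed outright. Order matters: run the more
# specific shapes (SSN, URL, IP) before the looser phone pattern. The MRN
# layout (three letters, dash, six digits) is a hypothetical institutional
# convention assumed for this example.
PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url",   re.compile(r"\bhttps?://\S+?(?=[.,;:]?(?:\s|$))")),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b")),
    ("mrn",   re.compile(r"\bMRN[:# ]*[A-Z]{3}-\d{6}\b")),
]

# Dates: Safe Harbor lets the year stay, so reduce M/D/YYYY and YYYY-MM-DD
# to the year instead of blanking them.
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/(\d{4})|(\d{4})-\d{2}-\d{2})\b")

# Ages over 89 must be aggregated into a single "90 or older" bucket.
AGE_RE = re.compile(r"\b(\d{2,3})[- ]year[- ]old\b")


def scrub(text: str) -> tuple[str, Counter]:
    """Return (redacted text, number of hits per identifier category)."""
    hits: Counter = Counter()

    for category, pattern in PATTERNS:
        text, n = pattern.subn(f"[{category.upper()}]", text)
        hits[category] += n

    def keep_year(m: re.Match) -> str:
        hits["date"] += 1
        return f"[DATE:{m.group(1) or m.group(2)}]"

    def bucket_age(m: re.Match) -> str:
        if int(m.group(1)) > 89:
            hits["age_over_89"] += 1
            return "90-or-older"
        return m.group(0)  # ages 89 and under are not identifiers

    text = DATE_RE.sub(keep_year, text)
    text = AGE_RE.sub(bucket_age, text)
    return text, hits


if __name__ == "__main__":
    scrubbed, hits = scrub(NOTE)
    print(scrubbed)
    print(dict(hits))
    # Still present after this pass and needing NER or manual review:
    # the patient's name, the street address and city, and any free-text
    # unique characteristics. A regex pass is a start, not a certification.
```

Run it and compare the redacted note with the original: every pattern-shaped identifier is gone and the dates keep only their year, but "Jane Q. Example" and "14 Elm St, Springfield" survive.  That gap is exactly why Safe Harbor de-identification of free text cannot be certified on regular expressions alone.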


With so many data points that require special treatment, it is easy to see how healthcare professionals could inadvertently overlook or mishandle PHI.  Every year, hundreds of covered entities report breaches of unsecured PHI affecting 500 or more individuals, and the HHS Office for Civil Rights (OCR) is required to post each of them on its public breach portal.  Entries move from the open-investigation list to a public archive, so a listing stays visible to patients, journalists, and competitors long after the case is closed.  With the right tools and knowledge, this situation can be avoided.


What safeguards does HIPAA require?

The Security Rule governs the standards for ePHI, electronic Protected Health Information.  It requires administrative, physical, and technical safeguards for any system that creates, receives, maintains, or transmits ePHI.  Technical safeguards cover access control (unique user IDs, emergency access, automatic logoff, encryption), audit controls, integrity protection, person or entity authentication, and transmission security; note that encryption is an "addressable" specification, meaning it must be implemented unless a documented risk analysis justifies an equivalent alternative, not that it is optional.  Administrative safeguards cover the security management process (including a documented risk analysis), workforce training, sanctions policies, contingency planning, and periodic evaluation of compliance.  Physical safeguards refer to the facility that houses the medical data and the workstations and devices within it: facility access controls, workstation use and security policies, and device and media controls, protecting against intrusion by malicious persons as well as natural disasters.


What is the penalty for violating HIPAA?

The consequences of not following HIPAA policy can be financially devastating and leave a lasting mark on the reputation of the non-compliant organization and of the individuals involved.  Criminal charges are also possible for the most egregious offences.  Civil penalties are classified from Tier 1 to Tier 4 according to the level of culpability, with a higher number carrying more severe consequences.  The figures below are the base amounts; HHS adjusts them for inflation each year.

Tier 1 – Did not know of the violation and, exercising reasonable diligence, would not have known ($100 to $50,000 per violation, up to $25,000 per year)

Tier 2 – Reasonable cause: the entity knew or should have known, but the violation was not due to willful neglect ($1,000 to $50,000 per violation, up to $100,000 per year)

Tier 3 – Willful neglect, corrected within 30 days of discovery ($10,000 to $50,000 per violation, up to $250,000 per year)

Tier 4 – Willful neglect, not corrected within 30 days of discovery ($50,000 per violation, up to $1.5 million per year)

Civil enforcement is handled by the HHS Office for Civil Rights (OCR); OCR refers possible criminal violations to the Department of Justice.  Knowingly obtaining or disclosing PHI carries up to one year in prison; doing so under false pretenses, up to five years; and doing so with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm, up to ten years.  Courts may also order restitution to victims.


Does HIPAA address text messaging?

Yes.  Any disclosure of Protected Health Information, including by text message, is subject to HIPAA enforcement.  Standard SMS deserves extra due diligence: it is not end-to-end encrypted, it passes through and is retained by carrier systems, it sits in plaintext on the handset, and a mistyped number delivers the message to a stranger with no way to recall it.

HIPAA does not forbid texting, but a plain SMS conversation cannot satisfy the Security Rule on its own: there is no way to enforce user authentication, encryption in transit, audit logging, message expiry, or remote wipe of a lost device.  The practical path to HIPAA compliant text messaging is a secure messaging platform that provides those controls and whose vendor has signed a business associate agreement.  Mobile communication apps such as Halo offer user-friendly, HIPAA compliant texting built around these controls.


Which employees are subject to HIPAA protocol?

Every employee of a healthcare organization is obligated to understand and follow the standards set forth by HIPAA.  Doctors, nurses, technicians, administrators, receptionists… anyone who handles sensitive medical information is accountable for it.

This obligation also extends to people in healthcare-related industries who receive or are privy to Protected Health Information, usually as business associates of a provider.  This includes third-party record administrators, HR professionals, pharmacies, outpatient clinics, mental health professionals, and law offices.

It is best to err on the side of caution and provide comprehensive HIPAA compliance training and tools for all employees who may come into possession of personal medical data.  Proper training procedures and appropriate tools reduce the risk of data breaches and demonstrate proactive due diligence, which may spare an organization from owing costly penalties should a breach occur.


Where can I find more information about HIPAA?

The HHS Office for Civil Rights publishes the HIPAA regulations, Security Rule guidance, and the breach portal at hhs.gov.  You can learn more about Halo’s HIPAA compliant clinical communication platform at halocommunications.com/halo/hipaa-compliant-messaging/.