This has become increasingly difficult to do considering that patients are demanding more communication with their healthcare provider in the forms of email, text messaging, social media – even video. How are doctors supposed to balance providing quality patient care, protecting patient health records and offering more ways to strengthen their doctor-patient relationships while remaining HIPAA (Health Insurance Portability and Accountability Act) compliant?
In this post, we review some ways in which physicians can better adhere to HIPAA compliance, while providing effective patient communication and treatment in the digital age.
Increasing awareness of HIPAA rules
Most healthcare providers are aware that failure to comply with HIPAA regulations can result in fines, criminal charges and civil action lawsuits. The good news is that more healthcare professionals are demonstrating a better understanding of HIPAA compliance measures and are taking the necessary steps to avoid steep fines and protect the privacy of their patients.
In a 2016 survey by NueMD, they found that healthcare organizations are doing more to remain HIPAA compliant than two years ago. For example, just over 70% of respondents stated that their organization has a HIPAA compliance plan. Only 58% of respondents said the same in 2014.
What’s more, is that when HIPAA added its Omnibus Rule in 2013, only 64% knew of these stricter security guidelines and harsher penalties; now 69% said they were familiar with the new updates. And 40% are now aware that the Office for Civil Rights of HHS conducts audits to encourage enforcement of privacy guidelines, an increase of eight percent compared to two years ago.
In addition, when asked how confident they are that there is at least one employee who is familiar with HIPAA and is taking active steps to ensure compliance, 83% were either “very” or “somewhat” confident.
Drawing the line with patient communication
There’s no hiding the fact that mobile devices are now part of the healthcare industry’s toolbox and patients are willing and eager to take advantage of increased communication with their doctor.
But whether with patients or just between staff members, the increased use of mobile apps, email, texting, and social media brings into question HIPAA compliance in regards to these forms of communication and the types of devices used.
In the same NueMD survey, confidence has remained stagnant over the past two years on whether these devices and forms of patient communication are HIPAA compliant.
When communicating with or about patients, here are some tips to keep in mind so that you don’t jeopardize patient privacy or your practice’s reputation:
- Avoid sharing patient information to unauthorized individuals, even if you don’t mention the patient by name.
- Don’t share photos, videos or anything related to patient health information without the patient’s expressed consent.
- Don’t disclose protected health information on social media networks or review sites, even if a patient posts a false or inaccurate review.
- Do make a point to thoroughly train your employees on your practice’s HIPAA Privacy and Security policies.
- Do familiarize yourself with the fines related to HIPAA violations (fines can range from $100 – $1,500,000, including jail time).
This is just a small sampling of common sense tips physicians and healthcare organizations should keep in mind as they work toward complete HIPAA compliance.
Handling breaches and security risks
In addition to developing internal measures for patient data safety, external threats such as security breaches and hacks need to be accounted for. According to the Office of Civil Rights under HHS, there were 253 healthcare breaches that affected 500 or more individuals with a combined loss of over 112 million records.
To help lessen the threat of a security breach, it is required that you appoint a Security Officer and a Privacy Officer to create a single point of contact for handling such conflicts. Other measures to consider include:
- Encrypting data and hardware
- Creating digital communication guidelines
- Protecting paper files
- Encouraging staff to report errors or security concerns
- Conducting internal audits to assess compliance
- Providing ongoing HIPAA training
In addition, you will need to perform a risk analysis which is defined as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” That may seem like a huge undertaking – and it is – but simply put, you need to assess any and all potential risks such as natural, environmental and human caused threats.
You will also need to have a written plan for implementing safeguards to combat these threats. If a breach does occur, you will need to notify the affected individuals, HHS and the media in accordance to the HIPAA Breach Notification Rule.
HIPAA compliance checklist
To put you and your practice or organization on the fast track to HIPAA compliance, take a look at this comprehensive checklist to see what’s missing, what needs improving, and how to avoid hefty fines.
In short, HIPAA is asking you to:
- Put safeguards in place to protect patient health information.
- Have agreements in place with any service providers that perform covered functions or activities for you.
- Have procedures in place to limit who can access patient health information.
- Implement a training program for you and your employees about how to protect your patients’ health information.
Tell us: Is your practice or organization HIPAA compliant? What measures have you taken to ensure complete compliance?
