The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for the protection of sensitive patient information. Any organization or person that deals with Protected Health Information (PHI) must always follow HIPAA requirements. Any 3rd party entities such as vendors or subcontractors must also be compliant. The following safeguards should be put in place for any entities that handle or transport PHI to remain compliant with HIPAA rules and regulations.
Start HIPAA Training Immediately Upon Hire
All employees who work with access to PHI should receive HIPAA security training, as well as fraud, waste, and abuse certification. HIPAA security policies cover technical, administrative, and physical safeguards. Personnel must complete HIPAA training upon hire and should be refreshed annually throughout their time as an employee. A business should enforce HIPAA compliance and audit policies and procedures annually to ensure safe PHI handling procedures.
Technical Safeguards for HIPAA Compliance
Any technology used by a company to transmit confidential materials either physically or electronically, must be HIPAA compliant. Furthermore, any PHI which is handled or transferred between locations or systems must be protected with security measures, and access must be restricted to only authorized personnel. Upon hire, all employees must be set up with unique usernames, strong passwords, and appropriate levels of access. Employees must not share those logins, private information, or try to access information beyond their authorized access. Additional privacy, security, and compliance training will further strengthen a company’s security framework for safeguarding PHI.
Physical Safeguards for HIPAA Compliance
Whether PHI is stored in remote data centers, or on the site of the HIPAA compliant entity, appropriate physical measures need to be taken to secure the information. Examples include locking mechanisms, restricted access areas, clean desk policies, and secure document destruction.
Administrative Safeguards for HIPAA Compliance
Administrative policies regarding HIPAA compliance combine both physical and security controls into an overarching compliance and control framework. These policies are built upon risk assessments and mitigation. Securing and safeguarding PHI under HIPAA is not a one-time job and requires ongoing assessments and improvements. This security includes employee training, auditing compliance efforts, and developing additional policies and procedures to prevent security incidents. All of this strengthens data protection, mitigating any risk of being released against HIPAA guidelines.
The Risks of Non-Compliance
The data capture process manages a lot of sensitive information both physically and electronically and, therefore, must have the highest levels of protection possible. Implementing HIPAA compliant procedures across all security platforms, systems, and personnel is critical. Not following these policies and procedures could cost a company hefty fees in non-compliance penalties or, even worse, could lead to a potential security breach.
How Does Smart Data Solutions Implement HIPAA Security into Data Capture Systems?
Smart Data Solutions handles confidential PHI when performing paper to EDI data capture services for several healthcare payers nationwide. All of our systems have been implemented with HIPAA in mind. SDS aligns its security best practices with the HITRUST industry standards, which protects PHI in accordance with HIPAA standards and provides the highest level of security possible.
- The SDS security framework incorporates a number of elements including the following: Role-based access and segregation of duties
- Mandatory employee background checks
- Mandatory employee security, privacy, and compliance training
- Multifactor login authentication
- IP address restrictions
- Full disk encryption for all workstations and storage devices.
- Clean desk policies
- On site document destruction
This strict adherence to security procedures keeps data in the right hands, and the right roles, and prevents any unauthorized access to sensitive data.