HIPAA Compliance Survival Guide for Eye Care Professionals
Do you have a security risk analysis plan in place? Did you designate a compliance officer who keeps up with HIPAA changes? If you answered “no” or “I don’t know” to the previous questions, chances are your eye care practice has room to improve when it comes to HIPAA compliance.
Before you start to worry, know that you are not alone. According to the 2017 State of Privacy and Security Awareness Report, 78 percent of health care employees are not prepared for privacy and security compliance.
The Department of Health and Human Services (HHS) can fine offices who are not HIPAA compliant anywhere from $100-$50,000 per violation or per violated patient record. HIPAA is not a one-time project you can set aside, or you could set yourself up for possible breaches and security obstacles.
The following HIPAA compliance survival guide will help you navigate this process so that you can be more prepared and confident. Put on your thinking cap, because it’s time to study the complex layers of HIPAA in today’s rapidly evolving eye care industry.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) federal law has been around since 1996. HIPAA compliance focuses on three main tasks—confidentiality, integrity, and availability—when a covered entity or business associate (and its subcontractors) creates, receives, maintains, or transmits protected health information (PHI).
HIPAA protects the privacy of individual identifiable PHI, provides electronic and physical security of health and PHI, and simplifies billing and other electronic transactions.
- What is a covered entity? Includes three specific groups, such as health plans, health care clearinghouses, and health care providers (optometrist and ophthalmologist).
- What is a business associate? A person or company who performs a function or activity on behalf of or provides services to a covered entity that involves creating, receiving, maintaining, or transmitting PHI.
Privacy Rule State Laws and Regulations
In general, the HIPAA privacy rule overrides (or preempts) State laws relating to the privacy of health information that is contrary to the rule. However, there are certain exceptions if State laws that relate to the privacy of PHI are more stringent, the State law will remain in effect. HIPAA does not override State law provisions that are at least as protective as HIPAA.
Implement Business Associate Agreements
Do you have business associate agreements in place with vendors or third-party individuals or companies who may have access to your patients’ PHI?
Examples of business associates include your EHR software vendor, IT company/consultant, clearinghouses, and patient relationship management vendors. A business associate agreement will protect you (covered entity) and business associates if there is a data breach.
Designate a HIPAA Compliance Officer
A HIPAA compliance officer needs to have a strong understanding of your business processes, documentation practices, risk management practices, and incident response plans. Additionally, a HIPAA compliance officer must remain current with HIPAA privacy and security compliance requirements to protect how your practice creates, uses, and maintains PHI.
Larger eye care practices may split the responsibilities between a privacy officer and security officer. A HIPAA compliance officer should have extensive knowledge of administrative, physical and technical safeguards, as well as organizational requirements.
Develop and Enforce HIPAA Policies and Procedures
It’s critical that every eye care practice has an updated HIPAA employee handbook that documents internal policies and procedures about privacy, security and breach notification rules, and how you will safeguard your practice to protect PHI.
Employees must sign a statement that confirms they read, understand, and agree to comply with privacy, security, and confidentiality policies. Your HIPAA compliance officer should conduct annual reviews of policies and procedures, and update the handbook when necessary.
Employees include owners, managers, supervisors, officers, full and part-time employees, temporary agency employees, contractors, and interns. Employees can also be observers who may have either direct or indirect access to PHI.
Document Proof of HIPAA Training
Ongoing compliance training is the most proactive (and easiest) way to avoid a violation. You must provide every employee with HIPAA awareness training and a quiz to ensure ongoing accountability for complying with privacy and security policies and procedures concerning PHI.
Document completed quizzes with a signed certificate of completion, and keep these for a minimum of six years after the last date of employment with your practice.
Perform a Security Risk Analysis or Assessment
Performing a security risk analysis or assessment for your practice can be a challenging task. However, this is one compliance task you can’t sweep under the rug and hope that you never face a HIPAA breach. You need to perform compliance and risk assessments on a regular basis to make sure you adhere to the HIPAA’s administrative, physical and technical standards, and identify and correct any non-compliance issues.
Check out the free HealthIT.gov Security Risk Assessment (SRA) tool and videos to help guide you through the process.
What is PHI?
Protected Health Information (PHI) is any information in the patient’s medical record that identifies the patient. You must protect PHI that was created in the process of caring for the patient and is transmitted or maintained in an electronic, paper or verbal manner.
Patient health information includes: medical records, diagnoses, x-rays, photos and images, prescriptions, lab work and other test results, billing records, claims data, referral authorizations, and explanation of benefits.
HIPAA’s privacy rule has a minimum necessary requirement that prohibits snooping in PHI unless you have a valid need-to-know reason. HIPAA’s policy is “see no PHI, speak no PHI, and hear no PHI,” unless you need the PHI to perform a specific job function.
18 Identifiers that Qualify as PHI
- Postal address (street, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code)
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone number
- Fax number
- Email address
- Social Security Number (SSN) or the new Medicare Beneficiary Identifier (MBI)
- Medical record numbers
- Health plan and insurance beneficiary numbers
- Account number
- Certificate/license numbers
- Vehicle identifiers and serial numbers, or license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address
- Biometric identifiers, including finger and voice prints
- Full face photos
- Any other unique identifying numbers, codes or characteristic, which includes a medical diagnosis
Protecting the Privacy and Electronic Security of PHI
There are several steps you must take to protect the privacy and electronic security of PHI. A few of the most critical requirements are listed below.
- Keep computers password-protected.
- Change passwords often, at least quarterly. Do not reuse passwords once you change them.
- Do not share or post your password—keep them in a secure location.
- Commit your password to memory, whenever possible.
- At a minimum, when creating your password, incorporate a combination of letters, numbers, and special characters. Avoid dictionary words and personal information.
- Immediately change your password if it is accidentally exposed or compromised.
- Report all password exposures to your HIPAA compliance officer.
- Upon termination and resignation of a staff member, immediately deactivate all passwords to prevent unauthorized access.
Document and Workstation Security
- Always log off or lock access to computers when you leave, even if only for a moment.
- Keep computer systems up-to-date with current operating system security patches, firewalls, and antivirus definitions. Never disable a firewall as this prevents outsiders from accessing your practice’s private data resources.
- Ensure that computer screens and displays with access to ePHI are not visible to unauthorized individuals or passersby.
- Keep confidential or sensitive information locked away when not in use. File confidential documents in locked cabinets or drawers.
- Store files that contain PHI on a secure server, not your workstation hard drive or personal computer.
- Store printed PHI securely in locked file cabinets, desk drawers, and offices when you are not in your work area.
- Move your EHR system to the cloud. MaximEyes EHR keeps your files safe and secure at a HIPAA-compliant location.
Mobile Devices, Smartphones and App Security
- Never leave mobile computing devices (laptops, tablets, mobile phones, Bluetooth devices, memory cards, flash drives, and external hard drives) unattended or in an exposed or unsecured area.
- Use encryption when storing PHI on mobile computing devices.
- Password-protect every mobile device. For smartphones and similar mobile devices, use a PIN lock or remote wipe.
- Before you use Dropbox, make sure your plan includes HIPAA compliance and you sign a business associate agreement. Only certain versions of Dropbox are supported for HIPAA compliance.
- Do not use Evernote and Google Hangouts when receiving or transmitting ePHI as they are not HIPAA-compliant services.
- If you use G Suite Apps (formerly Google Apps) that support HIPAA compliance, sign a business associate agreement, configure access controls, and set device controls.
- Virtual assistant programs like Alexa, Siri, Amazon Echo, Google Home, and Google Assistant are not HIPAA compliant.
- Use caution when uploading or downloading files to or from mobile devices. Adhere to the “minimum necessary” standard and never transfer ePHI over a network without using encryption.
- Keep mobile devices up-to-date with current operating system security patches and anti-virus software
Disposal and Destruction
- Never leave sensitive or confidential information in a regular trash container. Securely dispose of all papers that contain PHI, such as using a cross-cut paper shredder.
- Maintain records to track the movement (transfer or relocation) of devices and media.
Voicemail, Answering Machines and Telephone Communications
- Be careful what messages you leave on answering machines and voicemails. Avoid leaving any PHI or other sensitive information.
- If you use a speakerphone, be aware of your surroundings and be sensitive to the messages you are leaving or re-playing. Close the door, lower the volume, and consider picking up the handset.
- If you find out that you left PHI on the wrong voicemail, confirm that the recipient deleted the message and did not use or disclose the information.
Social Media and Patient Testimonials Compliance
- Create a social media policy and train your staff.
- Never use social media to discuss or post a patient’s medical issues online.
- Always have your patient sign a written agreement or consent form before you share a photo, testimonial or video that includes the patient. Make sure the patient doesn’t disclose PHI in the testimonial or video.
Providing Information to an Insurance Company
According to the Notice of Privacy Practices, health care providers use and disclose medical information only to obtain payment. Best practice is to provide only the information that is needed.
For example, lab values are not required for billing purposes, and therefore you should not provide these to the insurance company. However, if the patient has submitted an authorization allowing the use and disclosure of his or her information to the insurance company, the minimum necessary standard would no longer apply.
Using Secure Communications for PHI
Engage Patients with a Patient Portal
Patient portals that include a seamless workflow and interoperability with an EHR, such as MaximEyes EHR, are an excellent way to connect with patients and deliver on-demand, secure access to PHI from recent doctor visits.
Send and receive secure messages using the MaximEyes EHR patient portal, and remain competitive and compliant with advanced patient portal tools, such as online scheduling, online bill pay, online faxing, and online patient welcome/medical history forms.
Send Secure Emails and Text Communications
Even though the U.S. Department of Health and Human Services (HHS) doesn’t “expressly prohibit” sending electronic PHI (ePHI) via emails, email systems are not secure unless you have explicit information that the system is encrypted or secure.
However, if a patient sends you a text or email about a health issue, the HIPAA security rule requires that you continue the conversation about ePHI over an open electronic network that is secure.
- Do not use Google Gmail (free account) to send ePHI, it is not a HIPAA compliant solution.
- Never email attachments containing ePHI unless you use a secure email encryption service, such as Virtru.
- Always include a “confidentiality and privacy notice” in the footer of all emails.
- Be careful what you send via regular email. Always de-identify the ePHI. This rule applies to both internal and external emails.
- If you identify ePHI that was sent in error, contact the sender immediately. Do not extend the breach of information by forwarding the identified ePHI to others. Securely dispose of or destroy the information after alerting the sender.
- If you receive notification that you sent an unsecured email containing ePHI to the wrong recipient, confirm that the recipient destroyed all copies and did not disclose the information.
- Do not send passwords in the same email as the ePHI attachment.
- Do not include the word “PHI” in the “Subject” line of the email.
- Include your contact information as part of the email.
- Do not store emails or email attachments with PHI on your hard drive—these must be stored on a secure server. Permanently delete the email and the attachments when they are no longer needed.
Send Secure Faxes
- Always use a secure eFax service or online faxing in your EHR patient portal.
- Do not include or reference PHI on the fax cover sheet.
- Never fax PHI to an unsecured fax machine.
- Always check the destination fax number before faxing. Review pre-programmed numbers on a regular basis.
- Immediately alert the sender of any faxes you receive in error, do not use or disclose the information, and either return or destroy (shred) the fax.
- If you sent a fax with PHI to the wrong person, confirm that the recipient destroyed all copies and did not disclose the information. Immediately contact your supervisor for next steps.
- Use a confidential fax cover sheet and always include a confidentiality statement in the footer.
EHR and HIPAA Best Practices for Compliance
Is your eye care EHR certified for data encryption? Does it contain functionality that adheres to HIPAA requirements for user access controls, privacy, and security? If you answered “no” or “I don’t know” to these questions, it’s time to evaluate your EHR system to safeguard your eye care practice.
As part of the ONC-ACB Health Information Technology (HIT) certification requirements, your EHR system should have built-in controls for encryption and decryption. These improved security functions for Symmetric Key Encryption should include Advanced Encryption Standard (AES), which encrypts sensitive data and PHI.
MaximEyes EHR is ONC 2015 Edition Health IT certified for quality reporting and Promoting Interoperability (PI) Programs. We’re committed to ensuring our EHR products comply with current certifications and clinical standards. MaximEyes EHR adheres to IHE standards, and we will continue to adopt standards and functionalities that make it possible for eye care providers to safely and securely exchange EHR data.
Ready to feel more confident about an EHR that keeps up with HIPAA compliance? Request a MaximEyes EHR demo today to learn how our EHR software solutions and practice management software can elevate your eye care practice.
This blog is meant as an educational resource and does NOT constitute legal HIPAA advice. Covered entities (eye care providers) are responsible for taking the necessary steps needed to protect the confidentiality, integrity, and availability of protected health information (PHI) and complying with the HIPAA security and privacy rules.