26 Sep HIPAA Compliance Guide for Eye Care Professionals
Do you have a security risk analysis plan? Did you designate a compliance officer who keeps up with HIPAA changes? If you answered “no” or “I don’t know” to the previous questions, your eye care practice has room to improve regarding HIPAA compliance.
The Department of Health and Human Services (HHS) can fine offices that are not HIPAA compliant anywhere from $100-$50,000 per violation or per violated patient record. HIPAA is not a one-time project you can set aside, or you could set yourself up for possible breaches and security obstacles.
The following HIPAA compliance guide will help you navigate this process to be more prepared and confident. Put on your thinking cap because it’s time to study the complex layers of HIPAA in today’s rapidly evolving eye care industry.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) federal law has been around since 1996. HIPAA compliance focuses on three main tasks—confidentiality, integrity, and availability—when a covered entity or business associate (and its subcontractors) creates, receives, maintains, or transmits protected health information (PHI).
HIPAA protects the privacy of individual identifiable PHI, provides electronic and physical security of health and PHI, and simplifies billing and other electronic transactions.
- What is a covered entity? Includes three specific groups: health plans, health care clearinghouses, and health care providers (optometrist and ophthalmologist).
- What is a business associate? A person or company that performs a function or activity on behalf of or provides services to a covered entity that involves creating, receiving, maintaining, or transmitting PHI.
Follow Privacy Rule State Laws and Regulations
In general, the HIPAA privacy rule overrides (or preempts) State laws relating to the privacy of health information that is contrary to the rule. However, there are certain exceptions if State laws that relate to the privacy of PHI are more stringent, the State law will remain in effect. HIPAA does not override State law provisions that are at least as protective as HIPAA.
Implement Business Associate Agreements
Do you have business associate agreements with vendors, third-party individuals, or companies who may access your patient’s PHI?
Examples of business associates include your EHR software vendor, IT company/consultant, clearinghouses, and patient relationship management vendors. A business associate agreement will protect you (covered entity) and business associates if there is a data breach.
Designate a HIPAA Compliance Officer
A HIPAA compliance officer must understand your business processes, documentation, risk management practices, and incident response plans. Additionally, a HIPAA compliance officer must remain current with HIPAA privacy and security compliance requirements to protect how your practice creates, uses, and maintains PHI.
Larger eye care practices may split the responsibilities between a privacy officer and a security officer. A HIPAA compliance officer should have extensive knowledge of administrative, physical and technical safeguards and organizational requirements.
Develop and Enforce HIPAA Policies and Procedures
It’s critical that every eye care practice has an updated HIPAA employee handbook that documents internal policies and procedures about privacy, security and breach notification rules, and how you will safeguard your practice to protect PHI.
Employees must sign a statement that confirms they read, understand, and agree to comply with privacy, security, and confidentiality policies. Your HIPAA compliance officer should review policies and procedures annually and update the handbook when necessary.
Employees include owners, managers, supervisors, officers, full and part-time employees, temporary agency employees, contractors, and interns. Employees can also be observers who may have either direct or indirect access to PHI.
Document Proof of HIPAA Training
Ongoing compliance training is the most proactive (and easiest) way to avoid a violation. You must provide every employee with HIPAA awareness training and a quiz to ensure ongoing accountability for complying with privacy and security policies and procedures concerning PHI.
Document completed quizzes with a signed certificate of completion, and keep these for a minimum of six years after your practice’s last date of employment.
Perform a Security Risk Analysis or Assessment
Performing a security risk analysis or assessment for your practice can be challenging. However, this is one compliance task you can’t sweep under the rug and hope you never face a HIPAA breach. You must perform compliance and risk assessments regularly to ensure you adhere to HIPAA’s administrative, physical and technical standards, and identify and correct any non-compliance issues.
Check out the free HealthIT.gov Security Risk Assessment (SRA) tool and videos to help guide you through the process.
Our HIPAA Risk Assessment Checklist for Eye Care Professionals reviews several steps you must take to protect your practice’s privacy and electronic security and Protected Health Information (PHI).
What is PHI?
Protected Health Information (PHI) is any information in the patient’s medical record that identifies the patient. You must protect PHI that was created in the process of caring for the patient and is transmitted or maintained in an electronic, paper, or verbal manner.
Patient health information includes: medical records, diagnoses, x-rays, photos and images, prescriptions, lab work and other test results, billing records, claims data, referral authorizations, and explanation of benefits.
HIPAA’s privacy rule has a minimum necessary requirement that prohibits snooping in PHI unless you have a valid need-to-know reason. HIPAA’s policy is “see no PHI, speak no PHI, and hear no PHI,” unless you need the PHI to perform a specific job function.
18 Identifiers that Qualify as PHI
- Patient’s name
- Postal address (street, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code)
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security Number (SSN) or the new Medicare Beneficiary Identifier (MBI)
- Medical record numbers
- Health plan and insurance beneficiary numbers
- Account number
- Certificate/license numbers
- Vehicle identifiers and serial numbers, or license plate numbers
- Device identifiers and serial numbers
- Digital identifiers, such as Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address
- Biometric identifiers, including finger and voiceprints
- Full-face photos images
- Any other unique identifying numbers, codes, or characteristics, which include a medical diagnosis
Protecting the Privacy and Electronic Security of PHI
You must take several steps to protect the privacy and electronic security of PHI. A few of the most critical requirements are listed below.
- Keep computers password-protected.
- Change passwords often, at least quarterly. Do not reuse passwords once you change them.
- Do not share or post your password—keep them in a secure location.
- Commit your password to memory, whenever possible.
- At a minimum, incorporate a combination of letters, numbers, and special characters when creating your password. Avoid dictionary words and personal information.
- Immediately change your password if it is accidentally exposed or compromised.
- Report all password exposures to your HIPAA compliance officer.
- Upon termination and resignation of a staff member, immediately deactivate all passwords to prevent unauthorized access.
Document and Workstation Security
- Always log off or lock computer access when you leave, even if only for a moment.
- Keep computer systems up-to-date with current operating system security patches, firewalls, and antivirus definitions.
- Ensure that computer screens and displays with access to ePHI are not visible to unauthorized individuals or passersby.
- Keep confidential or sensitive information locked away when not in use. File confidential documents in locked cabinets or drawers.
- Store files that contain PHI on a secure server, not your workstation hard drive or personal computer.
- Store printed PHI securely in locked file cabinets, desk drawers, and offices when you are not in your work area.
- Move your EHR system to a secure cloud environment. MaximEyes.com keeps your files safe and secure at a HIPAA-compliant location. For instance, two-factor authentication or multi-factor authentication (MFA) adds a second layer of security to verify your identity when accessing MaximEyes.com.
Mobile Devices, Smartphones, and App Security
- Never leave mobile computing devices (laptops, tablets, mobile phones, Bluetooth devices, memory cards, flash drives, and external hard drives) unattended or in an unsecured area.
- Use encryption when storing PHI on mobile computing devices.
- Password-protect every mobile device. Use a PIN lock or remote wipe for smartphones and similar mobile devices.
- Before you use Dropbox, ensure your plan includes HIPAA compliance and sign a business associate agreement. Only certain versions of Dropbox are supported for HIPAA compliance.
- Do not use Evernote and Google Hangouts™ when receiving or transmitting ePHI as they are not HIPAA-compliant services.
- If you use Google Workspace Apps that support HIPAA compliance, you must sign a Business Associate Agreement with Google, configure access controls, and set device controls.
- Virtual assistant programs like Alexa, Siri, Amazon Echo, Google Home, and Google Assistant are not HIPAA compliant.
- Use caution when uploading or downloading files to or from mobile devices. Adhere to the “minimum necessary” standard and never transfer ePHI over a network without using encryption.
- Keep mobile devices up-to-date with current operating system security patches and anti-virus software
Disposal and Destruction
- Never leave sensitive or confidential information in a regular trash container. Securely dispose of all papers that contain PHI, such as using a cross-cut paper shredder.
- Maintain records to track device and media movement (transfer or relocation).
Voicemail, Answering Machines, and Telephone Communications
- Be careful what messages you leave on answering machines and voicemails. Avoid leaving any PHI or other sensitive information.
- If you use a speakerphone, be aware of your surroundings, and be sensitive to the messages you are leaving or re-playing. Close the door, lower the volume, and consider picking up the handset.
- Confirm that the recipient deleted the message and did not use or disclose the information if you find out that you left PHI on the wrong voicemail.
Social Media and Patient Testimonials Compliance
- Create a social media policy and train your staff.
- Never use social media to discuss or post a patient’s medical issues online.
- Always have your patient sign a written agreement or consent form (HIPAA Marketing Authorization Form) before you share a photo, testimonial or video that includes the patient. Make sure the patient doesn’t disclose PHI in the testimonial or video.
Providing Information to an Insurance Company
According to the HHS “Notice of Privacy Practices,” health care providers should only use and disclose medical information to obtain payment. The best practice is to provide only the information that is needed.
For example, lab values are not required for billing purposes. Therefore you should not provide these to the insurance company. However, if the patient has submitted an authorization allowing the use and disclosure of his or her information to the insurance company, the minimum necessary standard would no longer apply.
Using Secure Communications for PHI
Engage Patients with a Patient Portal
Patient portals that include a seamless workflow and interoperability with an EHR, such as MaximEyes EHR, are an excellent way to connect with patients and deliver on-demand, secure access to PHI from recent doctor visits.
Send and receive secure messages using the MaximEyes EHR patient portal, and remain competitive and compliant with advanced patient portal tools, such as online scheduling, online bill pay, online faxing, and online patient welcome/medical history forms.
Send Secure Emails and Text Communications
Even though the U.S. Department of Health and Human Services (HHS) doesn’t “expressly prohibit” sending electronic PHI (ePHI) via emails, email systems are not secure unless you have explicit information that the system is encrypted or secure.
However, if a patient sends you a text or email about a health issue, the HIPAA security rule requires that you continue the conversation about ePHI over an open electronic network that is secure.
- Do not use Google Gmail (free account) to send ePHI, it is not a HIPAA-compliant solution.
- Never email attachments containing ePHI unless you use a secure email encryption service, such as Virtru.
- Always include a “confidentiality and privacy notice” in the footer of all emails.
- Be careful what you send via regular email. Always de-identify the ePHI. This rule applies to both internal and external emails.
- If you identify ePHI that was sent in error, contact the sender immediately. Do not extend the information breach by forwarding the identified ePHI to others. Securely dispose of or destroy the information after alerting the sender.
- If you receive notification that you sent an unsecured email containing ePHI to the wrong recipient, confirm that the recipient destroyed all copies and did not disclose the information.
- Do not send passwords in the same email as the ePHI attachment.
- Do not include the word “PHI” in the “Subject” line of the email.
- Include your contact information as part of the email.
- Do not store emails or email attachments with PHI on your hard drive—these must be stored on a secure server. Permanently delete the email and the attachments when they are no longer needed.
Send Secure Faxes
- Always use a secure eFax service or online faxing in your EHR patient portal.
- Do not include or reference PHI on the fax cover sheet.
- Never fax PHI to an unsecured fax machine.
- Always check the destination fax number before faxing. Review pre-programmed numbers regularly.
- Immediately alert the sender of any faxes you receive in error, do not use or disclose the information, and either return or destroy (shred) the fax.
- Confirm that the recipient destroyed all copies and did not disclose the information if you sent a fax with PHI to the wrong person. Immediately contact your supervisor for the next steps.
- Use a confidential fax cover sheet and always include a confidentiality statement in the footer.
EHR and HIPAA Best Practices for Compliance
Is your eye care EHR certified for data encryption? Does it contain functionality that adheres to HIPAA requirements for user access controls, privacy, and security? If you answered “no” or “I don’t know” to these questions, it’s time to evaluate your EHR system to safeguard your eye care practice.
As part of the ONC-ACB Health Information Technology (HIT) certification requirements, your EHR system should have built-in controls for encryption and decryption. These improved security functions for Symmetric Key Encryption should include Advanced Encryption Standard (AES), which encrypts sensitive data and PHI.
MaximEyes EHR is ONC 2015 Edition Health IT certified for quality reporting and Promoting Interoperability (PI) Programs. We’re committed to ensuring our EHR products comply with current certifications and clinical standards. MaximEyes EHR adheres to IHE standards, and we continue to adopt standards and functionalities that make it possible for eye care providers to safely and securely exchange EHR data.
Ready to feel more confident about an EHR that keeps up with HIPAA compliance? Request a MaximEyes EHR demo today to learn how our EHR software solutions and practice management software can elevate your eye care practice.
This blog is an educational resource and does NOT constitute legal HIPAA advice. Covered entities (eye care providers) are responsible for taking the necessary steps to protect the confidentiality, integrity, and availability of protected health information (PHI) and comply with the HIPAA security and privacy rules.