
What medical office managers need to know about HIPAA

By Jordan MacAvoy

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The rules issued under it, chiefly the Privacy Rule and the Security Rule, set the standards that healthcare organizations and their vendors must meet when they handle patients’ protected health information (PHI). An organization subject to HIPAA is compliant only if it actually safeguards the PHI it holds, and it must be able to show that it does.

Healthcare organizations and their vendors must designate someone to oversee the compliance program. The Privacy Rule calls this person the privacy official and the Security Rule the security official; in a small practice both roles usually fall to the same person, often the office manager, and this article simply calls that person the HIPAA manager. If your organization has HIPAA obligations and you are given this role, you need to understand what the rules require and what they mean for your business. Here’s what you should know as an office manager.

Who are the covered entities?

“Covered entities” are health plans (including insurers), healthcare clearinghouses, and healthcare providers that transmit health information electronically in the course of their work. Vendors that create, receive, or store PHI on a covered entity’s behalf are “business associates” and are bound by HIPAA as well. The rules do not apply to family caregivers or private citizens, so before you share PHI with them, give the patient the opportunity to agree or object.

The Privacy Rule is intended to protect patients’ privacy. In healthcare, providers continuously communicate with each other and with third parties such as insurers, and PHI is routinely shared in those communications. The rule permits this for treatment, payment, and healthcare operations, but each disclosure should be limited to the minimum necessary for its purpose and made in the patient’s interest.

What information is protected?

HIPAA protects all individually identifiable health information that a covered entity holds or transmits, in any form: oral, written, or electronic. Your organization is liable for an improper disclosure in any of those forms. The protected information covers:

  • A patient’s future, present, or past mental or physical health/conditions
  • The type of health care that was provided to patients (including lab results and clinical notes)
  • Payments relating to an individual’s health care (including billing records)
  • Demographic data and information such as name and contact details that can be used to identify an individual.

In the course of rendering its services to patients, your organization will create, store, or transmit PHI. Therefore, it’s also your responsibility to secure the information. Family caregivers may handle some of this information, but they are not responsible for protecting it the way your organization is.

HIPAA security rule safeguards

The HIPAA Security Rule sets standards for the storage, handling, and transmission of electronic PHI (ePHI). It applies to covered entities and their business associates and specifies the administrative, physical, and technical safeguards that must be in place to protect the confidentiality, integrity, and availability of ePHI. Here’s a breakdown of the safeguards.

  • Administrative safeguards

Covered entities must have written policies and procedures for handling PHI, starting with a documented risk analysis that identifies where ePHI lives and what threatens it. The policies should be reviewed and updated regularly so they reflect current business processes, tailored to your organization’s size and scope of operation, and backed by a sanctions policy for staff who violate them. Management and employees must be trained on them so that PHI is handled properly, and that training should be documented.

  • Technical safeguards

These relate to your organization’s cybersecurity posture: the controls that prevent breaches and limit their consequences. The Security Rule names five areas: access control (unique user IDs, automatic logoff, emergency access), audit controls (logs of who accessed which records), integrity controls, person or entity authentication, and transmission security. Encryption of ePHI at rest and in transit, firewalls, and tested backups are the usual ways these are put into practice (backups formally belong to the administrative contingency plan, but they sit on the same checklist).

  • Physical safeguards

These relate to the physical sites, devices, and media where your organization stores and accesses PHI. Facility access should be controlled so that unauthorized individuals cannot reach servers, workstations, or paper records. An alarm system helps, but the rule also expects workstation security (screens positioned away from the waiting room and locked when unattended) and device and media controls, such as tracking laptops and storage media and wiping or destroying them before disposal.

Becoming HIPAA-compliant

HIPAA compliance may sound like a necessary evil, but it goes a long way toward improving your data security. To become compliant, you should do the following:

  • Provide up-to-date training on the secure handling of PHI for every workforce member who touches it, not only administrative staff, and keep records of who was trained and when
  • Restrict access to patients’ PHI to individuals who need it for their daily tasks, and never leave PHI unattended, whether on paper or on an unlocked screen
  • Limit email transmission of PHI to cases where there is no alternative, and encrypt it when you must send it
  • Keep backups of ePHI that you can actually restore; if a cloud or hosting provider stores them, it is a business associate and must sign a business associate agreement (BAA) before it receives any PHI
  • Assign role-based access so that employees cannot reach information that isn’t relevant to their duties, and remove access promptly when someone leaves
  • Ensure that third-party vendors who access PHI sign a BAA and meet HIPAA’s requirements themselves

Data breaches are frequent in healthcare, and HIPAA compliance is a legal obligation rather than an option. As the HIPAA manager, your role is to make sure the organization achieves compliance, maintains it, and can document it. Keep in mind that compliance is a complicated undertaking, especially the first time through, and it is reasonable to consult an expert rather than navigate it alone.

HIPAA breach notification

Even with safeguards in place, breaches can still occur. If one hits you, the Breach Notification Rule requires you to notify the affected individuals without unreasonable delay, and in no case later than 60 days after discovery, and to report the breach to the Department of Health and Human Services (HHS). You should also know the breach notification laws in your state, which are often stricter than the federal rule.

Breaches are classified by size. A breach affecting 500 or more individuals must be reported to HHS and to the affected individuals within 60 days of discovery, and if it affects more than 500 residents of one state or jurisdiction, prominent media outlets serving that area must be notified as well. A breach affecting fewer than 500 individuals must still be reported to the affected individuals within 60 days, but it can be logged and reported to HHS in a batch within 60 days after the end of the calendar year in which it was discovered. One important caveat: PHI that was encrypted in line with HHS guidance counts as “secured,” so losing a properly encrypted laptop or drive does not by itself trigger notification.

What are the consequences of HIPAA violation?

If your organization is found to have violated the HIPAA rules, the penalties are harsh. Civil penalties are tiered by the degree of negligence, from $100 to $50,000 per violation under the original schedule, with an annual cap of $1.5 million for violations of the same provision (HHS adjusts these amounts for inflation each year). Knowingly obtaining or disclosing PHI in violation of HIPAA is also a federal crime punishable by fines and imprisonment, and a breach may bring state attorney general actions, lawsuits, and remediation costs on top of any fine.

Final words

As the HIPAA manager, make sure your organization establishes a comprehensive and effective compliance program. It protects patients, the organization’s reputation, and its finances. Achieve compliance, maintain it, and be ready to demonstrate it at any time.