HIPAA is the Health Insurance Portability and Accountability Act. It is a U.S. law that:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information.
The last two points are what I will be focusing on. This is only my opinion, and you should seek counsel from an industry expert or lawyer in your jurisdiction.
Being HIPAA compliant – Processes, procedure, policies in today’s marketplace
Device management is key for HIPAA compliance. Fundamentals are as follows:
Each staff member is assigned a device and signs that they are accountable for it. I suggest you have an asset release agreement signed, as it instills a sense of ownership and accountability. This agreement should include the device model, serial number, full name of the user, date, signature, witness, etc.
The user will have to enter a passcode to access the device. Set the passcode to wipe the device clean after ten unsuccessful attempts – this is standard if you are using an Apple device (iPod, iPad). Why do this? It is much better to lose a few hundred dollars than your client’s PHI (Protected Health Information). The fines are hefty and should not be trifled with.
Strict password governance guidelines should be set in place, for example:
- Change the passcode at regular intervals.
- Do not use common passcodes: the user’s date of birth or the current year is not acceptable, nor is a common number such as 1234 or 1212.
- Most importantly, do not reuse passcodes.
- If the staff member believes that someone has seen them enter the code, they must change it immediately.
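One way to turn these guidelines into an enforceable check, as an added example that is not part of the original post: a small Python checker that rejects common and trivial patterns, codes built from the user’s date of birth, codes containing the current year, and reused codes, and a second function that flags a passcode that is overdue for rotation. The 6-digit minimum, the 90-day rotation interval, the list of common codes and the sample staff record are assumptions (the post gives no numbers); the run and repeated-pair detection generalises the 1234 / 1212 examples above.

```python
from __future__ import annotations
from datetime import date

# Assumptions for this example (the post gives no numbers): passcodes are
# numeric, at least MIN_LENGTH digits long, and rotated every ROTATION_DAYS days.
MIN_LENGTH = 6
ROTATION_DAYS = 90

# A short list of widely used codes; the post names 1234 and 1212.
COMMON_CODES = {"1234", "1212", "0000", "1111", "2580", "4321", "1122",
                "123456", "111111", "121212"}


def _dob_forms(dob: date) -> set[str]:
    """Digit strings a user is likely to build from their date of birth."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
    return {d + m, m + d, y, y[2:], d + m + y[2:], m + d + y[2:],
            d + m + y, m + d + y, y + m + d}


def _is_run(code: str) -> bool:
    """Consecutive or identical digits throughout: 1234, 4321, 0000."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def _is_repeated_pair(code: str) -> bool:
    """The same two digits repeated: 1212, 121212."""
    return len(code) >= 4 and len(code) % 2 == 0 and code == code[:2] * (len(code) // 2)


def check_passcode(code: str, dob_iso: str, history: list[str],
                   today_iso: str | None = None) -> list[str]:
    """Return the policy rules a proposed passcode breaks (empty list = acceptable)."""
    if not code.isdigit():
        return ["must contain digits only"]
    dob = date.fromisoformat(dob_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} digits")
    if code in COMMON_CODES or _is_run(code) or _is_repeated_pair(code):
        problems.append("common or trivial pattern")
    if code in _dob_forms(dob):
        problems.append("derived from date of birth")
    if str(today.year) in code:
        problems.append("contains the current year")
    if code in history:
        problems.append("reuses an earlier passcode")
    return problems


def rotation_overdue(last_changed_iso: str, today_iso: str,
                     interval_days: int = ROTATION_DAYS) -> bool:
    """True when the passcode is older than the rotation interval."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > interval_days


if __name__ == "__main__":
    # Constructed sample staff record, not real data.
    staff = {"dob": "1985-03-14", "history": ["735194"], "last_changed": "2024-01-03"}
    for proposed in ("1234", "140385", "202411", "735194", "918273"):
        verdict = check_passcode(proposed, staff["dob"], staff["history"], "2024-05-01")
        print(proposed, verdict or "ok")
    print("rotation overdue:", rotation_overdue(staff["last_changed"], "2024-05-01"))
```

The history list is the device’s record of previous codes, so the reuse rule is only as good as the retention of that list; keep it at least as long as the rotation interval times the number of past codes you want to block.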
When the staff member has completed their session, they must log out. Simply put, an open device is an insecure device. To ensure this, it is good practice to conduct random checks. Should you find that a staff member has ignored company policy and not logged out, you need to demonstrate that proper disciplinary procedures are followed (i.e. verbal / written warnings and then termination)… please discuss this with your legal team.
The idea here is that you are doing your utmost to protect your client’s PHI and you are following your company’s policies and procedures. If you don’t follow your company’s policies, you will not have a leg to stand on should a breach happen. You must be actively working towards compliance all the time.