By Dava Stewart
By now, all chiropractic practices have at least a passing familiarity with HIPAA (the Health Insurance Portability and Accountability Act) and the regulations and requirements the law entails.
Anyone who handles personal information must protect it, including DCs and their staffs. And even when the utmost care is taken to be HIPAA compliant, there are still areas where many healthcare practices are commonly making mistakes.
Equipment is becoming increasingly important. Technology advances make work easier and can often improve patient care and outcomes. However, there are at least two areas where technology could lead to a lack of HIPAA compliance:
Hard drives — Last year, a company called Affinity Health Plan returned photocopiers it had leased, and personal health information was still stored on the hard drives of those copiers. Affinity self-reported the incident to the Department of Health and Human Services and was fined.
Mobile devices — Mobile devices often improve the workflow in a healthcare practice. Being able to easily and conveniently carry a single device that holds all of the information necessary to provide thorough and proper care to a patient is a boon to many DCs. However, such devices can be stolen, along with the information they contain. Just as leaving a chart unattended puts a facility out of compliance, so does a tablet that is vulnerable to theft.
In addition to equipment, chiropractic offices must consider the human factor in being HIPAA compliant. People are just as important as machines when it comes to data security.
There are several areas of possible vulnerabilities concerning office staff:
Understanding HIPAA — When the staff has a clear understanding of the law and its repercussions, they are more willing to implement new policies or follow what may seem like cumbersome guidelines.
Paperwork — Although many offices are moving toward being paperless, there are still forms that must be completed or provided to patients, such as the Notice of Privacy Practices (NPP). Making sure that each file is complete is as important as making sure it is secure.
Training — Many Electronic Health Records (EHR) systems are designed to help users stay HIPAA compliant. However, if staff members are not using or are incorrectly using the EHR, then the design will not matter. Making sure that everyone knows how to use the system and that it is being fully implemented will go a long way toward keeping your practice compliant.
HIPAA is a complex law and remaining in compliance can seem daunting. However, there are tools and services that can help. Hiring an outside firm to analyze your systems may be worth the time, cost and effort. Often, EHR systems manufacturers and retailers will offer some HIPAA training. A review every two to three years will ensure your practice remains compliant.