The Basics

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect personal and sensitive patient information and other health information provided to healthcare professionals. In short, the four main purposes of HIPAA are the privacy of health information, the security of electronic medical records, administrative simplification, and insurance portability. Given the numerous data breaches our nation has seen in recent times, the privacy and security of personal information has become far more important. If you are a smaller medical practice with few locations, the information below will be particularly beneficial for you.

So many acronyms...

At the heart of HIPAA law, and of the titles that govern data privacy specifically, is PHI, or Protected Health Information. PHI takes the form of physical records, electronic records, or spoken information, all of which are given to healthcare professionals in confidence, and it ranges from health records and health histories to lab results and medical bills. Critically, everything that falls under the umbrella of health information is considered PHI because it contains what are referred to as “individual identifiers”, unique details that would allow an individual to be recognized. Protecting this information is essential, and how you do so is central to your success as a medical practice.

Becoming Compliant

While there are several ways to be HIPAA compliant with regard to client information, the most important thing to avoid is collecting the sensitive patient information described above through standard website forms. Popular examples of these website forms include Gravity Forms, WuFoo, Ninja Forms, JotForm and Contact Form 7. With this method of collection, your data lives in your site database and can potentially be exposed in a data breach, even if it is encrypted. Despite the prominence of these web forms, the need for unshakable data security remains, which is why you are strongly encouraged to steer away from standard website forms: keeping them secure requires meticulous monitoring and maintenance, which is rarely practical for a small or midsize practice that may not have the bandwidth to keep a consistently watchful eye. Fortunately, there is both hope and a solution bundled in one: using a third-party vendor.

The Solution

As medical practices expand further into the online world through websites and mobile apps, the need for data security grows. We have all seen massive data breaches that left major companies devastated, such as Target. As CSO Online puts it, “Each business enterprise is only as secure as its weakest vendor.” However, every third-party vendor that stores, creates, transmits, or maintains protected health information is required to comply with HIPAA law at all times. And while vendors control the technology of data storage, healthcare providers remain ultimately responsible for the privacy and security of their patients’ information at all times, as stressed by ITPAC Consulting.

When evaluating whether a third-party vendor is complying with HIPAA law, it is helpful to make a checklist, which should include all of the points below, as outlined by ITPAC:

– Request a copy of the vendor’s HIPAA risk assessment, security policies and procedures, and their plan in case of an emergency

– Hire an IT expert with HIPAA experience to confirm that the above materials are sufficient for maximum security

– Produce written contracts that address how the third-party vendor guarantees free access to data and how it will be made available in a standard format (make certain this contract is terminable in case the vendor and your medical practice sever ties)

– Create a system that requires the vendor to provide regular backups of stored data in a standard format

– Require the vendor to abide by security laws and all pertinent requirements as outlined in HIPAA; this must be in the form of a Business Associate Agreement

– The written contract should clarify that the vendor does not have ownership of any personal data, but only a limited license for use of the data, all of which is outlined in the written contract (note: this license expires when the agreement is terminated)

– Ensure absolute clarity regarding terms and conditions of software use by the vendor, and make sure this is established before composing the final contract

– Develop a liquidated damages clause that clearly states the vendor will fairly compensate the provider if any stored data is lost, destroyed, or breached

Being entrusted with sensitive client information is a massive and often overwhelming responsibility. Putting data security and privacy at risk damages the reputation of your medical practice in the eyes of your patients and their families and can be a costly legal mistake, so approaching it with diligence and great care is of the utmost importance. Ultimately, it is wise to remove doubt about the security and privacy of your patients’ information by investing in a third-party vendor. By closely following the checklist above, you can be sure that all your bases are covered and truly focus your attention on what makes your medical practice the best in the business.

Hire Gravitate. Get Results.