Maintaining a HIPAA compliant system is crucial for any business that handles health information. The Health Insurance Portability and Accountability Act holds you responsible for safeguarding the health care and medical information of your clients and employees. If you are found not to be HIPAA compliant, the legal consequences scale with the severity of the offense: civil penalties range from $100 to $50,000 per violation, and where the neglect is extreme or foul play is involved, criminal charges and jail time are possible. To avoid penalties, and to keep your company off the permanent, public list of violations, here are a few tips for maintaining a HIPAA compliant facility.
HIPAA compliance has both a technological component and a personnel component. Anyone with access to patient records, or who otherwise handles patient information, should be trained on the policies and procedures for dealing with that content. Training must be kept current, and it should be revisited whenever there is a personnel or systems change.
Put Someone In Charge
A designated security officer should be responsible for monitoring your organization's HIPAA status. This does not have to be an additional hire, but naming someone who takes charge and understands what HIPAA compliance requires at least gives the rest of your employees a clear point of contact and chain of command.
Beyond the basic requirement of keeping your hardware locked in a designated room, it is your responsibility to show a good faith effort to secure the information. In addition to being locked away, the equipment should ideally sit in a low traffic area to minimize visitors' contact with the access point, and you should be able to show who holds access to that room.
Wireless internet can open the door for people who were never meant to reach your information to do so through the network. You must have a separate network for people who may not have access to privileged information: neither guests nor any uncleared individual should ever touch the network through which your secured files are accessed. If you cannot run two physically separate networks, at the very least put guests on an isolated subnet (for example, a dedicated guest SSID on its own VLAN) with firewall rules that block traffic from it into the network where patient records live.
Any system or company you work with should also receive proper HIPAA training, and HIPAA requires a written business associate agreement with such vendors. If you bring in an outside company, you can still be held responsible for breaches caused by its lack of security. Keep all of your associates on the same page, and make sure the people you trust hold the same values your company does regarding client and patient privacy.
If client or patient information is stolen or improperly shared, you must identify the breach, document it thoroughly, and then report it in full. Failing to identify a breach could be considered negligent, and the repercussions could include loss of license. Report all discrepancies immediately; attempting to hide a security breach will result in far worse fines and consequences than the breach itself.
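As an added illustration of the guest isolation described above (this is example configuration, not part of the original article or any particular vendor's product), the following nftables ruleset for a small router or firewall keeps a guest subnet away from the subnet where patient records are accessed. The interface names (clinic0, guest0, wan0) and the subnet addresses are assumptions chosen for the example; substitute your own.

```nft
# Added example (not from the original article): nftables ruleset for a
# router/firewall with three interfaces. Names and subnets are assumptions:
#   clinic0 = 10.10.0.0/24    workstations that access patient records
#   guest0  = 192.168.50.0/24 guest Wi-Fi on its own VLAN/subnet
#   wan0    = uplink to the Internet
flush ruleset

table inet clinic_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept

        # Guests must never reach the clinical subnet. Log and count the
        # attempts so the security officer can review them.
        iifname "guest0" ip daddr 10.10.0.0/24 log prefix "guest-to-clinic: " counter drop

        # Guests may only go out to the Internet.
        iifname "guest0" oifname "wan0" accept

        # Clinic workstations may go out to the Internet. Nothing from guest0
        # is ever accepted into clinic0; the drop policy covers it.
        iifname "clinic0" oifname "wan0" accept
    }

    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept

        # Guests need only DHCP and DNS from the router.
        iifname "guest0" udp dport { 67, 53 } accept
        iifname "guest0" tcp dport 53 accept

        # Clinic side gets DHCP, DNS and SSH management of the router.
        iifname "clinic0" udp dport { 67, 53 } accept
        iifname "clinic0" tcp dport { 22, 53 } accept
    }
}
```

Load it with `nft -f` and confirm the active rules with `nft list ruleset`. The firewall only does its job if the access point actually places the guest SSID on the guest VLAN; a guest SSID bridged onto the clinical LAN bypasses every rule above, so verify from a guest device that addresses in the clinical subnet are unreachable.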