Published on January 11, 2018
From all of us at Hush Communications, we’d like to wish you a Happy New Year. 2018 is going to be a busy one for us, and we’re sure you’re also putting your efforts into making the new year a productive one. In the tradition of New Year posts, we would like to suggest one multi-part resolution to focus on for your business, particularly if you’re in the healthcare field.
There is always more that you can do to improve your HIPAA compliance under the three fundamental rules regarding privacy, security, and breach notifications. By implementing a few key actions this year, you can ensure that your business is compliant in case of a HIPAA audit, and most importantly, that your patients’ and clients’ personal data is secure.
The HIPAA Privacy Rule sets out the requirements for how protected health information (PHI) may be handled over email, phone, and fax. However, it does not attempt to eliminate all risk of accidental disclosure, which could impede the work of practitioners. A practice is considered to be compliant as long as reasonable safeguards are in place to govern how PHI is used and disclosed. A secure, encrypted email service such as Hushmail is the best way to ensure that PHI transmitted by email is viewed only by the practitioner, the patient, and other authorized parties. At Hush we make this as simple as possible: Hushmail users send encrypted email to each other automatically, and can send encrypted email to recipients without a Hushmail account using a selected encryption option. Communication is seamless and secure, giving both practitioner and patient peace of mind that their private conversations will remain private.
The HIPAA Security Rule stipulates the requirements for safeguarding the confidentiality, integrity, and availability of electronic protected health information (ePHI). Entities are expected to have administrative, physical, and technical safeguards in place to protect ePHI from unauthorized disclosure, breaches, cyber crime, and other threats. The best way to ensure that you are implementing the appropriate safeguards is to conduct a risk assessment. At Hush we strongly recommend that all businesses conduct an assessment any time the business undergoes a significant change, as a way of ensuring consumer confidence in the security of their data. We outlined the steps of a comprehensive risk assessment for any small business in this recent post.
The HIPAA Breach Notification Rule requires that entities inform affected individuals, the U.S. Department of Health and Human Services (HHS), and, in some cases, the media when a data breach compromises unsecured PHI. Notification must occur without unreasonable delay, and no later than 60 days after the breach is discovered, and must describe how the breach occurred, the types of information it affected, what is being done to remedy the situation, and what affected individuals can do to protect themselves from harm.
One of the best ways to ensure that you’re ready to comply with this rule is to conduct a data audit before a breach occurs. We recently wrote a post detailing the basic steps of a data audit as a way of ensuring compliance with the EU’s upcoming General Data Protection Regulation (GDPR). Knowing exactly what type of data is handled by your business, where it’s stored, and who is handling it will help you respond quickly should a data breach occur within your business.
HIPAA compliance is an ongoing task and at times may seem daunting, especially for a small business. However, by resolving to (1) subscribe to a secure, encrypted email provider, (2) conduct a risk assessment, and (3) conduct a data audit, you will cover the basics of HIPAA compliance and lay the foundation for a practice that is known to be secure and confidential.