Understandably, the start of the year presents its fair share of challenges for healthcare professionals and organizations. For many of us, it is easier to keep up with day-to-day duties during that period and let compliance slip.
Rather than treating compliance as a once-and-done task, or something to address only when a problem arises, we put together a list of 5 tips to help you and your organization stay compliant in 2019 and beyond.
Policies and Procedures Require Review
Review of policies and procedures is often forgotten. It is easy to think of policies and procedures as documents that exist in case they are needed, or something to reference on occasion. Simply having written policies and procedures does not mean you are “in compliance.” Your policies and procedures require periodic review – at least once per year, or whenever updates occur.
Change your Passwords
A recent security study found that weak login credentials, including passwords, were among the top causes of data breaches last year. Approximately 76 percent of attacks on corporate networks involved weak passwords. We can’t emphasize enough the importance of periodically changing your password to one that is at least 6 characters in length (preferably 8 or more), that mixes upper- and lower-case letters, numbers and punctuation characters, and, most important, that is difficult for attackers to guess.
Tip: If you haven’t changed your passwords in a while, please do so. We highly recommend not sharing your password with anyone, and not writing passwords down and leaving them in areas that are visible and/or accessible to others.
Ensure Proper Safeguards are in Place Before Communicating Electronically
Everyone in your organization has a responsibility to ensure health information is protected. Likewise, everyone in your organization has a responsibility to ensure that only the minimum necessary information is shared electronically, and only with the intended recipient. You should include a disclaimer on emails and faxes that notifies the recipient that email and facsimile are not secure channels, and that provides a contact to whom the recipient can report a misdirected message.
Tip: Always use a fax cover sheet whenever you send faxes containing any sensitive or protected health information. The cover sheet should identify the information contained in the transmission as confidential, and remind the recipient that any review, dissemination, distribution, or duplication of the information contained in the communication is strictly prohibited. The same disclaimer language should also be included in your emails.
Properly Dispose of, or Store, PHI When Not in Use
The HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means you must implement and follow reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI in connection with the disposal or storage of such information.
Tip: When destroying PHI in paper records, we recommend shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. You may also maintain PHI for disposal in a secure area that has limited access and is not accessible by the general public. When ready, you may use a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI. Do not throw documents containing PHI in the trash can.
Complete the Entire Breach Notification Process
How many of you have logged a suspected breach on a breach log? Has that suspected breach been properly researched and mitigated? Have you electronically submitted the report to the Secretary of Health and Human Services (HHS)? Simply logging the breach and notifying the affected individual doesn’t mean you are in compliance. The breach must be researched, mitigated, and reported properly.