HIPAA Compliance Checklist: What needs to be done?

In the United States, every agency associated with the health care is aware of the HIPAA regulation. The full form of the regulation which was first drafted in 1996 is Health Insurance Portability and Accountability Act. Before we get down with our discussion on the key points of HIPPA regulation, it is imperative to understand why it is such an important federal law. Under HIPAA compliance, handling of patient information is taken very seriously. There are primarily two aspect of this regulation, HIPAA Privacy Rule and HIPAA Security Rule. While the former deals with how one can use or disclose pertinent information regarding a patient, the latter addresses the requisite standard required to safeguard electronic protected health care information or e-PHI. This infuses credibility and accountability within a health delivery system, which is important for the following reasons:

1. To maintain confidentiality, integrity and availability of all e-PHI that is either created, received, transmitted and maintained by an authority.
2. To protect against potent threats that could comprise the security and integrity of e-PHI.

Today, our work is majorly governed by the use of computers and technology. Such a trend has increased efficiency and mobility of our work force. However, at the same time it has raised potential security threats that can lead to comprise of information and loss of data. To prevent such occurrences from happening is the main premise of the HIPPA regulation.

As per the HIPPA language, the law is applied to PHI or protected health information that comprises of name, email address, phone number, photos, address and other personal information of a patient. But, the big question is who comes under the HIPPA compliance scanner. Any agency that offers health plans, establishments that facilitates and processes health information and health care providers that offer wide range of health services namely preventive, diagnostic, therapeutic, rehabilitative, counseling, maintenance etc, including sale and dispensing of drugs, equipment and device have to duly comply with HIPPA regulation.

Under the HIPAA compliance the following key factors have to be kept in mind :
1. All Patient Information must be protected and kept secured.
2. Patient information must be handled with utmost care when transmitted or shared on email. It should be ensured that the PHI is encrypted if going outside a secured firewall.
3. For remote handling of PHI files, onsite health portal should be used.
4. All laptops and desktops must be special software to prevent data theft and loss.
5. Disposals of PHI must be carried by an authorized person in a much secured fashion.

In order to efficiently maintain and protect e-PHI, the HIPPA security requires every health care organization to follow proper administrative, technical and physical set-up.
Requirements for Administrative Set up:
• Risk Management
• Risk Analysis
• Sanction Policy
• Information System Activity Reviews
• Officers
• Employee Oversight
• Multiple Organizations
• ePHI Access
• Security Reminders
• Protection against Malware
• Login Monitoring
• Password Management
• Response & Reporting
• Contingency Plan
• Emergency Mode
• Evaluation
• Business Associate Agreement
Requirement for Physical Set up:
• Contingency Operations
• Facility Security
• Access control & validation
• Maintenance Records
• Workstations
• Devices and Medical Disposal and re-use
• Media Movement
Requirement for Technical Set up:
• Unique User Identity
• Emergency Access
• Automatic Logoff
• Encryption & Decryption
• Audit Controls
• ePHI Integrity
• Authentication
• Transmission Security
Additional Requirement under HIPPA Security:
• Website security
• Email security
• Skype
• Fax
• Text Messaging

These are some of the key elements that will ensure that one’s organization is sincerely adhering to HIPPA compliance. The U.S department of health and human services takes HIPAA compliance quite seriously. Recently, it has made tougher penalties for violations of HIPAA act. Penalty can be anywhere between $100 to $1.5 million depending upon the severity and nature of penalty.