Tip One: Establish Privacy Policies
One of the first things you can do to get on the right side of HIPAA requirements is to establish privacy policies. These policies need to be enforced and implemented properly, but they should also be documented carefully. In the event that the privacy policy is violated in some way, a record of that violation should be made immediately.
Online privacy policies have taken center stage as social networking sites and search engines have recently come under fire for sharing user information. Even if you think your business is too small to merit a privacy policy, the Better Business Bureau advises that if you have a website, you will benefit by having a comprehensive privacy policy.
“Privacy policies are about transparency and are key to building trust between your business and your customers,” said Alison Southwick, BBB spokesperson. “While it’s easy to get intimidated by the scope and legalese, the bottom line is, you will increase consumer confidence in doing business on your website if you have a clear privacy policy.”
When drafting your website’s privacy policy, BBB recommends using simple language to answer the following five questions:
- What information do you collect? – Outline the types of personal information that you collect from customers. This includes home address, e-mail, phone numbers and credit card numbers.
- How do you collect the information? – Websites collect information from customers in many different ways. Even if you don’t actually sell goods through your site you might have an e-mail sign-up for a newsletter, an application for credit or install cookies on the visitor’s computer to track their activities. Disclose how data is being collected to show you have nothing to hide.
- How do you use the information? – Include background on how you share customer information with third parties such as to process orders. If you sell customer information to marketers, explain what information is sold and how it could be used.
- What control does the customer have over their personal information? – Customers need a way to contact your business and control their personal data, whether it’s changing a password on their account or taking their name off of a mailing list. Plan to include a direct phone number or e-mail address that customers can use to manage their information.
- How do you protect the information? - Explain how you protect customer data including, but not limited to, website encryption, limiting employee access to sensitive customer data, and server security.
There is no cookie-cutter privacy policy. Your business is unique and your privacy policy should reflect that. Seek legal guidance before you finalize your policy. You are legally liable if you fail to abide by your privacy policy statement or if the statement does not comply with local and national laws.
As your business changes, so should your privacy policy. Plan to revise your policy as your web activities evolve and alert customers when you make revisions affecting their personal data.
For additional free advice on keeping customer data safe visit BBB’s Data Security -- Made Simpler.
Tip Two: Ongoing Risk Assessments
HIPAA compliance is not something you can simply worry about one time and forget about. Compliance requires ongoing monitoring and adjustments, so regular risk assessments are a wise idea. By looking for potential risks within your system, you can make adjustments and improvements as needed to ensure compliance over time.
Tip Three: Dealing With Email
How are you going to handle security when it comes to email? Are you going to be able to encrypt all messages sent to patients with private health information? While you don’t necessarily need to send encrypted messages in order to remain compliant, you should inform all patients about the risk of using email for gathering health information and protect yourself by utilizing a compliant Email solution.
Tip Four: Mobile Devices
In the age of mobile devices, it is more important than ever that your practice have a specific set of procedures in place for gathering and storing health information. While there are plenty of advantages to be enjoyed through the use of mobile devices, they also present unique challenges due to their portability. If you are going to use mobile devices in your practice, it is essential that a plan be in place for their management and control – specifically for mobile devices leaving the confines of the office.
Find out more about threats to your mobile device here.
Tip Five: Investigating Breaches
It is possible that, despite your best efforts, you may experience a data breach that requires review. There should be a protocol in place in advance that can be enacted when there is concern that a breach has taken place. Once an investigation is undertaken, the process and outcome of that investigation need to be carefully documented. Important lessons can be learned from ANY breach that can be used to update and improve your existing privacy policy.
Tip Six: Training Is Essential
Perhaps no single part of the HIPAA compliance process is as important as training. If employees are not properly trained in the execution of procedures, your privacy policies may fail. All employees need to be trained on HIPAA compliance, and on how it will be implemented within their role as part of the practice. Training should be standard for any new hires that come into the facility, and it should also be refreshed from time-to-time as policies change and practices are adjusted.
There are serious ramifications for falling short in terms of HIPAA compliance, but you won’t have to worry about that matter when you have Accessible Compliance on your side. With a staff of professional and experience healthcare professionals on our team, we have all of the experience and knowledge necessary to position your practice well within the limits of the HIPAA guidelines. Please feel free to contact us today to learn more about what we have to offer.