HIPAA’s been the law of the land since the mid 1990s. But too many companies are still struggling with compliance – particularly in the area of protecting personally identifiable information (PII) from public release.
The penalties for failing to safeguard PII are severe – and would be personally devastating to most individuals who are convicted of a criminal offense under HIPAA. Specifically, anyone who knowingly obtains individually identifiable health information or leaks PII to another person is subject to a fine of up to $50,000 and up to a year in prison. If that individual does it under false pretenses, it’s a $100,000 fine and up to five years in prison. And if it’s done with the intent to sell, transfer or use that PII, you’re looking at a $250,000 fine and up to 10 years in prison.
It’s critical, then, for leaders at all levels of the company to develop and rigorously enforce a plan to comply with HIPAA’s privacy rules.
Here are the fundamentals to keep in mind when developing your plan.
- Documentation is Key. Employees make mistakes from time to time, and a rare few will be crooked. But if you document your HIPAA training and compliance procedures in writing, that can go a long way to limiting the damage if an employee is found in breach of the law.
- Integrate Across Departments. HIPAA isn’t just an HR issue. It affects everyone. Your IT department, in particular, should be intimately involved in your HIPAA compliance effort. IT will ultimately be responsible for developing and implementing a password and file protection protocol, and for helping your employees use Outlook settings and other software features to minimize the chance of accidentally forwarding sensitive information by email.
- Audit Your Subcontractors. You are responsible for the actions and non-actions of your subcontractors and vendors. If you routinely handle sensitive information, you must take steps to protect that information from contractors and vendors. Or, if that is not possible because of the nature of your business with that vendor, ensure that they are at least as vigilant about HIPAA compliance as you are.
- Don’t Neglect Physical Security. Areas in which workers have access to sensitive files should be segregated from common areas, and access to sensitive areas restricted. Only employees with a need to work with that sensitive information should have unescorted access to these areas. Files not actively being worked on should be locked away – with strict accountability enforced for key access.
- Shred Documents. Identity thieves have been known to go through garbage bags outside of companies looking for sensitive information. Invest in a number of high-quality shredders to destroy documents that are thrown away before they leave your secure areas. It’s not enough to have a box of documents that will be shredded later. Shred unneeded documents as they are identified.
- Create a Culture of Privacy. This starts from the top. Management should rigorously enforce privacy standards, every time they walk around the office. Junior employees won’t do it for you. Senior management has to set the example and hold middle management accountable, while giving them the training and resources they need to comply.
- Turn off the AutoComplete Function on Outlook or Other Email Clients. This will help minimize the possibility that your employees will accidentally include an unauthorized individual when sending a document to someone with a similar name or email address. Many large employers have more than one Jones, Smith or Garcia. Disabling autocomplete forces the employee to type out the entire email address.
- Sterilize files. Managers often need to access certain information, such as employee census documents or payroll records. Make these available for those who need them but with personally identifiable information, such as names, health insurance documents, Social Security Numbers, dates of birth and other potentially sensitive information stripped out of the spreadsheet as appropriate.
Get some help – Or Invest in Staff. HIPAA compliance is almost never a core business competency for anyone outside of compliance consultants and people looking at the issue full-time. Because of the ubiquity of HIPAA issues and the severity of potential penalties for noncompliance, this is an important issue to warrant getting some outside help. Alternatively, you may want to invest in some formal training and coursework for key members of your HR and IT staff. These people should be senior enough to get their voices heard throughout the organization. Furthermore, management should take steps to ensure that the employees tasked with shepherding your company’s HIPAA compliance effort get all the support they need. This includes office space, time to train other employees, adequate training facilities and materials, a budget for needed equipment such as servers, routers and shredders, and time to maintain a HIPAA compliance binder to track your efforts.