Four Steps for Warding Off HIPAA Compliance Sickness

By: René Grajales | In: Small Business | On: Apr 10, 2015

You could call it “The case of the $150,000 thumb drive.”

A Massachusetts dermatology practice recently paid that penalty for committing multiple violations of the Health Insurance Portability and Accountability Act (HIPAA)’s privacy and security rules. The Department of Health and Human Services (HHS) levied the hefty fine after one of the practice’s unencrypted thumb drives—containing thousands of patient medical records—was stolen from a staffer’s car.

Are you breathing a sigh of relief because you’re not running a medical practice? Well, don’t exhale just yet: In 2013, modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (often called the Omnibus Rule) expanded the law’s range to include non-medical small businesses that must also now closely follow those mandates. The penalty for noncompliance ranges from $100 to $50,000 per violation.

Because of the changes, small accounting firms, law practices and insurance brokers (HHS calls these “business associates”) must become compliance sticklers—which means getting serious about organizing their records.

Four Steps to Avoid the HIPAA Hurt

Not surprisingly, HIPAA compliance means following a laundry list of HHS directives. These include having written policies and procedures available that address safeguarding medical records and educating and training employees.

However, as the dermatology practice learned, a large part of compliance comes down to:

  • Knowing where your records are
  • Having absolute certainty they are secure
  • Being able to retrieve them quickly

Does it seem daunting to track every email (and attachment), piece of paper and important bit of information that knocks on your network’s door? Help ensure that HHS keeps its hands off of your hard-earned revenues with these critical first steps.

Step #1: Get an assist. By working with a trusted vendor, you can store all your records in one central and secure location. Any staff that handles your documents must pass through a safeguarded vetting process.

Step #2: Establish easier, faster retrievals. Tagging, indexing and classifying records makes it simple to immediately pull up the documents you need, when you need them. Even better, employ metatags to allow only pre-approved staffers access to certain documents. This level of control also helps with the new HIPAA requirement to document and account for any disclosure of a patient’s medical records.

Step #3: Erase the difference between paper and e-documents. One of the big challenges of HIPAA compliance arises when you have separate troves of paper records and electronic documents. Work with an experienced partner to put electronic and paper records under one searchable and secure umbrella.

Step #4: Shred what you don’t need; scan the rest. One of the big pushes in healthcare is to get away from physical medical records. But making the jump from paper to electronic documents can be fraught with HIPAA compliance risk if approached carelessly. Think about it:

  • What happens to your paper records after scanning? Do they just go in a dumpster?
  • Who is ultimately responsible for those reams of paper chock full of sensitive patient information?

Bottom line: Devise a plan that ensures expired paper documents get shredded and that new electronic records are secure.

Finally, you won’t find this nugget of advice among any of HHS’s tips on meeting the demands of HIPAA: Don’t keep medical records on a thumb drive—and don’t let your employees keep records in their cars.



About the author

René Grajales

North America Vice President of Sales Strategy and Solutions

Since joining in 2007, Grajales has led a series of changes that will forever impact the way Iron Mountain serves its customers. His passion for supporting the ever-changing needs of our clients, and for ensuring Iron Mountain is a company that is extremely easy to do business with, is rivaled only by his dedication to customer satisfaction. Prior to Iron Mountain, Grajales founded and managed an international import/export logistics, warehousing, and distribution company in Latin America, held various roles in IT consulting with EDS/HP assigned to the airline industry, and served as the Director of Channels Sales and Marketing for Latin America within the Intelligroup/Empower Solutions group of companies, serving ERP customers with offshore IT consulting and programming solutions. He holds a Master of Business Administration, a postgraduate degree in marketing, and a Bachelor of Science in Business Administration and Computer Information Science from the University of Tampa, Florida. In addition, Grajales has attended executive leadership training at Harvard University, Boston, and Northwestern University's Kellogg School of Management, Illinois.