TechAdvisory.org

Technology Advice for Small Businesses

4 facts about HIPAA and your IT

While HIPAA’s implementation in relation to technology has been problematic to say the least, things have become much clearer over the course of the past year. However, there are still a few areas in which your office might not be compliant. This isn’t necessarily through negligence on your part, but rather simply a lack of understanding as to the requirements. We look at four facts your practice should know about HIPAA and your IT.

If you’re still confused about which parts of your IT are HIPAA-compliant and which parts need to be addressed, don’t panic. You’re not the only practice still struggling to figure out just what exactly is and isn’t compliant. Here are four important things you should know about the technology your office uses and its relationship with HIPAA.

Telehealth and mHealth are not always compliant

If your practice has invested or is thinking about investing in telehealth or mHealth, you need to make sure it is HIPAA-compliant. While most telehealth technology is HIPAA-approved, you might be required to enact one or two measures to make it compliant. An IT specialist should have no problem making sure your telehealth is up to code.

On the other hand, mHealth might be a little more problematic. While a lot of hardware and apps, including Fitbit and the Apple Watch, are HIPAA-compliant, it is a field that is still very new and constantly changing. Your best bet is to consult regularly with an expert to make sure your mHealth is following all the necessary regulations.

All info, not just EHRs, needs to be HIPAA-compliant

If your office has individually identifiable ePHI data sets on-site, including information like billing records, appointment information and test results, they must be kept on HIPAA-compliant devices and servers. A lot of medical practices that use cloud-based storage for their EHRs overlook this fact. While it’s good to have your EHRs ready to go on the cloud, make sure the rest of your ePHI data is protected as well. If it isn’t, you could be facing a fine.

Your protected health information notice must be available online

If your practice has a website, HIPAA’s rules dictate that it must contain a copy of your updated protected health information notice for patients to access. If you have a website and this information is not currently posted, you might consider getting this done in the near future in order to avoid any problems.

Healthcare business associates must also be HIPAA-compliant

It is not just medical practices, healthcare clearinghouses, and health plan organizations that are required to be HIPAA-compliant. Any other business that has access, electronic or otherwise, to protected health information is also required by law to be HIPAA-compliant. This includes any accounting or law firms you work with that may already be accessing your files electronically to carry out work. In order to avoid any potential trouble for your practice or its partners, it best to ask them if they are HIPAA-compliant. If they aren’t, cease all access to files, and make sure they take action to correct this issue immediately.

Still not sure if you’re 100% HIPAA-compliant? Our team of experts can run the necessary risk analysis, and assist in correcting any areas of your technology that may not be in line with current regulations.