Have you checked your HIPAA compliance for your medical billing department lately? Risk analysis followed by an ongoing risk management program is essential for compliance, and an on-site walk through is a great way to get a picture of where you stand.
The Health Insurance Portability and Accountability Act (HIPAA) mandates standards-based implementations of security controls by all health care organizations that create, store or transmit electronic protected health information (PHI). HIPAA requires covered entities to get satisfactory assurances that their business associates are compliant. Outsource Receivables Incorporated, as a professional full-service medical billing provider, is keenly aware of HIPAA compliance throughout the many services provided. Protecting our clients' information and ensuring that we are using best practices for physical and electronic transmission of information is critical. Moreover, having all staff properly trained and regularly reminded of processes and policies keeps ORI and our clients in compliance.
Having HIPAA compliance processes in place and regularly revisiting them is the only way to be assured that you are compliant. An important component of preparing for a potential HIPAA compliance audit is to conduct a “walk through” to make sure privacy and security policies and procedures are practical and effective. We recommend a HIPAA compliance walk through on a regular basis. Conduct your own on-site walk through using the HIPAA Compliance Check List. This process is critical to ensure that your written policies and procedures are the actual business rules by which you run your medical billing department.
Administrative Safeguard Recommendations from Health and Human Services
- Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Policies and Procedures and Documentation Requirements
- Documentation. A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
- Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).