The following may sound silly, or even insulting, given that the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. Unfortunately, every time another HIPAA breach occurs and another Covered Entity or Business Associate has its name posted on the HIPAA “Wall of Shame”, we are reminded of areas of the HIPAA Privacy and Security Rules that have been ignored or overlooked.

Here are some basic HIPAA Requirements:

  1. The Notice of Privacy Practices (NPP) should be posted in the facility and on the website, should list the Privacy Officer or contact person for the organization, and must be dated 2013 or later, because the Final Omnibus Rule updated the NPP requirements (enforcement date of September 23, 2013).
  2. Secure all Protected Health Information (PHI) and electronic Protected Health Information (ePHI). It is not good enough to have your server in a server closet: unless the server room remains locked at all times and is not doubling as a storage room, the heart of your business is dangerously exposed. Papers containing PHI and computers containing ePHI MUST be secured (locked) and stored properly.
  3. Business Associate Agreements need to be signed and dated post-Omnibus Rule (2013 or later) with all third parties that access the organization's PHI. This includes software vendors, storage facilities, consultants, interpreters, and any third-party contractors that would have access to PHI at any level.

Do not assume that security incidents, or worse, breaches, only happen to others. Put in place what is expected (and required) by the HIPAA Privacy and Security Rules.

Security and compliance are first and foremost in the management of our clients' systems. After conducting thousands of Security Risk Assessments (SRAs), we saw the same vulnerabilities emerge again and again. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address these vulnerabilities.

Have a great week!