Handling Medical Data? How Your Biz Can Stay HIPAA-Compliant

The Health Insurance Portability and Accountability Act, or HIPAA, became federal law in 1996. This law is written to protect the privacy of individuals by defining how covered entities, such as employees of a health insurance company or doctor's office, manage the Personal Health Information or PHI of a client. Failing to follow HIPAA can put these covered entities at risk of expensive litigation.

Technological Advances Equal Increased Risk

The PHI of any patient used to be kept in a paper folder that stayed in the doctor's office and could be physically transported to another physician for a consultation. Access to electronic record keeping has made the transport of this data simpler, but this also increases the risk of data loss, file corruption, and data theft.

In addition to managing the data effectively to avoid a security breach, physicians and their management staff also need to track who has access to the data systems and how to track record access. In the event that an employee leaves the physician's office, blocking their access to any patient data needs to be a documented part of the termination process.

Encryption and Data Protection

While protecting data access from inside the physician's office may be fairly straightforward, portable data management tools such as smartphones and tablets can present a serious security threat. With the proper encryption tools placed on all data, requiring a key or passcode to access and read, any data accessible from outside the office can be protected.

The portability of data can be both a blessing and a curse. While many have a password on their tablet and their smartphone, additional security to access HIPAA sensitive materials must be required of anyone who has phone access to client records. In addition, the physician's office will need a policy in place for actions in the event of the loss of any of these devices.

Third-Party Work on EHR-EMR Data

Many medical offices use third party transcriptionists to turn audio conversations into written data for easy transfer to another physician's office. The management of electronic medical records, or EMR, and electronic health records, EHR, to off-site third-party professionals adds a layer of risk.

Maintaining HIPAA compliance within the physician's office will need a written policy to avoid data breaches. In addition, any access from outside the office, such as by smartphone or other mobile devices, will need to be encrypted. Finally, any work done off-site by third-party transcriptionists is vulnerable at several points. For example, the

• transfer of audio recordings from the doctor's office to the transcriptionist

• a computer where conversations are transcribed to text,

• transfer of text back to the patient file, and

• privacy restrictions placed on the transcriptionist

can all be points where sensitive data can be lost, misused, or corrupted.

The best medical transcription service will hire professionals who can provide the security necessary to protect the patient's data and the physician's reputation. These services will also maintain data in a secure portal that cannot be accessed from either side without a proper password and encryption system.

Moving Paper or Hand-Written Notes via Fax

There is cognitive power in the act of handwriting. The ability to organize one's thoughts and write them down can greatly increase the ability to remember a conversation, event, or observation. Should a physician's office need to transfer hand-written notes, as well as other documentation via fax, the tool must offer HIPAA compliant protections.

The benefits of these protections can go farther than just the primary need for privacy protection. In addition to security, a HIPAA compliant fax portal can offer a data recycling bin, providing secure temporary storage of transferred data. If any data is lost, accidentally deleted or corrupted, the fax portal will hold another copy for a time. Before signing up for a HIPAA compliant faxing service, physicians and their security teams can determine the settings on this recycling feature.

Data protection is critical for the safety and security of patients. In the event of a data breach, clients may have grounds for litigation that will cost a great deal of time as well as money. Physician's offices will need to strive to be more than compliant to stay on top of patient data risk.