# 1 – EMAIL
This one is an easy check. If your practice email ends with @gmail.com, @yahoo.com, @hotmail.com, @att.net, etc., you are NOT HIPAA compliant. If your email is through your hosting provider (GoDaddy, eNom, etc.), it is more than likely NOT compliant. If you are unsure, send us an email and we will help you figure it out.
# 2 – WEBSITE COMMUNICATION
Your website is usually not a contributor to HIPAA violations. This changes, however, when you have contact forms or other questionnaires on your site that request Protected Health Information (PHI). If you do not manage your website personally, be sure to ask your website developer or provider about this. Simple contact forms are fine, but if you are seeking to sign new patients up online or ask them for specific health information, your site needs a Secure Sockets Layer (SSL) certificate so that the form is submitted over an encrypted connection. This is a relatively simple fix and well worth avoiding a fine.
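As an added example (not part of the original newsletter), the following Python audit scans a page's HTML for forms, flags those whose field names suggest they collect PHI, and reports any such form that would submit over plain HTTP instead of HTTPS. The `PHI_HINTS` keyword list and the sample HTML are constructed for illustration; a real review should still be done by hand.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed list of field-name fragments that commonly indicate PHI is requested.
PHI_HINTS = ("dob", "birth", "ssn", "diagnosis", "symptom", "medication",
             "insurance", "condition", "health")


class _FormCollector(HTMLParser):
    """Collect each <form>'s action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it posts, whether it asks for PHI,
    and whether that submission would travel unencrypted (a violation)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty action posts back to the page itself; relative actions resolve against it.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        encrypted = urlparse(target).scheme == "https"
        asks_phi = any(hint in name for name in form["fields"] for hint in PHI_HINTS)
        findings.append({"action": target, "asks_phi": asks_phi,
                         "encrypted": encrypted, "violation": asks_phi and not encrypted})
    return findings


# Constructed sample page: a harmless contact form plus an intake form that
# collects date of birth and insurance details but posts to an http:// endpoint.
SAMPLE_HTML = """
<form action="/contact"><input name="email"><textarea name="message"></textarea></form>
<form action="http://forms.example.net/intake" method="post">
  <input name="patient_dob"><input name="insurance_id"></form>
"""

if __name__ == "__main__":
    for f in audit_forms("https://www.example-practice.com/new-patients", SAMPLE_HTML):
        print(("VIOLATION " if f["violation"] else "ok        ") + f["action"])
```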
# 3 – FILE AND PHOTO SHARING
Internal files, newsletter exports, happy patient photos and the like all need to be handled securely to avoid a breach of HIPAA requirements. Sharing between team members via personal email is a big no-no. Having a secure local server with team access or a compliant cloud storage service will make internal sharing much safer and easier to manage. Dropbox is NOT HIPAA compliant; I specifically mention this one because many clients have used Dropbox under the assumption that it is indeed compliant. If you do not currently have a system in place, there are inexpensive options available, such as Box.net.
The above is from our newsletter. Here is some more to consider about HIPAA and maintaining proper compliance.
# 4 – TWO-FACTOR AUTHENTICATION
This simply means requiring two forms of verification before allowing access to your software. We protect client email with an authenticator application that prompts them with a text message before allowing access to email on a new device or computer; requiring your phone unlock code before you can enter your email password is the same idea. Doing so protects vital information in the event someone obtains your username and password: without the additional authenticating tool, they are still denied access to your device or software. Once implemented, it is a lot less complicated (and less annoying) than it sounds.
# 5 – BUSINESS ASSOCIATE AGREEMENT (BAA)
HIPAA rules require the maintenance of a valid BAA with anyone who is not part of your covered entity (your practice and active employees). Any person who has access, or potential access, to PHI needs a signed agreement; this includes anyone who accesses, maintains or monitors your server or cloud. It also includes anyone who creates your newsletter and has access to patient information, email accounts and websites. If you have an outside company cleaning your office…you guessed it, they need to have a BAA in place.
# 6 – ADMINISTRATIVE SAFEGUARDS
Training. Training for doctors, admins and team members. Everyone in the office needs to have an understanding of the rules and regulations as well as maintain yearly refreshers on how to keep your practice compliant. Training is available in person or through online programs at a very reasonable price.
# 7 – PHYSICAL SAFEGUARDS
Keep it behind lock and key. Anything physical in your office that may contain PHI needs to be secured in a locking drawer, file room, etc. When physical records are no longer needed, dispose of them properly through a company like Iron Mountain that provides services for properly disposing of sensitive information. Paper items can be shredded in the office, but computer hard drives, flash drives, CDs and servers need to be properly erased and destroyed so that the information cannot be recovered.
Remember – HIPAA violations can reach a maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million, which underscores the importance of building and maintaining a HIPAA compliant practice.
As always, if you have a question or just need us to point you in the right direction, you can call us at 919.371.2776 or email firstname.lastname@example.org.