3 HIPAA Compliance Best Practices to Better Serve Health Care Customers

Avoiding fat fines isn't the only benefit of staying in line with regulations.

May 29, 2018


By Doug Parent, CEO and Co-Founder, RingRx

Partners: Do the health-care organizations you work with do everything they can to protect patient records and maintain HIPAA compliance? Probably not. In 2017, there were 477 health-care breaches affecting 5.6 million patient records. Over the past few years, attackers have focused heavily on medical records for their high value and because the security infrastructure surrounding them is typically less sophisticated than what’s guarding financial information.

Unfortunately for those that have failed to maintain compliance, many HIPAA violations result in multimillion-dollar financial settlements that leave the offending health-care organization reeling. Fresenius Medical Care North America settled its case with OCR for $3.5 million. Memorial Healthcare System, which was penalized for insufficient ePHI access controls, was charged a penalty of $5.5 million. Providers understand the urgency.

Fear of a financial hit isn’t the only reason customers must maintain HIPAA compliance, of course. Proper data handling, security and communications procedures can make health-care organizations more efficient and enable them to provide better service to customers. In truth, setting up the right processes now is crucial to seeing the health-care business grow into 2019 and beyond. And, being compliant with HIPAA may even help with GDPR, say experts.

Here are a few HIPAA compliance best practices that every health-care organization should follow:

Best Practice #1: Perform an Internal Audit and Use Compliance Technologies

Before you can help a customer improve, you as a trusted adviser need to know what the organization’s current compliance practices look like, which assets you will be able to leverage and which weak areas need to be focused on. Evaluate every aspect of the organization, from how it stores patient information to how patient communication is organized and secured.

A risk assessment following a specific process is a core requirement for HIPAA-compliant organizations. While most health-care companies have run risk assessments, they might not be using the findings in as many of their technology buying decisions as they could be. This makes an assessment an excellent tool for you as a partner to make educated suggestions. Ask to see their most recent risk assessment and make sure it recommends services that are HIPAA-compliant. Since this information is coming from a third party, it will give your technology recommendations much more authority.

Not only should their assessment determine how damaging a data breach could be to the organization, it should also evaluate what time and resources are being used to maintain current compliance standards. This internal audit will help identify areas for improvement and create new compliance protocols.

Compliance software can be a major benefit for monitoring and maintaining compliance standards. That’s why 41 percent of health-care organizations in one recent study say they plan to increase their investments in software and technology to support compliance. Most importantly, the right solutions can also cut down on the time and resources expended to stay compliant, improving how the organization operates and saving it money.

Best Practice #2: Educate and Train Employees on Compliance Protocols

If you want to see the protocols you suggest succeed, you need buy-in from the busy doctors, medical professionals and other staff who will be responsible for day-to-day implementation. Most MSPs and VARs focus on the organization’s IT department and don’t spend enough time working with the people who will be directly handling PHI and communicating with the clients. According to Verizon’s 2018 Data Breach Investigations Report, 17 percent of data breaches are caused by employee errors. A doctor calling a patient on a non-HIPAA-compliant phone system or a nurse emailing sensitive information is enough to leave the organization vulnerable to theft or penalties.

Creating clear compliance protocols and educating employees is the best way to make sure patient information is safe. This responsibility should not fall solely on the health-care organization; after all, they depend on your advice. Here are some measures to put into place:

  • Offer a training seminar for all employees who handle PHI.

  • Provide detailed educational documents for any processes or new software, and make sure all employees can easily access them.

  • Educate employees on good security measures to prevent them falling prey to phishing scams or allowing their credentials to get into the wrong hands.

  • Work with vendors willing to provide additional support so you don’t need to become an expert in every third-party solution you employ.

Best Practice #3: Use HIPAA-Compliant Technology

Unfortunately, auditing the health-care organization and educating employees on how to protect patient information won’t address every vulnerability. The fact is, 56 percent of organizations experienced a data breach caused by a third-party vendor, according to a Ponemon study. During your HIPAA risk assessment, you should identify any third parties that have access to the organization’s information or infrastructure. Evaluate each of the solutions, especially those related to patient communication, to make sure they’re HIPAA-compliant.

During this evaluation, make sure to reach out to the vendors and inquire about their own security protocols. They should be very open about this information. Also look for solutions that offer a BAA (business associate agreement) to confirm they satisfy HIPAA regulatory requirements and share liability. The right partners should be able to handle PHI security on their end so that you and the organization have less work and less worry about third-party risk.

While every health-care organization needs to maintain basic HIPAA compliance, partners with a vertical specialization have an opportunity to provide them even greater value. By following these best practices, you can offer organizations more peace of mind, implement more efficient protocols and help save them time and money.

Doug Parent is the CEO and co-founder of RingRx, provider of a HIPAA-compliant phone system for doctors, therapists and clinicians. Follow them on Twitter at @RingRx or email Doug at [email protected] to learn more about channel partner and reseller opportunities.