How to Achieve HIPAA Compliance

  • Study the HIPAA Final Security Rule for specifics on electronic data security and information systems requirements. If your medical facility or practice has patient information of any kind on its computers, whether just one computer or an entire hospital network, you must meet its standards.

  • Upgrade your systems as necessary to ensure you have passwords for each individual user, and stringent firewalls. Additionally, your systems must be able to track who logs in and when; failed login attempts; logouts; and the sequence of logins and logouts on every terminal. You must track the activities of each user in each session, track system administrator actions, report security breaches immediately to responsible parties, and use the latest encryption technology, according to the most recent version of the security rule.
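As an added illustration of the audit-trail requirement in the step above (this is example code, not part of the original article or any vendor's product), the Python below reconstructs the login/logout sequence on each terminal, counts failed login attempts per user, and lists terminals left logged in. The audit line format, event names and sample entries are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from a real system). Assumed format:
# <ISO timestamp> <terminal> <user> <event>, already in chronological order.
SAMPLE_LOG = """\
2024-03-01T08:00:00 T1 alice LOGIN_OK
2024-03-01T08:01:10 T2 bob LOGIN_FAIL
2024-03-01T08:01:20 T2 bob LOGIN_FAIL
2024-03-01T08:01:30 T2 bob LOGIN_FAIL
2024-03-01T08:01:45 T2 bob LOGIN_OK
2024-03-01T08:30:00 T1 alice LOGOUT
2024-03-01T09:00:00 T1 carol LOGIN_OK
2024-03-01T09:05:00 T2 bob LOGOUT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|LOGOUT)$")

def parse_events(text):
    """Turn raw audit lines into (timestamp, terminal, user, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the report
            events.append(m.groups())
    return events

def sessions_per_terminal(events):
    """Reconstruct the login/logout sequence on each terminal.
    Returns {terminal: [(user, login_ts, logout_ts_or_None), ...]}."""
    sessions = defaultdict(list)
    open_session = {}  # terminal -> index of its currently open session
    for ts, term, user, event in events:
        if event == "LOGIN_OK":
            sessions[term].append((user, ts, None))
            open_session[term] = len(sessions[term]) - 1
        elif event == "LOGOUT" and term in open_session:
            i = open_session.pop(term)
            who, login_ts, _ = sessions[term][i]
            sessions[term][i] = (who, login_ts, ts)
    return dict(sessions)

def failed_logins(events, threshold=3):
    """Count LOGIN_FAIL per user; also list users at or above the threshold."""
    counts = defaultdict(int)
    for _, _, user, event in events:
        if event == "LOGIN_FAIL":
            counts[user] += 1
    return dict(counts), sorted(u for u, n in counts.items() if n >= threshold)

def open_sessions(sessions):
    """Sessions with no LOGOUT: terminals that may have been left logged in."""
    return [(t, u, ts) for t, lst in sessions.items() for u, ts, out in lst if out is None]
```

In the sample, bob's three failed attempts are flagged and carol's session on T1 is still open, which is the kind of finding the unattended-terminal rule later in this article is meant to prevent.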

  • Keep paper charts and patient records in closed file folders in designated, secure locations to ensure that only authorized persons can view them. Facilities and practices deal with this in different ways. Some keep folders in out-of-sight locations in patient rooms, while others keep them at nurses’ stations. Private practices should ensure files are put away as soon as doctors and nurses finish with them. Never leave files on desks, counters or anywhere unattended where unauthorized persons can easily see and access them.

  • Create rules and policies against talking about patients in locations and at volumes that make it possible for unauthorized persons to overhear. While HIPAA acknowledges that accidental breaches because of overheard conversations are unavoidable, it still mandates that medical professionals take every precaution to prevent that situation.

  • Train staff never to discuss a patient or her condition with anyone other than the patient unless they have a patient authorization, power of attorney, guardian ad litem papers, or a court order on file. Medical professionals may discuss a patient’s case among themselves, but never with an unauthorized third party, even if the person is a spouse, child or other close relative.

  • Educate all users of your electronic medical records and billing systems on the precautions they must take when working on computers. They should ensure that onlookers can’t view their screens while they work; close files as soon as they are done with them; and log out whenever they step away from their terminals, even if they intend to return shortly.

  • Store old patient files in locked, sealed containers that are stored in secure, dry places. If you want to destroy files after your state’s legally permissible time period, take steps to ensure that files are destroyed completely and that nothing legible remains.

  • Cover over each line of your office sign-in sheet as soon as a patient has signed in. Private practices can no longer leave clipboards with lists of patient names visible like they used to. Use something that adheres to the sign-in sheet, like a piece of paper tape, or black out the information so there’s no chance of it becoming uncovered or readable.