HIPAA for the Rest of Us: 3 Takeaways for Any Business

It’s a standard feature of health care today: Your signature on a HIPAA form. The federal Health Insurance Portability and Accountability Act (as it’s known officially) ensures that health care providers will safeguard your personal and medical information in accordance with federal regulations. So, what does your business do to safeguard the information that passes through the doors? HIPAA might hold the answer: Your company can build an effective records management policy rooted in HIPAA principles. Start with these three takeaways:

Takeaway #1: Protect Customer and Employee Information

Your company deals with what HIPAA calls “individually identifiable information” about customers, employees or both. This includes demographic data (age and gender, for example), plus specific identifiers like name, address, date of birth, and Social Security number. You can see how the dots connect:
  • The health care sector has a regulatory responsibility to protect sensitive patient information.
  • You have a responsibility to protect the confidential business information that’s critical to your company’s competitive position. After all, your customers’ and employees’ information is a crucial asset for your company.
One way to protect this information is by instituting a “Shred Everything” policy in your workplace. The idea is simple: When you destroy more of the documents you don’t need to save, you reduce the risk that information will be misplaced, lost or stolen.

Takeaway #2: It’s Also about Your Vendors

Firms that provide legal, accounting, consulting, management, data transmission and billing services (to name just a few) for health care providers must also comply with HIPAA. They’re not directly involved with patient care, but they still handle patient data. What’s the connection for you? If you outsource any business operations to third-party vendors or engage any outside consulting service, you want assurance that your sensitive data is safe with them. Security makes a difference in records management, whether your data “lives” in your offices, is “retired” offsite or “visits” a vendor. Ask your vendors about their information security practices. Also ask if they hold any information security certifications. Your vendors may not need to answer to HIPAA, but they DO need to meet your security needs if they value your continued business.

Takeaway #3: Plan for the Worst

Know what’s great about NOT being under HIPAA jurisdiction? You’ll never be subject to a HIPAA audit, a fine-tooth-comb federal review of your information security practices. However, your company can learn a great deal from the demands of a HIPAA audit. For example, here are just a few criteria that HIPAA auditors dig into:
  • Data backup and storage procedures
  • Risk management programs
  • Recovery strategies
  • Contingency planning policies
These concerns apply to virtually any business and fall under one big question: What will your company do in the event of a disaster that threatens vital and sensitive information? For many companies, the answer (and serious peace of mind) lies in secure, off-site records storage. Ideally, your off-site storage provider should support “active filing,” a practice that gives you ready access to documents stored off-site.

Protect your business, protect your information. It’s worth it.

Driving effective records management in your business has costs, to be sure. But those costs are a drop in the bucket compared with your significant financial exposure if you don’t assess and reboot your current records management methods.