HIPAA for the Rest of Us: 3 Takeaways for Any Business
It’s a standard feature of health care today: Your signature on a HIPAA form. The federal Health Insurance Portability and Accountability Act (as it’s known officially) ensures that health care providers will safeguard your personal and medical information in accordance with federal regulations. So, what does your business do to safeguard the information that passes through the doors? HIPAA might hold the answer: Your company can build an effective records management policy rooted in HIPAA principles. Start with these three takeaways:
Takeaway #1: Protect Customer and Employee Information
Your company deals with what HIPAA calls “individually identifiable information” about customers, employees or both. This includes demographic data (age and gender, for example), plus specific identifiers like name, address, date of birth, and Social Security number. You can see how the dots connect:
- The health care sector has a regulatory responsibility to protect sensitive patient information.
- You have a responsibility to protect the confidential business information that’s critical to your company’s competitive position. After all, your customers’ and employees’ information is a crucial asset for your company.
Takeaway #2: It’s Also about Your Vendors
Firms that provide legal, accounting, consulting, management, data transmission and billing services (to name just a few) for health care providers must also comply with HIPAA. They’re not directly involved with patient care, but they still handle patient data. What’s the connection for you? If you outsource any business operations to third-party vendors or engage any outside consulting service, you want assurance that your sensitive data is safe with them. Security makes a difference in records management, whether your data “lives” in your offices, is “retired” offsite or “visits” a vendor. Ask your vendors about their information security practices. Also ask if they hold any information security certifications. Your vendors may not need to answer to HIPAA, but they DO need to meet your security needs if they value your continued business.
Takeaway #3: Plan for the Worst
Know what’s great about NOT being under HIPAA jurisdiction? You’ll never be subject to a HIPAA audit, a fine-tooth-comb federal review of your information security practices. However, your company can learn a great deal from the demands of a HIPAA audit. For example, here are just a few criteria that HIPAA auditors dig into:
- Data backup and storage procedures
- Risk management programs
- Recovery strategies
- Contingency planning policies