How do an agency's HIPAA practices stack up against the government's?
Agencies have their own interpretation of HIPAA compliance. I have worked with hundreds of agencies. They know that because they signed Business Associate Agreements with carriers, they are legally required to be HIPAA compliant. But they usually fall well short of what is required. This could lead to HIPAA breaches and fines that could damage your agency's reputation and put you out of business.
So, how do an agency's HIPAA practices stack up against the government's?
An agency's version of compliance:
- lock the door at night
- fill out authorization forms
- maintain business associate agreements
- encrypt PHI emails
- require computer passwords
The government's definition is broader than yours, and it is a moving target. As the industry transforms and new technologies are adopted, their definition becomes more demanding.
Currently their definition includes:
- perform risk analyses (164.308(a)(1)(ii)(A)) – Many agencies that I consult with have not used an independent party to review their policies and procedures to determine their vulnerability to a HIPAA breach.
- document safeguards and how you handle PHI (164.316) – Some have documented parts of how they handle PHI, but few have all of the required HIPAA documentation.
- train staff regularly (164.308(a)(5)(i)) – Agency owners usually interpret training as something only their agents/brokers need. In reality, anyone who can access PHI should be trained, which usually means the entire office.
- email, server and mobile device encryption (164.312(a)(1)(iv)) – It amazes me how many insurance professionals are still sending us employee censuses with no encryption.
- assurances of subcontractor compliance (164.308(b)) – Agencies will have business associate agreements with all their carriers, but many falter by not having them with their cleaning company, shredding service, or IT consultants.
- and much more – This is only the tip of the iceberg; new rules and recommendations are released every year.
How can you ensure you are up to speed with the government’s definition of HIPAA Compliance?
1. Perform a HIPAA risk analysis.
2. Document how your office handles PHI.
3. Train your staff regularly on HIPAA related issues.
4. Develop a spirit of HIPAA compliance.
5. Become a GRA PHI365 client.
If you would like to see how you stack up against the government’s HIPAA compliance, fill out this survey or contact us.