Behavioral Health Data Security and HIPAA Compliance Essentials

If you are a behavioral health care provider, you must understand the Health Insurance Portability and Accountability Act (HIPAA) compliance and data security. HIPAA was created to protect the privacy of clients' health information, and providers who do not comply with HIPAA can face stiff penalties. In this blog post, we will discuss the types of information protected by HIPAA, data security basics, and tips for protecting your agency's confidential information.

What Information is Protected by HIPAA?

As a behavioral health care provider, you have a legal and ethical responsibility to protect your clients' confidential information. HIPAA mandates the protection of certain personal information, called Protected Health Information, or PHI. PHI includes:

  • Names

  • Dates (except the year)

  • Telephone numbers

  • Geographic data, such as GPS coordinates

  • Fax numbers

  • Social Security numbers

  • Email addresses

  • Medical record numbers

  • Account numbers

  • Health plan beneficiary numbers

  • Certificate numbers

  • License numbers

  • Vehicle identifiers/serial numbers

  • Vehicle license plates

  • Web URLs

  • Device identifiers/serial numbers

  • Internet protocol (IP) addresses

  • Full face photos and comparable images

  • Biometric identifiers (e.g. retinal scans, fingerprints)

  • Any unique identifying number or code

Data Security Basics

To protect client PHI, we use data security best practices. HIPAA data security involves three main components: physical safeguards, administrative safeguards, and technical safeguards. Each is critical to the overall security and reliability of the PHI.

  • Physical safeguards for PHI are any physical methods, rules, and procedures used by a covered entity to safeguard its electronic information systems as well as associated buildings and equipment from natural and environmental calamities and unlawful intrusion.

  • Administrative safeguards are procedures, policies, and regulations that allow a covered entity to manage the choice, development, implementation, and maintenance of security measures to protect electronic protected health information while also controlling the conduct of its employees in connection with the protection of that data.

  • Technical safeguards are technology and procedures that protect electronic protected health information and control who has access to it.

Data security best practices can be quite complex. The standards that apply to your agency will be highly dependent on the types of data you store, how it is stored, who needs access to it, and more. For more detail on HIPAA-compliant data security, see the Department of Health and Human Services guidance on the HIPAA Security Rule.

Tips to Protect PHI

There are a few simple steps that you can take to protect your clients' PHI and keep your agency HIPAA compliant:

Encryption & Storage

At a minimum, all data containing or even potentially containing PHI should be fully encrypted using HIPAA-compliant encryption software. This includes much more than just what is stored on your hard drive. Emails, texts, and any other type of sharing or communication that occurs from or to your company must be encrypted. All computers, mobile devices, even IoT devices must use encryption if they send or receive these sensitive messages. This also means using a free Gmail or Yahoo account to send work emails that contain PHI is not allowed. You must only use services that guarantee encryption sufficient for HIPAA standards. You should also have a disaster backup and recovery plan in place in case PHI is lost or destroyed.
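One practical way to act on the identifier list above and on the rule that messages containing PHI may only leave through encrypted channels is a first-pass scanner that flags outbound text for identifier patterns before it is sent. The code below is an added example, not part of the original post or of any product it mentions; the patterns, the sample message and the "needs an encrypted channel" decision are constructed for illustration, and free-text identifiers such as names or addresses are out of scope for a regex filter.

```python
import re

# Constructed patterns for a subset of the HIPAA identifiers listed above.
# Assumption: a coarse outbound filter, not a complete de-identification tool.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (614) 555-0100 or 614-555-0100; lookbehind instead of \b so "(" is accepted
    "phone_or_fax": re.compile(r"(?<!\w)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def find_phi(text):
    """Return {identifier_type: [matched strings]} for every class found in text."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def redact_phi(text):
    """Replace each detected identifier with a type tag so the text can be quoted safely."""
    for name, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def may_send_unencrypted(text):
    """True only when no identifier class is present; otherwise route via an encrypted service."""
    return not find_phi(text)


# Constructed sample message (fictional client data) used for the demonstration.
SAMPLE = ("Client Jane Doe (MRN 4471820), DOB 03/14/1988, SSN 123-45-6789, "
          "called from (614) 555-0100 and emailed jane.doe@example.com.")

if __name__ == "__main__":
    print(find_phi(SAMPLE))
    print(redact_phi(SAMPLE))
    print("send unencrypted:", may_send_unencrypted(SAMPLE))
```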

Basic and Advanced Level Security Features

Everyone knows that passwords protecting PHI should be extra strong, right? Wrong. You'd be surprised how weak most people's passwords are, no matter what information those passwords protect. Don't allow weak or easy passwords for access to company-held PHI. Require varying capitalization, special characters, and numbers for employee passwords, and require that they be changed at least quarterly, if not more often.

Take data security a step further with two-factor authentication (2FA). When most people think of 2FA, they think of those pesky emails or texts with a code to enter to verify your identity. While many companies do still use this 2FA method, many are now going to authenticator app services and even physical keys for 2FA verification. We highly recommend a combination of very strong passwords changed often with a physical ID verification key for access to any computer that contains PHI. Physical keys can be of many styles, including various USB types, Lightning ports, nano keys, biometric, NFC, and more.

Employee Training

One of the most important things you can do to protect your clients' information is to ensure that all of your staff members are properly and thoroughly trained on HIPAA compliance and data security. HIPAA requires that all staff members who have access to protected health information (PHI) receive training on HIPAA compliance. You should also have a written HIPAA compliance policy that all staff members must sign. HIPAA refresher training is also highly recommended every few years.

Strictly Monitored Limitations

Another important step you can take to protect your clients' information is to limit access to PHI to only those staff members who need it. You should have procedures in place to ensure that only authorized staff members have access to PHI, and you should limit the amount of PHI that is shared with any one staff member. All PHI access should be logged and timestamped. Using networked electronic storage of PHI makes logging access easy.
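The two controls in this section, limiting each staff member to the PHI they need and logging every access with a timestamp, can be enforced in one gate in front of the record store. The code below is an added example, not part of the original post or of any product it mentions; the roles, record types, caseload assignments and log format are constructed assumptions, and the in-memory list stands in for an append-only audit log.

```python
from datetime import datetime, timezone

# Constructed "minimum necessary" map: which record types each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"progress_notes", "treatment_plan", "demographics"},
    "billing": {"demographics", "insurance"},
    "front_desk": {"demographics"},
}

# Constructed caseload assignments: which clients each staff member works with.
ASSIGNMENTS = {
    "dr.smith": {"C-1001", "C-1002"},
    "b.jones": {"C-1001", "C-1002", "C-1003"},
    "a.lee": {"C-1001", "C-1002", "C-1003"},
}

# Stand-in for an append-only audit log; in production write to protected storage.
ACCESS_LOG = []


def access_phi(user, role, client_id, record_type):
    """Gate a PHI read: allowed only if the role may see the record type AND the
    user is assigned to that client. Every attempt, allowed or denied, is logged."""
    allowed = (record_type in ROLE_PERMISSIONS.get(role, set())
               and client_id in ASSIGNMENTS.get(user, set()))
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),  # timestamp required by the policy
        "user": user, "role": role, "client_id": client_id,
        "record_type": record_type, "outcome": "ALLOW" if allowed else "DENY",
    })
    return allowed


def denied_by_user(log):
    """Count DENY events per user; repeated denials are what a log review should surface."""
    counts = {}
    for entry in log:
        if entry["outcome"] == "DENY":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    access_phi("dr.smith", "clinician", "C-1001", "progress_notes")   # allowed
    access_phi("dr.smith", "clinician", "C-1003", "progress_notes")   # denied: not assigned
    access_phi("a.lee", "front_desk", "C-1001", "progress_notes")     # denied: role too broad
    for entry in ACCESS_LOG:
        print(entry)
    print("denials per user:", denied_by_user(ACCESS_LOG))
```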

HIPAA Compliance is Essential

HIPAA compliance can be complex, but it is essential to protecting your clients' information. By using the steps outlined in this blog post as a starting point, you can help to ensure that your clients' information is protected and that you are in compliance with HIPAA. Be sure to follow all the guidelines set forth by the Department of Health and Human Services as applicable to your agency and operations.

HIPAA-Compliant Cloud-Based Documentation for Behavioral Health Agencies

Take the hassle out of making sure the documentation for your behavioral health agency is HIPAA compliant by using our fully HIPAA-compliant, cloud-based documentation system built with security in mind – ConnectCare™. For more information on how ConnectCare can make documentation, EVV, billing, and payroll easier for your agency, contact Jeff Wilt at jeff@connectcareonline.com or by calling (614) 734-4719.
