Even though HIPAA regulation can seem rather complex, there are some HIPAA basics that can give you an idea for where to get started. We have provided a few key suggestions for you to use for developing your own basic HIPAA checklist.
There are various different HIPAA definitions and HIPAA basics that can help your behavioral health practice start implementing an effective HIPAA compliance program. HIPAA compliance helps ensure that the sensitive health care information you deal with on a daily basis does not become exposed due to data breaches, cyber-security incidents, or improper disclosures caused by simple human error.
HIPAA and PHI Basics
HIPAA is a set of national regulatory standards meant to ensure the security and privacy of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. HIPAA regulation identifies 18 distinct demographic indicators that are considered PHI, which include:
- Address (including subdivisions smaller than state such as street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
Understanding PHI is the key to understanding HIPAA. For that reason, everything your behavioral health business does to become HIPAA compliant should be geared toward maintaining the confidentiality, integrity, and availability of PHI.
Developing Your Own Basic HIPAA Checklist
Here are a few considerations for building your own basic HIPAA checklist for building your HIPAA compliance program:
- Identify sources where PHI is maintained and implement the proper physical, technical, and administrative security safeguards.
- Identify a member of your staff to serve as the Compliance Officer. The Compliance Officer should be the point person for all compliance efforts moving forward, and will help streamline the HIPAA compliance process.
- Take an inventory of all devices that are used to access, store, or transmit PHI. Ensure that these devices and properly secured with anti-malware software, encryption, back-up, and password protection. You can also begin to craft an asset and device policy to control the use of these devices to mitigate the risk of a PHI breach. Download the free HIPAA Risk Assessment tool provided by HIT.gov to help with this process. Conducting regular HIPAA assessment is a requirement for all covered entities.
Note that even if your practice implements all of these building blocks, these are only pieces of HIPAA compliance and will not render your business compliant. In order to properly maintain the privacy and security of PHI, a total HIPAA compliance program that addresses each of the HIPAA regulatory standards must be in place.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.