Contents
HIPAA Compliance in Organizational Practices: Physical and Technical Safeguards
Administrative and Organizational Safeguards Expected from Third Party Providers
References
Abstract
This paper uses a given case scenario to explain how a given organization, Family Dentals, complies with the Health Insurance Portability and Accountability Act (HIPAA) regulations. First, the paper identifies the electronic and non-electronic private health information handled by Family Dentals. It then identifies how Family Dentals complies with HIPAA regulations in the organization's practices and in its physical and technical safeguards. Accordingly, the paper also recommends various ways to improve compliance under both approaches. Finally, the paper examines the administrative and organizational safeguards expected from third-party providers.
Electronic and Non-electronic Private Health Information
The Privacy Rule safeguards all health data and information that can readily identify a patient. Covered entities may store and transmit such information in various forms, including paper, oral, and electronic. The Privacy Rule treats such information as protected health information. Sample electronic information most likely stored, processed, and transmitted at the two Family Dentals offices includes past, present, and future physical and mental health status; any health care previously administered to the patients; and details of payments made or accrued by patients after receiving healthcare services. Such information qualifies because it provides grounds for identifying patients. The information used to identify patients in this case includes names, contact details, dates of birth, addresses, and social security numbers. It is worth noting that the Privacy Rule does not include employment information maintained by covered entities as part of protected health information (Summary of the HIPAA Security Rule, n.d.).
HIPAA Compliance in Organizational Practices
The organization shows HIPAA compliance in its practices in the way it handles communication between the two offices and with clients. According to the case scenario, most communication happens by exchanging emails among the staff and externally with clients. The organization also practices segregation of duties, whereby different departments are staffed by personnel qualified in their respective fields, such as receptionists, billing clerks, office managers, and the dentists. For activities the organization lacks the capability to handle, such as web hosting and network infrastructure management, it engages third-party professionals to render quality services. The organization can, however, make some changes in an effort to become more HIPAA compliant. For instance, there should be precautionary measures on the use of email to prevent accidental information leaks (Tovino, 2012). Basic procedures such as double-checking email addresses or using email alerts for confirmation by the clients go a long way toward protecting private information. Another precautionary measure would be to impose boundaries on the situations that warrant the disclosure of such information.
HIPAA Compliance in Organizational Practices: Physical and Technical Safeguards
The organization has a VPN server that serves as a back-up of the patient data in the database server. In this way, patient information remains available in the event of a database server malfunction. This is an instance of HIPAA compliance in technical safeguards. To improve on this, however, the organization could implement further safety measures to protect private information. Example procedures include destroying physical documents containing private information before disposing of them, ensuring records are always kept under lock and key, and putting in place access controls for keys and passcodes. The organization should also clearly define policies and procedures for all activities that involve the relocation, removal, disposal, and re-use of electronic equipment that holds private information (Summary of the HIPAA Security Rule, n.d.).
Administrative and Organizational Safeguards Expected from Third Party Providers
Third-party providers should adhere to the organization's mission and vision statements. As such, they must respect the operational procedures exercised by the organization. According to Tovino (2012), security management is one of the core issues that third-party providers must maintain. The organization deals with the private and sensitive information of its patients, and security should be a priority with the aim of protecting that information. As such, third-party providers should employ safety measures to eliminate or reduce threats and exposures to a more reasonable and appropriate level.
References
Summary of the HIPAA Security Rule. (n.d.). Health Information Privacy. Retrieved October 28, 2014, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Tovino, S. A. (2012). HIPAA Privacy for Physicians. Pathology Case Reviews, 17(4), 160-163.