Enacted over 20 years ago, the Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to adhere to stringent guidelines for maintaining the privacy and security of what it defines as Protected Health Information (PHI). But HIPAA doesn’t just apply to doctors and hospitals. Any business that helps a healthcare provider carry out its activities must follow HIPAA requirements. That can be difficult, so here we share our tips to help you begin the process of becoming HIPAA compliant.
Covered Entities and their Business Associates
Under HIPAA, health care providers such as physicians, hospitals, pharmacies and other organizations transmitting PHI are considered “covered entities.” In addition, businesses that store, receive, create and maintain PHI on behalf of covered entities are considered “business associates” of those covered entities and must comply with HIPAA’s Privacy Rule and Security Rule. Among other things, each of these rules requires covered entities and business associates to implement physical, administrative and technical safeguards for PHI.
Physical protection of PHI means having a secure, off-site storage solution for both hard copy and electronic records. Don’t be fooled into thinking records stored on-site are secure. HIPAA violations as a result of insider theft are far too common.
Off-site storage of documents in a commercial records center protects PHI from internal and external threats. Advanced security systems prevent unauthorized access to documents while barcode tracking technology creates an audit trail of all file activity.
The same protection is provided for your data with an electronic vaulting service. Data protection specialists encrypt, back up, and store your data off-site in an electronic vault where the strict security measures meet HIPAA requirements.
If you’re a HIPAA Business Associate, the same care should be applied when disposing of PHI. Many Business Associates exercise proper care when storing and transmitting information only to fall short in the final phase of responsibility: information disposal. Obsolete or expired PHI should be promptly, completely and securely destroyed.
You can achieve HIPAA compliance by outsourcing your disposal to the right shredding and destruction provider. Secure collection and destruction processes help your business avoid HIPAA non-compliance and the fines and penalties that come with it. After PHI is destroyed, you should receive a Certificate of Destruction that verifies the time, date and method of destruction. The certificate serves as proof that your company is following the HIPAA Privacy Rule and Security Rule.
If your company is a Business Associate to a Covered Entity as defined in HIPAA, you are legally required to safeguard PHI. Fortunately, a secure record storage and shredding provider will help you do so.
Records Management Center provides HIPAA Covered Entities and Business Associates throughout Augusta, Evans, Thomson, and Martinez, GA, and Aiken, SC and the Central Savannah River Area with professional records management and shredding and destruction solutions. To find out how we can help your business, please contact us by phone or complete the form on this page.