Medical compliance can be particularly daunting because of the complex regulations and evolving policies. An additional concern for many companies is that compliance extends beyond medical organizations. Businesses that function as Covered Entities (billing services, life insurers, employers, public health agencies, etc.) and companies that execute a Business Associate agreement (lawyers, auditors, consultants, data collection services) must comply as well.
If you need proof that HIPAA compliance is a major challenge, read the article “Breaches Lead to Push to Protect Medical Data,” published on May 30, 2011 by The New York Times. Medical breaches have resulted in the improper exposure of a staggering 7.8 million personal medical records over the last 24 months! The article details two recent examples of medical record security breaches:
- The personal information of 1.7 million patients, staff members, contractors and suppliers of Bronx hospitals and clinics operated by Health and Hospitals Corporation was breached when electronic files were stolen from an unlocked van.
- 192 paper records of patients were compromised after a hospital employee left the paperwork on a Boston subway train.
Not only are these breaches frustrating and expensive for the victims, but also imagine the consequences for the company implicated in the breach. From the negative media coverage to the expense of fines and restitution, a major breach could bankrupt a business.
That’s why I emphasize the importance of compliance with every company I advise. Five of my go-to tips are:
- Underscore the importance of compliance. Many companies still don’t know what constitutes HIPAA or FACTA compliance – don’t be one of them and learn only after you’ve received a fine or had a breach.
- Screen new hires thoroughly. Employees will have access to confidential information as part of their job functions so it is imperative to know who you’re hiring and if they have a criminal background.
- Establish a virtual office policy. Both of the breaches I cited earlier occurred when records were taken off site – ensure that employees who use laptops or transport paperwork of any kind are well-trained in security policies.
- Destroy all paperwork as soon as it is no longer needed. Paperwork containing confidential information represents a huge risk so destroy it securely as soon as you don’t need it.
- Explore outside expertise. With all of the considerations associated with running a compliant organization, you might find that an expert consultant can help you establish information security policies and train staff.
Learn more about HIPAA and how it relates to your company by downloading Shred-it’s HIPAA compliance fact sheet. Do you have questions about making your business operate more compliantly? Please send me a question or comment.