After four years of anticipation, 45 CFR Parts 160 and 164, or HIPAA’s Omnibus Rule as it is more commonly known, went into effect on March 26, 2013, with corporate compliance required by September 23, 2013. Omnibus puts into law many things left unclear in previous HIPAA-related rulings, including requiring business associates of covered entities to be compliant with the HIPAA Privacy and Security Rules and adopting HITECH Act additions to the Enforcement Rule not adopted in the October 30, 2009 interim Final Rule.
As a business associate for our clients’ programs, Telerx engages our clients’ customers in Business Associate Agreements (BAA) to comply with Omnibus, HIPAA, etc.
Both covered entities and business associates may be held liable for breaches of Protected Health Information (PHI), with civil penalties of up to $1.5 million and penalties that can be extended down to the individual who caused the breach. Criminal penalties can range as high as $250,000 and up to ten years in prison. Because of the scope and reputational damage associated with these penalties, incidents can cripple a covered entity or business associate.
At Telerx, we take pride in our ability to keep PHI safe and protected. Here are some best practices we use to maintain our corporate culture of information safety:
Unless your team is seated in an area where only they have access, your team is at risk. Visitors may be able to overhear PHI being communicated through the phone, see it on the screens of your agents, or compromise any applications and forms customers may have submitted.
One way to mitigate this risk is to restrict your team’s workspace to an area to which only they have access, preferably with a role- and access-based fob that allows only authorized personnel to enter. Also consider temporary walls where appropriate until construction is completed.
Paperless, Clean Desk Policy
The risks of writing down information are immense:
- Your agent may write down information that does not match what they put in the CRM, creating a duplicate record and a possible audit inconsistency.
- Legibility concerns can lead to incomplete or incorrect records when entered into the CRM.
- There is the possibility the written record gets into the wrong hands, causing a HIPAA breach.
By establishing best practices for documenting, including establishing a paperless, clean desk policy, your team can mitigate the risk of paper record breaches. At Telerx, whether our interactions come from healthcare professionals or patients, they are documented in CRMs, which are designed to allow for a paperless workplace.
Locking Up and Archiving Paper Records
However, not all paper can be eliminated – some of the programs we manage for clients involve receiving paper applications and forms. Because of this, we have implemented simple ways to reduce the risk of a breach.
Have your agents do the following to mitigate risk:
- Always account for all paper forms or applications and never leave them unattended.
- Designate a specific area within your access-based area to handle paper forms or applications.
- When your agents must pause their work, have them store their documents in cabinets that are accessible via lock and key.
- Have your agents lock up all documents for the evening.
- Designate a retention schedule and ensure all documents on that schedule are sent for archiving with a HIPAA-compliant vendor.
Taking these steps can keep the records out of malicious hands.
Minimizing Screens, Logging Out, and Locking Workstations
Even the most secure team has visitors, whether it is someone else from the company or the client themselves. To prevent potential breaches, here are some tips to handle this situation:
- Always have your agents lock their workstations.
- Agents should also log out of the CRM each time they leave their desk to prevent someone compromising PHI at their workstation.
There are many ways to reduce the risk of breaching PHI, but implementing these simple suggestions could make your team safer and more compliant.