Quick tips for behavioral health practices
HIPAA compliance is an important aspect of running a behavioral health practice, as the mismanagement of privacy measures could result in significant consequences for both patient and provider. Similar to the popular healthcare mantra, “an ounce of prevention equals a pound of cure”, taking proactive measures to maintain compliance is a lot easier than managing the consequences of a breach. The following are a few tips for practices interested in guarding against future troubles.
1. Perform ongoing structural risk assessments
How secure is the practice in a physical sense? Can protected health information (PHI) on a computer monitor or on a paper form be viewed through an outside window or from the waiting room? How audible are sensitive conversations to the areas in which non-authorized individuals have access? Also consider the possibility of a physical break-in. Do computers have password protection unique to each user? Are paper records secure?
Many believe the biggest threat to privacy is cyber attackers, but in fact, the majority of breaches are the result of structural compromises or user mistakes.
2. Understand the capabilities (and limits) of technology solutions
Numerous technology solutions are designed to work in tandem with HIPAA requirements by providing secure messaging, encryption, and other desirable feature sets. Some EHR solutions maintain PHI in a secure, cloud-based environment to ensure that even if your laptop is stolen, your patient’s information will still be safe because none of it was stored locally on the device. Such utilities do quite a bit to serve HIPAA compliance, but they can’t do everything. Ultimately, the responsibility falls on the practice itself.
To learn more about how technology helps but does not guarantee HIPAA compliance, click here.
Email is still commonly used by behavioral health practices. It is important to understand that most email providers are not designed around HIPAA requirements, and practices must be realistic about the risks. Provide adequate disclosure of the potential security issues, receive acknowledgement from patients before moving forward, and always discourage communicating PHI through unencrypted channels.
3. Create an effective documentation process for phone calls and texts
If a call with a patient is taken outside the office, what kind of protocols are in place to ensure it is reflected in the practice’s documentation? The same goes with text messages. Often the strongest determining factor in resolving legal disputes is the quality of documentation. Any care-related communication through voice calls or texts, no matter how seemingly brief, must make it into the patient chart.
4. Have a defensible protocol in place should a breach occur
HIPAA breaches can still occur, even with strong prevention measures in place, but having the right protocol in place will help mitigate the problems that result. If a breach occurs, be prepared to describe the breach to the patients affected, including what specific PHI was compromised. Describe corrective action and come up with preventive measures to guard against future breaches of a similar nature. Finally, keep in mind that communication must be in written form unless patients have expressed consent that electronic communication is acceptable.
Maintaining HIPAA compliance requires active participation from providers and staff. Proactively guarding against potential breaches will go a long way in protecting patients and practices from the fallout of a breach.