12 tips to make your business HIPAA compliant

A common myth among small to medium-sized businesses is that HIPAA compliance only matters for hospitals, clinics, nursing homes, healthcare providers and the like.

Unfortunately, if your company has employees, you probably hold information that falls under HIPAA guidelines. You have health information you are required to protect. If you don’t protect it, you could be subjected to fines that could push your business into the red.

But as a business, you are not only responsible for health information but also for other kinds of private data that, if in the wrong hands, could severely hurt you, your associates and your business. We’re talking about billing records, client lists, W-2s, W-4s, insurance enrollment applications and so on.

So what are the actions you should take as a business to protect your data and to be HIPAA compliant?

To answer this question, we sat down with Bridget Gatewood of Total Compliance Connection, an Oklahoma City-based human resources services provider, and together came up with these preventive measures businesses can take to protect their sensitive data.

Here are some of the tips we came up with:

1. Protect your private copied and printed material.
Do your human resources department and other associates share a copier? If so, you might consider devoting only one copier to that department so what happens in human resources stays in human resources. But if you are a small business and can’t do that, be sure you don’t leave private information on the glass after using the photocopier or on the tray after printing. Retrieve it right away, especially material carrying personal information like social security numbers and such.

(Image: a hard drive.) Before your hard drives leave your possession, always make sure they have no private information on them.

2. Secure your copier hard-drives.
Did you know an image of every document passed through a copier is saved on its hard drive? That includes W-2s, medical insurance forms, identification cards, passports, workman’s compensation paperwork — everything. That’s why it’s so important to learn from your copier leasing company its policy concerning copier hard drives once the lease is up and the device is hauled away. Do they erase the hard drives before redeploying to the next client? Can you keep the drives when they take the machines? Do they destroy the hard drives? If the latter, they should hand you a certificate of destruction, verifying the drive has been rendered useless and your data is safe. Just so you know, as part of our standard procedure for preparing copiers for deployment to a new location, R.K. Black erases their hard drives. If a client requests the hard drives, we will give them the drives for a fee to reimburse us for the cost of replacing them. Also, as part of the document destruction services we offer, we destroy hard drives on location, thanks to a unit built for that purpose on our mobile shredding truck.

Related Reading: Document Security: Shredding alone doesn't cut it

3. Watch your fax machine.
Much like the first tip above, if you and other associates share a fax machine, you might want to keep a close watch on the fax so you can grab the material as soon as it comes through. In addition, when using a fax machine or the fax function on a copier to send personal information, make sure that only the person meant to see it will see it.

4. Back up all of your private and personnel information.
Disasters happen, and like other businesses here in Oklahoma, we know all about that. We’ve got tornadoes, micro-bursts, floods, blizzards and, more recently, earthquakes. For businesses, that means all of those personnel files can one second be safe and dry in a locked file cabinet and the next second be strewn about everywhere and open to the elements. That’s not even talking about fires and other misfortunes that may befall a business. That is why it’s so important to back up your private files, client records, etc.

5. Label and seal personal documents dropped in open office mailboxes.
If your workplace has open, unlocked mailboxes for your associates, then when placing documents with personal information in those boxes, make sure you seal them in an envelope and label the envelope “Confidential.”

6. Implement a security policy for private document transportation.
This helps ensure private documents in transport from one person to another, either through a courier or, say, a fellow associate who just happens to be going that way, reach their intended destination in a safe and timely manner. You might consider requiring the delivering individual to carry a sheet to be signed by the receiver, confirming the materials arrived at their intended destination securely, much like how you sign for registered mail delivered by the USPS.

(Image: files and folders in an office.) Never throw away your private documents. Shred your personal papers when it's time to dispose of them.

7. Never ever throw away private documents when the time comes to dispose of them.
Destroy your documents. Shred your sensitive papers. Many companies have been greatly damaged by information discarded improperly, leaving sensitive information open to identity thieves, competitors and so on. Again, while businesses handling health information will be fined under HIPAA, businesses that handle other sensitive documents instead can come under the hammer of the FTC. For example, in 2007 the federal agency fined a mortgage company $50,000 for tossing credit report information in a dumpster. FTC Chairman Deborah Platt Majoras reiterated the importance of proper document disposal, saying at the time, “Every business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal.” She went on to say that the agency “will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers’ personal information.” As mentioned above, R.K. Black offers a mobile shredding service where our clients can watch their documents get destroyed before their very eyes. We recommend always going with an onsite shredding service as opposed to offsite for these reasons.

Related Reading: Onsite vs. Offsite Shredding: What's the difference and what's best?

8. Never leave private information unsupervised in an unsecured location.
This goes for paper files, computers, thumb drives, mobile devices, etc. A car, for example, is not a secure area — so don’t leave a banker’s box full of HR files or a laptop with private information overnight in your trunk. Your car could be stolen, broken into or vandalized, and that information taken.

9. Always password lock and encrypt your electronic devices containing confidential information.
Building on the previous two tips: you don’t want to place your company in the same boat as a hospital that was fined more than $1.5 million in 2011 after an unencrypted (though password-protected) laptop was stolen from an associate’s locked vehicle, exposing the health information of 9,497 individuals. A login password alone does not protect the data on the disk; encryption does.

10. Lock your computer and secure your desk when you step away.
If handling private papers or information on your computer at your desk, make them inaccessible when you leave, even for a second. Make sure your computer is password protected. When you leave your computer, for a restroom or coffee break, let’s say, make sure the computer locks so no one can access it while you’re not looking. Lock away any personal information on your desk as well.
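Tips 4, 9 and 10 above are easy to state but hard to keep track of across a whole office. The following is an added example, not code from the original article or from R.K. Black, showing how those three tips can be turned into an automated check over a device inventory such as one exported from an asset-management or MDM tool. The inventory rows, the column names and the thresholds (15-minute screen lock, backup within 7 days) are all assumptions constructed for this example.

```python
import csv
import io
from typing import Dict, List

# Constructed sample export, in the shape an asset or MDM tool might produce.
# Every row and value here is made up for illustration.
SAMPLE_INVENTORY = """\
device,owner,disk_encrypted,login_password,screen_lock_minutes,last_backup_days_ago
HR-LAPTOP-01,hr,yes,yes,5,1
HR-LAPTOP-02,hr,no,yes,10,3
FRONTDESK-PC,reception,yes,yes,0,2
SALES-TABLET-03,sales,yes,no,15,40
ACCT-LAPTOP-04,accounting,yes,yes,60,
"""

# Policy thresholds: assumptions chosen for this example, not values from the article.
MAX_SCREEN_LOCK_MINUTES = 15   # tip 10: the screen must lock within this many minutes
MAX_BACKUP_AGE_DAYS = 7        # tip 4: every device must have a backup this recent


def _is_yes(value: str) -> bool:
    """Normalise the yes/no style values that inventory exports tend to use."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_device(row: Dict[str, str]) -> List[str]:
    """Return a list of policy findings for one inventory row (empty means compliant)."""
    findings: List[str] = []

    # Tip 9: the disk must be encrypted AND the device must require a login password.
    if not _is_yes(row["disk_encrypted"]):
        findings.append("disk not encrypted (tip 9)")
    if not _is_yes(row["login_password"]):
        findings.append("no login password (tip 9)")

    # Tip 10: a blank or zero lock timeout means the screen never locks on its own.
    lock = row["screen_lock_minutes"].strip()
    if not lock or int(lock) <= 0 or int(lock) > MAX_SCREEN_LOCK_MINUTES:
        findings.append(
            f"screen lock missing or longer than {MAX_SCREEN_LOCK_MINUTES} minutes (tip 10)"
        )

    # Tip 4: a blank backup age means the device has never been backed up.
    backup = row["last_backup_days_ago"].strip()
    if not backup or int(backup) > MAX_BACKUP_AGE_DAYS:
        findings.append(f"no backup within {MAX_BACKUP_AGE_DAYS} days (tip 4)")

    return findings


def audit_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Audit every row of a CSV export; maps device name to its findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: audit_device(row) for row in reader}


def noncompliant_devices(csv_text: str) -> List[str]:
    """Sorted names of the devices that have at least one finding."""
    return sorted(device for device, found in audit_inventory(csv_text).items() if found)


if __name__ == "__main__":
    # Print a short report a practitioner could hand to whoever owns each device.
    for device, found in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not found else "; ".join(found)
        print(f"{device}: {status}")
```

In the constructed inventory only HR-LAPTOP-01 passes; the other four each violate at least one of the three tips, which is the kind of list you would want before, rather than after, a laptop goes missing from a car.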

11. Mind your conversation and privileged knowledge.
Loose lips sink ships. Be careful not to share private information with those it does not concern. This isn’t just about avoiding gossip; it is about considering the space and the people around you even when sharing information with authorized personnel. Nurses have lost their jobs for sharing patient information with a doctor where another individual overheard. Use a private space. Close the door. Speak in low tones. By the same token, just because you know an associate is having surgery doesn’t mean that associate wants everybody else to know. Sometimes a person in the workplace is undergoing treatment and coworkers think it might be a nice gesture to send a “get well” card or flowers. While well intended, the attention may be undesired and may in fact make for a more unpleasant experience for that individual. If you want to send a company- or department-signed card, make sure the associate is fine with everybody knowing.

12. When using public Wi-Fi, use a VPN or your own mobile hotspot.
That includes the hotspot on your phone, if it is so equipped. It’s very easy for hackers to “tap your line,” so to speak, when you use public Wi-Fi. By using a VPN on public Wi-Fi, your connection is encrypted between your device and the VPN provider, blocking others on the same network from seeing your information.

Related Reading: How to protect your network and data, despite your public wifi-using remote workforce

Hopefully, you find these pointers helpful in keeping you, your business, your associates and your data safe, secure and HIPAA compliant.

More Related Reading:

10 largest HIPAA settlement fines

4 reasons to protect your business with data backup now

About R.K. Black, Inc.

R.K. Black, Inc. is an Oklahoma City-based, family-owned leading provider of office technology solutions to small and medium-sized businesses in Oklahoma and Kansas. We specialize in everything business technology from copier, fax, printer and scanner technology to document management, onsite paper shredding services, VoIP phone systems and managed IT support to video surveillance solutions.

If you want to learn more about us, feel free to explore the website, read our other blogs or contact one of our reps, who will be happy to tell you more! Also, be sure to keep watching our social media channels on Facebook and Twitter for more business tips from our blog.