The Health Insurance Portability and Accountability Act (HIPAA) was originally implemented to protect people from losing health insurance if they changed jobs or had pre-existing health conditions. However, more recently it is being used to reduce the cost and administrative burdens of healthcare transactions and to develop standards and requirements to protect the privacy and security of personal health information.
According to the privacy and security rules, healthcare organizations are required to adopt processes and procedures to ensure the highest degree of patient confidentiality. Patients expect their information to be secure and depend on healthcare practices to ensure it.
Personal Health Information or PHI can be created, transmitted and stored in various formats, such as verbal or written commitments, computer software or hardware, and various other forms, all of which need security and confidentiality to be implemented. PHI may include various patient health records like lab results and medical history, and even personal information like name, birth date, social security number, email, etc. Such information can easily be used to commit identity theft.
This is where HIPAA comes in. Its main objective is to keep all the records safe. A covered entity under it may not use or disclose protected health information unless a patient explicitly authorizes its disclosure in writing. However, in some cases disclosure without prior permission is allowed:
- If the disclosure is to any individual that has been authorized by the patient
- If it is for treatment, payment or general health care operations
- If the individual has the opportunity to agree or object to a disclosure
All practices are required to provide patients with a Notice of Privacy Practices or NPP. The NPP must notify patients of the uses of PHI as well as the disclosures that the practice may make. The notice should define the patient’s rights to access and amend their medical information. The individuals have the right to review and obtain a copy of their protected health information, except in certain circumstances. Reasonable fees may be imposed by the practice for the cost of copying and fulfilling the patient’s request.
It must be ensured that when PHI is disclosed, only the minimum necessary information to accomplish the purpose of the disclosure request is used. Practices must identify those employees who need access to PHI to carry out their jobs. Access to PHI should ideally be limited to a “need to know” basis. For non-employees, the amount of PHI must be limited to what is specifically needed to accomplish the work. Ethical obligations and a good sense of judgement must be employed at all times.
The HIPAA security rule requires covered entities to implement the administrative, physical and technical safeguards to ensure that medical information is stored, received and transmitted in a safe and secure manner.
Administrative safeguards require practices to create and maintain updated policies and procedures for employees to learn and follow to help maintain the security of PHI.
Examples of policies are:
- Acceptable use policies to help train employees on their access rights and responsibilities when handling PHI
- Sanction policies are needed to discipline employees who violate HIPAA law
- Information access policies grant appropriate access to computer workstations, health records and transactions and other programs or processes
- Security awareness training must be implemented so employees are trained and reminded of policies and procedures relating to software updates, computer log-in monitoring, password updates and other key security measures
- Contingency planning, so that adequate preparation, policies and procedures are in place to respond to an emergency such as a fire, vandalism or a natural disaster. An incident and emergency response plan must be created, tested and revised, and all critical activities must have a designated owner
Technical safeguards are in place because practices need procedures and the right software and equipment to protect PHI. Such safeguards must implement technical policies and procedures to allow access to only those people who need access to do their jobs and should incorporate encryption and decryption in backing up, restoring and transmitting electronic patient information. Policies and procedures must be set up to destroy PHI when it is no longer necessary to fulfil a job or function.
Physical safeguards are implemented to protect the location and devices within your practice. Facility access controls must be created and all access must be monitored. It is important to understand and monitor who is accessing the practice and to put security measures in place prior to and after a potential incident.
To administer these safeguards, HIPAA requires that every practice designate a HIPAA security officer and a HIPAA privacy officer; it can be the same person, if appropriate. These two people play key roles in leading the implementation and training of HIPAA requirements for your practice. Enforced by the Office of Civil Rights, a division of Health and Human Services, penalties can be up to $50,000 per penalty per violation and increase up to $1.5 million per identical penalty. Civil and criminal penalties may apply, depending on the offence.
With HIPAA’s omnibus rule, covered entities were expanded to include a practice’s business associates: auditors, consultants, IT companies, etc. So now, when a doctor takes notes in a medical chart or an assistant enters health information into a report or online program discussing a patient’s condition, any entity that is also in contact with this information is governed under HIPAA. The rule requires that updated business associate agreements are executed between the practice and all business associates.
In order to make your practice’s compliance with HIPAA smooth and efficient, employ GRC management tools like VComply. VComply ensures that your organization is meeting its compliance obligations regularly. You don’t need to worry about constantly keeping a check on your compliance needs; VComply does all that for you, making your work much easier. Especially in the healthcare sector, where policies are constantly being updated, such software can be of immense help in keeping your practice right on track, both legally and organizationally.
It is of utmost importance to do everything necessary to protect a patient’s private information and to comply with the HIPAA Security and Privacy Rules. Besides the hefty fines levied, the practice’s reputation is at risk if any violation of the HIPAA law occurs or if patient information is compromised. Therefore, it is your duty to contribute to developing a culture of compliance and data security for your practice.
It is advisable to report any suspicious activity to your supervisors as soon as possible. As long as you have your patients’ best interests at heart, your mind can be at peace with the HIPAA laws.