22 March 2023
The life of a physician rarely allows for extracurricular studies in operational system security. However, a practice’s professional health relies on being HIPAA compliant. Even though you think you are HIPAA compliant, you have a nagging fear that your sensitive patient information (PHI) could be at risk or compromised. Time isn’t a luxury for you, and information technology isn’t your wheelhouse, so safeguarding data continues to feel like an albatross slowly choking your air supply…
HIPAA was born of a need to protect patient records, as well as to develop standards for consistency in the health care industry. Under HIPAA, organizations adhere to standards related to protecting their information systems, allowing patients to relax knowing their personal medical information will stay confidential. This act applies to any health care provider, health plan or clearinghouse (collectively “Covered Entities”) that electronically maintains or transmits health information pertaining to patients. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data.
Why comply?
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which implemented stricter penalties for HIPAA violations and expanded the set of organizations bound by HIPAA regulations to include business associates of medical offices.
Penalties under the HITECH Act can extend up to $250,000, with repeat or uncorrected violations reaching up to $1.5 million; criminal penalties include not just these fines but prison sentences as well. Non-compliant organizations stand to lose something more critical: customers and business partners who recognize the bad business of those who do not sufficiently safeguard their electronic protected health information. Game over. Thanks for playing, and remember: the house always wins…
Announced January 17, 2013, the HIPAA final omnibus rule implemented a number of new privacy protections, expanding some of the obligations of Covered Entities to “Business Associates”. These associates are defined by the Department of Health and Human Services (HHS) as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Essentially, any person or entity that needs to access your information is held responsible. What happens when your practice experiences a simple human error and a system of safeguards isn’t in place?