HIPAA-compliant practices follow the requirements of these laws:
The Health Insurance Portability & Accountability Act (1996) and the HIPAA Privacy Rule (2003) protect ALL individually identifiable patient information, whether written, verbal or electronic (PHI). The Security Rule (2005) protects electronic Protected Health Information (ePHI). The HITECH Act (2009) funded electronic medical records and amended HIPAA; the HIPAA Omnibus Final Rule, released in January 2013, implements those changes.
Do you understand everything involved in order to be in compliance with these laws? Consider these six points:
- The data breach rule has changed. For example, proof of ‘harm’ is no longer required: an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and the loss of a device holding PHI is presumed to be a breach, with few exceptions (data encrypted in line with HHS guidance is the main one).
- Protected Health Information (PHI) is individually identifiable health information and includes treatment and/or diagnostic information.
- Electronic Protected Health Information (ePHI) is PHI in electronic form and includes text, images and voice files on any media.
- Your practice is a “covered entity” under HIPAA. Providers that bill electronically (doctors, hospitals, dentists, chiropractors, physical therapists, nursing homes, pharmacies, labs, etc.), payers (Medicare, insurers, self-insured businesses of any type) and clearinghouses are all “covered entities.”
- You are also responsible for your “Business Associates.” They are NOT covered entities, but they DO come in contact with PHI and ePHI. Examples include shredding companies, paper records storage, IT companies, EHR vendors, copier vendors, lawyers, accountants, collection agencies, etc.
- Don’t forget about these NEW business associates: data centers, online backup companies and cloud vendors. They are your responsibility even if they only ‘maintain’ the data, even if they never look at it, and even if it is encrypted, in locked cabinets or in sealed boxes.
Recent HIPAA penalties to practices like yours have included:
- $100,000 for sending patient data through online mail
- $1.5 million for a lost laptop
- $1.7 million for a lost backup drive
- $50,000 for a lost laptop
Resources you can access online:
| Resource Type | Document / Location | Source |
|---|---|---|
| Guide | NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002 | http://csrc.nist.gov/publications/PubsSPs.html |
| Guide | NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | http://csrc.nist.gov/publications/PubsSPs.html |
| Instructions | How to submit notice of a breach of PHI to the Secretary of HHS; more information about HIPAA | www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html |
| Guides | Additional guidance on how to meet each of the statute's requirements | www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html |
| Guide | HIPAA Security Guidance Document for Remote Use, from HHS and OCR | www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf |