Medical Privacy and Security - Did You Say HIPPO?
So, who is included? Basically, anyone who transmits or receives medically-related information electronically, principally insurance claim information, is considered a covered entity. Since virtually all medical entities now send insurance claim information electronically, just about every practice and medical entity is covered.
HHS has done a reasonable job of publishing information in a form that is useful to smaller entities. Unfortunately, many smaller entities have to one degree or the other taken the "ignorance is bliss" approach. I tend to mentally check off the HIPAA violations I see as I go into various practices as a patient, and they are numerous. As an example, I was sitting in an exam room some months ago, and noticed that the PC in the room had the login information to the EMR (Electronic Medical Records) system stored in the browser. Any patient sitting there waiting a long time for the doctor could have logged in and browsed.
Aside from the risk of causing problems for their patients, the HIPAA regulations do have teeth. Fines for violations start small at $100 per individual violation, but can go up to $50,000 per violation for uncorrected willful neglect. Criminal charges can also be pursued in extreme cases. The good news is that HHS has been too busy to do much enforcement for small entities, but it is best not to assume that lack of attention will continue.
While I cannot do a complete review of HIPAA in a short blog entry, I want to hit the high points. HIPAA is broken down into two rules: Privacy and Security.
The Privacy Rule relates to the protection of patients' PII (Personal Identifying Information) and medical records. This rule is primarily aimed at paper records, or those stored in an in-house EMR system. Its major purpose is to define and limit the circumstances under which patient information can be disclosed. Among the specific requirements of the Privacy Rule are the following:
Develop privacy policies and procedures - This involves the creation of specific rules, consistent with HIPAA requirements, that govern how a particular practice will handle privacy matters.
Privacy official and contact - Each covered practice must designate a privacy official, and a contact to handle consumer inquiries or complaints.
Training - Practices must train staff and volunteers on their rules, and how to follow them.
Data safeguards - Each entity must have appropriate protections in place to make sure that no unauthorized disclosure of information takes place. These might include storing paper records under lock and key, and shredding information that is disposed of.
The Security Rule is primarily focused on the protection of electronic patient information. HHS refers to this as e-PHI (Electronic Protected Health Information), which they define as "all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form." It does not apply to health information transmitted orally or in writing.
The specific requirements of the Security Rule include the following:
Risk Analysis - An entity must conduct a risk analysis, helping to identify what their potential exposures are, and how to address them. This risk analysis must be maintained on an ongoing basis. This is often overlooked by smaller practices, but it is critical in the event of an alleged incident to demonstrate that the entity was making a strong compliance effort.
Security Officer - the rules require the appointment of an official security officer to oversee ongoing security compliance.
Access Control - Access to data must be restricted to those with a specific need, based on their role. For example, the office employee responsible for appointment scheduling would not necessarily need access to specific patient medical information.
Training - As with the Privacy Rule, employee training on security rules and practices is required.
Assessment - A regular evaluation is required as to how well security policies are being followed, and whether they are working.
Physical Safeguards - Facility access must be appropriately limited, and policies and procedures to properly restrict access to individual workstations must be in place.
Technical Safeguards - A variety of technical safeguards must be in place, including: access control to systems and data; audit trails; integrity controls to ensure that unauthorized changes to data do not take place, and that proper backups exist; and transmission security, such as strong encryption measures.
Business Associates - Other organizations that provide services to covered entities must agree to observe the same safeguards as the entity.
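To make the Access Control and Technical Safeguards requirements concrete, here is a small added example (not code from the original post, and not an HHS-specified design) that enforces role-based access to sections of a patient record, writes an audit trail entry for every attempt whether allowed or denied, and keeps an HMAC integrity tag over the record so that unauthorized changes can be detected. The role-to-permission map, the sample patient record, and the HMAC key are all constructed for this example; in the scheduler case from the text, the scheduler role can read appointments but not clinical notes.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical role-to-permission map (an assumption for this example).
# Each role sees only the record sections its job actually needs.
ROLE_PERMISSIONS = {
    "scheduler": {"demographics", "appointments"},
    "nurse": {"demographics", "appointments", "vitals"},
    "physician": {"demographics", "appointments", "vitals", "clinical_notes"},
}

# Constructed sample record; every value here is made up for the example.
PATIENT_RECORD = {
    "demographics": {"name": "Example Patient", "dob": "1970-01-01"},
    "appointments": ["2024-05-01 09:00"],
    "vitals": {"bp": "120/80"},
    "clinical_notes": "example note text",
}

# In-memory audit trail for the example; a real system would write to
# append-only storage that the application users cannot modify.
AUDIT_LOG = []


def can_read(role, section):
    """True if the role is permitted to read the given record section."""
    return section in ROLE_PERMISSIONS.get(role, set())


def audit(user, role, patient_id, section, allowed):
    """Record every access attempt, allowed or denied, with a UTC timestamp."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient": patient_id,
        "section": section,
        "result": "ALLOW" if allowed else "DENY",
    })


def read_section(user, role, patient_id, section, record=PATIENT_RECORD):
    """Return a record section only if the caller's role permits it.

    The audit entry is written before the decision is enforced, so denied
    attempts are visible to whoever reviews the trail.
    """
    allowed = can_read(role, section)
    audit(user, role, patient_id, section, allowed)
    if not allowed:
        raise PermissionError(f"role {role!r} may not read {section!r}")
    return record[section]


def integrity_tag(record, key):
    """HMAC-SHA256 over a canonical JSON form of the record.

    Any change to any field changes the tag; without the key an attacker
    cannot recompute a matching tag after editing the record.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record, key, expected_tag):
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(integrity_tag(record, key), expected_tag)


def denied_attempts():
    """Entries from the audit trail that an assessment reviewer would look at first."""
    return [entry for entry in AUDIT_LOG if entry["result"] == "DENY"]


if __name__ == "__main__":
    key = b"example-key-not-for-production"  # constructed for the demo
    tag = integrity_tag(PATIENT_RECORD, key)
    print("scheduler reads appointments:",
          read_section("alice", "scheduler", "p1", "appointments"))
    try:
        read_section("alice", "scheduler", "p1", "clinical_notes")
    except PermissionError as exc:
        print("denied:", exc)
    print("record intact:", verify_integrity(PATIENT_RECORD, key, tag))
    print("denied attempts in audit trail:", len(denied_attempts()))
```

The point of logging before enforcing is that the audit trail then shows who tried to reach data outside their role, which is exactly what the regular assessment step needs to review. The integrity tag covers the whole record, so it should be recomputed and stored by the same trusted code path that makes legitimate updates, with the key kept out of reach of ordinary application users.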
So, if you are a covered entity with concerns about how well you are following HIPAA requirements, the following are some suggestions about getting started:
Perform a risk analysis, document it, and keep it on file. You can get help from an outside company as needed.
Designate security and privacy officers. This is easy - select people in your organization to be responsible for these areas, and so designate them. They don't necessarily need special training or experience, they just need to be the people with whom the buck stops. Put their names and designations on your web site and in your literature, so it is clear to the world that you are on top of the requirements.
Do a security review. Take a look at your security procedures and systems compared to industry best practices. Identify deficiencies, and fix them. Again, this is an ideal area to get outside help. HHS has published a good checklist to help with this.
Train your team on privacy and security policies.
Hopefully either the importance of protecting your patients or the potential for fines and criminal charges has convinced you of the importance of full compliance. If not, think about how you would feel if your personal medical records were accidentally released. That alone should push you over the edge.