Is Your Medical Office’s IT HIPAA Compliant?
HIPAA compliance should be a top priority for all medical practices. Originally signed into law back in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is designed to enhance the privacy of healthcare patients by requiring practices, which are referred to as covered entities, to follow certain rules.
HIPAA Audits Are on the Horizon
The Office of Civil Rights (OCR) conducts random audits of covered entities to ensure they are compliant. Earlier this year, St. Elizabeth’s Medical Center in Brighton, Massachusetts agreed to pay a settlement of $218,400 for alleged HIPAA violations. Jocelyn Samuels, director for the OCR, said the medical facility failed to properly analyze security risks when using an online document sharing program to store and access data containing Electronic Protected Health Information (EPHI).
While the OCR has already conducted its first round of audits for 2015, a second phase is expected to begin within the upcoming months. Therefore, it’s critical that medical practitioners and other covered entities brush up on their HIPAA compliance.
HIPAA Privacy Rule
The most important elements of HIPAA are the Privacy Rule and Security Rule. As the name suggests, the Privacy Rule pertains to the access, use and storage of Protected Health Information (PHI). It lays out rules for the manner in which covered entities are allowed to disclose PHI, and it provides guidelines on administrative steps covered entities must take to keep PHI secure.
Each covered entity must designate a worker to be the Privacy Officer. This person is responsible for maintaining compliance with the HIPAA Privacy Rule, as well as training other workers on the nuances of this Rule and what it entails.
HIPAA Security Rule
While the Privacy Rule covers all forms of Protected Health Information, the Security Rule specifically addresses Electronic Protected Health Information (EPHI). As technology becomes more and more commonplace in the healthcare setting, laws must be updated to protect the privacy of patients, as is the case with the HIPAA Security Rule. If your medical practice stores patient files on a computer network, for instance, you must take meaningful and appropriate measures to ensure it is protected against hackers and unauthorized access. Failure to do so could result in a fine or other penalties if you are ever audited.
Among the details included in the HIPAA Security Rule are various safeguards, such as physical safeguards, technical safeguards, and administrative safeguards. A physical safeguard is any tangible measure that can be used to enhance the security of EPHI (e.g. locked doors, privacy screen protectors, window film). Technical safeguards, on the other hand, consist of intangible measures to enhance the security of EPHI (e.g. encrypted files, unique user identifications, firewalls). Administrative safeguards involve the use of administrative procedures (e.g. policies, workforce training, risk analysis) to enhance the security of EPHI.
Hopefully this will give you a better idea of HIPAA and how to ensure your medical practice is compliant. Many IT providers don’t understand how critical an issue this is for the medical industry. Fortunately, as a TechWorks customer, your HIPAA compliance is regularly audited and assessed by our team. You can rest assured that our team places top priority on the security and safeguarding of your EPHI.