Not Afraid of HIPAA… YOU SHOULD BE! (Part 1 of 2)
HIPAA, along with all of the guidelines, acts, rules and acronyms tied to its various dates, can seem overwhelming to most people, so in this article we will attempt to cut to the core of the matter and be as clear-cut as possible. We do not, under any circumstances, claim that this article covers every aspect of HIPAA or its various rules, regulations or stipulations. Consider it the “movie box summary” of why you should be concerned with HIPAA and why, if you are in the medical field, you should be doing everything in your power to comply.
Given that Fuse is a Managed Service Provider, we will focus on the IT security portion of HIPAA, specifically as it relates to the Privacy and Omnibus rules. Since 2013, HIPAA has been sending shock waves through the medical and IT industries. In our trade specifically, our HIPAA advisors have stated that clients unwilling to comply should no longer be clients, because they are putting their own business at extreme risk, as well as ours as the MSP! When we first heard that, we thought it was a pretty over-the-top thing to say, that is, until we looked up news articles in which both medical practices and IT firms were forced to face the music and pay very large fines.
Although HIPAA has been around for some time now, and many in the medical field have been doing what they can to follow best practices, there has been a sense in the industry that a HIPAA violation was like tearing the tag off a mattress: nobody ever feared the consequences. That all changed in 2013 with the Omnibus Rule. These days, if you are in the medical field, or any variation of it where your clients are called “patients”, and you do not have a healthy fear of HIPAA or have not made the appropriate changes, you should be doing so at lightning speed!
We have all heard about data breaches such as those at big box retailers where millions of records were released, and despite the fines they faced, these breaches happen so often that we have almost grown numb to them. Quite honestly, what you need to ask yourself is whether you have a bankroll as large as a national box retailer’s. In one instance, 412 patient records were stolen and the associated fine/settlement was $650,000. Let that sink in. Only 412 records, and the price tag was $650,000 – that’s $1,578 a record! Ask yourself: if that happened to your business or practice, what would the outcome be?
The Scary Stories… Yep, They Are Real! (These are just a few)
Important Acronyms, Dates, and Brief Definitions:
HIPAA: Health Insurance Portability and Accountability Act; established August 21, 1996.
PHI: Protected Health Information
EHR: Electronic Health Records
CPOE: Computerized Order Entry System
ePHI: Electronic Protected Health Information
Security Rule: Applies to PHI (Protected Health Information); establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Established on April 21, 2003, with a compliance date of April 21, 2005, and for smaller plans April 21, 2006.
HITECH: Health Information Technology for Economic and Clinical Health; established February 17, 2009. This legislation anticipated a massive expansion in the exchange of electronic protected health information (ePHI). It also addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. It increases the potential legal liability for non-compliance and provides for more enforcement.
Final Omnibus Rule: Strengthens patient privacy protections; compliance date September 23, 2013. This rule modified the HIPAA guidelines with regard to privacy, security and enforcement.
Business Associate Agreement (BAA): The HIPAA Rules generally require that covered entities (medical professionals) and business associates (BAs) enter into contracts to ensure that the BA will appropriately safeguard protected health information. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA, based on the relationship between the parties and the activities or services being performed by the BA.
In all honesty, we do not enjoy writing an article of this nature, one whose purpose is to scare. The reality behind it is that we find many in the medical industry are simply not concerned with securing their IT environment. Or they feel that we, or whoever their IT provider may be, are just trying to sell them on something YET AGAIN. Worse yet, we get push-back because it is not always easy to secure an IT environment without changing the processes and procedures of the business, and that is not always accepted or easily swallowed by the staff involved. Unfortunately, security is an unfriendly trade-off: the more secure the environment, the less user-friendly it is.