The health care industry, like many others, is increasingly moving away from paper-based systems to relying on new and evolving technologies to deal with cases and claims, share health information (including radiological, pharmaceutical, and pathological), and carry out myriad other clinical and administrative services and functions.
With the increased digitization of processes and information comes an increased risk of data privacy and security breaches affecting individual patients, health care professionals, and organizations.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted in the United States to, among other things, protect an individual's personal health care-related information. Its implementing regulations include the HIPAA Privacy Rule and the HIPAA Security Rule: the Privacy Rule establishes national standards for the protection of certain health information in any form, while the Security Rule establishes a national set of security standards for protecting that information when it is held or transmitted in electronic form by organizations called "covered entities." The Security Rule, which governs the development, management, and storage of electronic health information, became enforceable for most covered entities in 2005.
The following is a brief overview of HIPAA requirements for covered entities and their business associates.
Who are "covered entities"?
Broadly, the HIPAA Privacy Rule applies only to “covered entities” (being health plans, health care clearinghouses and certain health care providers who transmit health information in electronic form), and the “business associates” they use to carry out their health care services and functions.
What information is protected?
Broadly, all individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits in electronic form (e-PHI) is covered by the HIPAA Security Rule. This includes, for example, e-mailed lab reports, electronically submitted insurance claims, scanned consent forms, and electronic patient records. Note the scope difference between the two rules: the Privacy Rule protects PHI in any form (including paper records, printouts, and paper faxes), while the Security Rule's safeguards apply specifically to PHI in electronic form.
HIPAA compliance: Key physical and technical safeguards
Physical safeguards include maintaining:
Limited facility access/authorized access procedures.
Policies concerning the use and access to workstations and electronic media.
Restrictions on transferring, removing, disposal of, and reusing electronic media and e-PHI.
Technical safeguards include:
The use of unique user identification, emergency-access procedures, automatic logoff, and encryption and decryption processes.
The preparation of audit reports, or tracking logs, recording access activity.
There are a range of other technical policies for HIPAA compliance dealing with, for example, integrity-of-data controls, IT disaster recovery, and device, network, or transmission security against unauthorized access to e-PHI.
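The technical safeguards listed above are easier to reason about in code than in prose. The following is an added example (it is not code from the original article) of a minimal e-PHI access layer that implements three of them: unique user identification (every session is bound to one user ID), automatic logoff after a period of inactivity, and an audit log that records every access attempt, including a logged "break-glass" path for emergency access that is permitted but flagged for review. The users, authorizations, record, timeout value, and the injectable clock are all constructed for the demonstration.

```python
"""Added example, not code from the original article: a minimal e-PHI access
layer showing unique user identification, automatic logoff, audit logging,
and a logged emergency-access (break-glass) procedure. All users, records,
and the timeout value are constructed for the demo."""
import secrets
from dataclasses import dataclass

# Constructed sample data. Real deployments hold this in the EHR and IAM systems.
USERS = {"u-1001": "dr.alvarez", "u-1002": "nurse.chen"}
AUTHORIZED = {"u-1001": {"MRN-0001"}, "u-1002": set()}   # normal (non-emergency) entitlements
RECORDS = {"MRN-0001": {"dx": "hypertension", "allergies": ["penicillin"]}}
IDLE_TIMEOUT_S = 600   # assumed policy value: automatic logoff after 10 minutes idle


class FakeClock:
    """Constructed clock so the idle timeout can be exercised without waiting."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    user_id: str
    last_activity: float


class PhiAccessLayer:
    def __init__(self, clock):
        self.clock = clock      # injected for determinism; use time.time in production
        self.sessions = {}      # opaque session token -> Session
        self.audit_log = []     # append-only list of access events

    def _log(self, user_id, action, record_id, outcome, reason=None):
        self.audit_log.append({"ts": self.clock(), "user_id": user_id, "action": action,
                               "record": record_id, "outcome": outcome, "reason": reason})

    def login(self, user_id):
        """Unique user identification: one session per individual user ID, no shared logins."""
        if user_id not in USERS:
            self._log(user_id, "login", None, "denied:unknown-user")
            raise PermissionError("unknown user id")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user_id, self.clock())
        self._log(user_id, "login", None, "ok")
        return token

    def read_record(self, token, record_id, break_glass=False, reason=None):
        session = self.sessions.get(token)
        if session is None:
            self._log(None, "read", record_id, "denied:no-session")
            raise PermissionError("no active session")
        now = self.clock()
        if now - session.last_activity > IDLE_TIMEOUT_S:
            del self.sessions[token]                    # automatic logoff
            self._log(session.user_id, "read", record_id, "denied:auto-logoff")
            raise PermissionError("session expired by automatic logoff")
        session.last_activity = now
        if record_id not in RECORDS:
            self._log(session.user_id, "read", record_id, "denied:no-such-record")
            raise KeyError(record_id)
        if record_id in AUTHORIZED.get(session.user_id, set()):
            self._log(session.user_id, "read", record_id, "ok")
        elif break_glass:
            if not reason:
                self._log(session.user_id, "read", record_id, "denied:break-glass-no-reason")
                raise ValueError("break-glass access requires a documented reason")
            # Emergency-access procedure: permitted, but flagged for mandatory review.
            self._log(session.user_id, "read", record_id, "ok:break-glass", reason)
        else:
            self._log(session.user_id, "read", record_id, "denied:not-authorized")
            raise PermissionError("not authorized for this record")
        return RECORDS[record_id]

    def events_needing_review(self):
        """The audit-report view a privacy officer checks: every denial and every break-glass use."""
        return [e for e in self.audit_log if e["outcome"] != "ok"]


if __name__ == "__main__":
    clock = FakeClock()
    layer = PhiAccessLayer(clock)
    tok = layer.login("u-1001")
    layer.read_record(tok, "MRN-0001")
    clock.advance(IDLE_TIMEOUT_S + 1)
    try:
        layer.read_record(tok, "MRN-0001")
    except PermissionError as exc:
        print("after idle period:", exc)
    tok = layer.login("u-1002")
    layer.read_record(tok, "MRN-0001", break_glass=True, reason="ED arrival, patient unresponsive")
    for event in layer.events_needing_review():
        print(event)
```

Two design points matter for compliance reviews: the audit log is written on every outcome, denied or allowed, so the "tracking log" safeguard has no gaps an attacker can exploit by triggering errors; and the break-glass path never bypasses logging, so emergency access is usable in a crisis yet always leaves a reviewable, reason-bearing record.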
Health care professionals and the need for a data protection strategy
Covered entities, and their business associates, need to meet a growing demand for access to e-PHI while protecting that same information and meeting HIPAA compliance requirements.
It is vital that these organizations continue to maintain, review, and upgrade their data protection systems and solutions to protect e-PHI – while allowing the secure sharing and storage of such data.
Ways to do this include implementing, maintaining, and periodically auditing, reviewing, and upgrading (as required):
A data/document management solution that can store, track, and report on use of and access to e-PHI, that scales to the organization's needs, and that supports unique user IDs and encrypted storage and transmission.
A regular and ongoing risk analysis program covering the organization’s data security management processes.
An organization-wide culture of compliance regarding data privacy and security.
Data security policies and procedures for the organization (including business continuity, disaster recovery and off-site data backup).
A system of appropriate authorization relating to access to e-PHI, and ongoing training and supervision of the organization’s workforce who deal with e-PHI – with appropriate sanctions for those who fail to abide by the organization’s policies, systems, and processes.
Business associate contracts.
The increased use of non-paper-based systems for patient care has huge privacy and data security implications for individuals, health care professionals, and health care industry organizations. It is vital for health care professionals to know their obligations under HIPAA.
Webatron Internet Solutions, Inc can help you become HIPAA Compliant. Visit our Security & Compliance page.