Maintaining the security of your patients’ records is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act compels the Secretary of the U.S. Department of Health and Human Services (HHS) to ensure that the Department’s regulations provide for the security and privacy of patients’ health information.
Electronic Storage and Transmission in 2018
Since the passage of HIPAA in 1996, new technology has taken the management and sharing of patient health information from its reliance on paper to its reliance on electronic storage and electronic information systems for insurance pre-approvals, claim processing and medical record sharing with other healthcare professionals.
Medical practices have been quick to adopt new technology. They appreciate the ease of computerized physician order entry (CPOE) systems and the convenience of electronic health records (EHR). Almost every aspect of today’s medical practice relies on electronic transmission or storage. Prescriptions are sent electronically, as are radiography records. Second opinions depend heavily on the electronic transmission of the patient’s records.
With this explosion of electronic record transmission activity, has your practice provided sufficient network security to assure that you are in compliance with the HIPAA Security Rule?
What Do the HIPAA Security Rules Require?
Simply put, medical practices are required to protect every patient’s health information that is “created, received, used or maintained” by the medical practice. These are broad requirements. HHS has issued guidelines and risk assessment tools. Medical practices should ensure their IT provider has a clear understanding of the HIPAA requirements. It is not enough just to make sure that patients’ personal information, such as Social Security numbers, is secure. All patient medical records plus electronic messaging must be safeguarded.
Physical safeguards apply to the equipment at your office. You must protect the equipment against natural and environmental hazards and against unauthorized access. These physical safeguards also apply to employees’ homes or other locations from which they remotely access electronic protected health information (ePHI).
The medical practice is required to have a recovery plan in the event of a man-made or natural disaster. Security must be maintained while still allowing physical access for IT personnel. How this is done will vary from facility to facility: large organizations such as a surgical center may be required to post guards, while small offices might only need their staff on the premises.
You must conform to HIPAA guidelines not only in your office but also for remote use of ePHI and for health information transmitted over mobile apps, and you must understand the threat of ransomware.
What If You Experience A Breach?
Federal regulations are clear, and a breach will be costly for your medical practice. Briefly, here are the steps you’ll need to take immediately:
- Fix hardware/software issues immediately to stop the leak of health information.
- Report to law enforcement authorities, including the FBI. You may be told not to make the breach public in order to allow authorities time to investigate.
- Report any threats made to you immediately.
- Inform the HHS Office for Civil Rights (OCR) as soon as a breach is detected, and within 60 days at the latest, if 500 or more persons’ data is compromised.
- You must report the breach to the Secretary of Health and Human Services.
Consequences to Your Medical Practice
Of course, you’ll bear the financial costs of mitigating a HIPAA breach. These include additional IT expenses, legal expenses, the cost of credit monitoring, plus hefty fines and penalties.
A medical breach cannot be remedied the way a financial breach can. Should a patient’s blood type or serious drug allergy be altered in their health record, they could suffer a life-threatening reaction to a blood transfusion or to a drug.
A potentially bigger consequence is the loss of your practice’s reputation. Can you afford to lose patients? Can you afford the risk of lost referrals?
Contact Xecunet and allow us to give your electronic records system a HIPAA checkup and see if you are protected against HIPAA security risks.