Protecting confidential information is always important. Letting unauthorized parties see personal data is bad for customer relations, and it can lead to lawsuits and loss of business. Some failures are worse than others, though, at least from a legal standpoint. HIPAA compliance is vital.
A business that stores individually identifiable medical information may be subject to the requirements of HIPAA, the Health Insurance Portability and Accountability Act of 1996, and HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009. Since HITECH basically expanded and updated the scope of HIPAA, it’s common to talk about both of them together as HIPAA requirements.
HIPAA compliance originally applied only to organizations directly involved in health care, but HITECH expanded security and privacy requirements to their business associates. Any business with a substantial quantity of ePHI records needs to check whether it’s required to comply.
A breach of the security and privacy rules can result in heavy fines. In 2014 the Office of Civil Rights investigated over 15,000 complaints of alleged violations. The annual number is still rising.
Compliance requires physical, technological, and administrative safeguards to make sure there are proper limits on access to electronic personal health information (ePHI).
The business needs to control physical access to information. It has to keep unauthorized people away from places where they might see it. Workstations near public areas should never be left unattended with confidential information on them.
Technological protection includes access control and encryption. It’s mandatory to encrypt all ePHI that’s stored on a system. Contingency plans need to be maintained in case of a data breach.
On the administrative side, a business needs to control who has access to information and log its use. Training in proper handling of confidential information is necessary. It’s mandatory to report any breach promptly.
The Advocate Health Care Network recently agreed to a $5.5 million settlement after being cited for several HIPAA violations. At the same time, the Office of Civil Rights is paying increased attention to small breaches.
The effort of making sure there are no HIPAA violations may require investing some time and money, but it’s well worth it considering the potential cost of a violation. AE Technology Group’s HIPAA consulting can help to make sure you’re doing what’s required. Contact us to learn more.