Since April of 2003, OCR has received over 213,561 HIPAA complaints.
Are you reading that title and thinking to yourself, “that sounds familiar, but I’m not sure what it is?” If you are, that is likely because you are used to seeing the acronym HIPAA. All healthcare professionals are aware of this term because it creates a foundation for many of your office processes. Though it is likely you are familiar with this Act, do you know what it means, and why it was created?
Why was HIPAA created?
HIPAA was first passed in 1996 by Health and Human Services (HHS). At the time, the Act was created mainly to improve “the portability and accountability” of coverage by health insurance providers when people transition between jobs. The Act’s other goals were to protect insurance from waste, fraud, and abuse.
From this, and from the initiatives to simplify the administration of insurance, came the shift toward computerized health records. Jumping ahead to 2009, the HITECH Act, or Health Information Technology for Economic and Clinical Health Act, was brought to life along with Meaningful Use. This act now covers business associates (companies like MicroMD) as well as covered entities that are involved in the use or disclosure of PHI, or protected health information.
Who is obligated to follow HIPAA?
The umbrella term for the individuals and organizations that must follow HIPAA rules is “covered entities.” Covered entities include health plans, most health care providers (doctors, clinics, nursing homes, and pharmacies), and healthcare clearinghouses. As stated earlier, other third-party vendors that have access to patient PHI are also included under HIPAA and must adhere to its rules and regulations.
What does this mean for my practice?
HIPAA revolves around the following rules: the HIPAA Privacy Rule, the HIPAA Security Rule, the Breach Notification Rule, the Omnibus Rule, and the Enforcement Rule. Each of these rules breaks down different standards and procedures that will be important to different individuals at your office. For example, the HIPAA Privacy Rule dictates that patients have the right to access their medical records and that a practice must provide them within a 30-day period. This rule also enables “business associates” to have access to PHI, and makes it necessary for doctors to obtain consent before providing patient information to some third-party entities.
Common HIPAA Violations
If you or a member of your practice violates or fails to comply with HIPAA rules, there are penalties and fines that may accrue. The following five are some of the most commonly violated HIPAA rules and standards:
- Risk Analysis Failure – HIPAA requires that covered entities and business associates complete a regular risk analysis to identify vulnerabilities within their practices and/or businesses.
- Lack of Encryption – With this violation, it is important to note that encryption is not a mandatory requirement of HIPAA. That being said, many breaches of ePHI have resulted from practices not encrypting information.
- Error in Disposal of PHI – When it comes time to “rid” your practice of PHI, it must be rendered “unreadable, indecipherable, and otherwise cannot be reconstructed.” There are different processes that must be followed for paper and for electronic records.
- Security Awareness Training Failure – Everyone, covered entities and business associates alike, is required to undergo security awareness training. This needs to be done regularly.
- Risk Management Failures – Once a risk analysis is completed, any risk that is identified must be subjected to a HIPAA risk management process. If this is not done, the covered entity or business associate is breaking a fundamental requirement of the HIPAA Security Rule.
When is the last time your practice did a routine risk analysis? What risks did you come up with? Let us know in the comment section below.