The HIPAA Privacy Rule: Four Business Basics
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, changed the way businesses in the healthcare industry treat patient data. Today, the HIPAA privacy rule continues to be a guiding force when setting up new record systems, expanding services, or simply managing patient information from day to day.
HIPAA did not invent the idea of medical record security, but it created a federal standard to replace the various state standards, making it easier to transfer medical information between states. HIPAA is updated as technology changes to make room for new types of data and, most notably, electronic communication - in particular as it relates to the cloud and access to medical records via mobile devices.
But with the speed and simplicity that information can be shared in the digital age, liability is always a concern. This makes a working knowledge of HIPAA's guidelines essential when selecting an EMR platform, both for the privacy of your patients and the accountability of your practice.
These four points sum up the basics of this ubiquitous privacy law.
1. General Information Protection
HIPAA requires "covered entities" in the healthcare industry (those that deal with confidential patient information) to guard both protected health information (PHI) and its digital version, e-PHI. PHI includes any individually identifiable health information, which must stay confidential, accurate, and only available to the patient and other permitted entities.
To protect PHI, businesses must limit physical access to their facilities and create appropriate policies to govern who is authorized to view health data. Workstations should have basic security measures in place so people cannot simply walk in and pick up whatever information they want. This applies to all unauthorized employees as well as outsiders.
2. Electronic Security
With the rise of electronic data, HIPAA began to focus more clearly on electronic security measures. HIPAA does not prescribe specific security technologies, but all covered entities must consider the size and complexity of their security systems, the technical infrastructure, the costs of necessary security measures, and the level of risk to any e-PHI. If an unauthorized person can enter a business computer system and find private data without running into any login screens, the business definitely has security issues. Access control and integrity control are a must.
A business should also conduct security system audits to continue to improve its security capabilities. When health information is transferred to another entity, "technical security measures" must be in place to guard that data. If there is a security breach, it must be solved with new safeguards.
3. Disclosure Management and Training
PHI privacy works both ways. HIPAA, while protecting data against theft and tampering, also allows patients to have full access to all their PHI and any changes that are made to it. When medical information is used, businesses must disclose how it is used and inform patients concerning their privacy practices. If a patient wants to access personal medical records, access is always allowed, provided their identity can be authenticated.
Disclosure management between patients, other business entities, and employees themselves can become complex. The HIPAA privacy rule requires appropriate training and supervision practices in the healthcare workplace that teach employees the necessary guidelines.
4. Special Requests
Patients have the right to make special requests concerning their own PHI. They might request that health information be switched to a different address, or that healthcare organizations do not call their work phone numbers. These requests should be honored.
As technology advances, so too do the means with which to take advantage of it. As we've seen in the breaches of some of the nation's largest firms and government institutions, a continuously evolving state of security is paramount, but never infallible. So when evaluating EMR solutions: the more security, the better.