What is HIPAA and what is it for?
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a law which seeks to protect sensitive patient data. Under HIPAA, healthcare providers are not permitted to provide a patient’s personal information to anyone unless the patient specifically allows them to or requests for them to do so.
Who is required to follow HIPAA?
Most healthcare providers are required by law to protect patient information. These entities include:
- Physicians and Urgent Care Clinics
- Hospitals and Emergency Healthcare Providers
- Psychologists and Therapists
- Chiropractors and Physical Therapists
- Audiologists and Hearing Health Providers
- Nursing Homes
- Dentists and Orthodontists
- Pharmacies
- Health Insurance Organizations
- Medicare or Medicaid Offices
- Other Government Assistance Programs
What does HIPAA do?
HIPAA was established in order to protect private healthcare information from ending up in the wrong hands. In order to prevent this, there are guidelines and rules healthcare entities must abide by in order to help prevent the distribution of client social security numbers, contact information, health records, and other data to the wrong parties.
TECHNOLOGY FOR HEALTHCARE PROVIDERS
How can technology prevent HIPAA violations?
Technology can work to prevent HIPAA breaches and violations by using safeguards to prevent personal health information from being accessed. Secure electronic health records management and patient relationship management programs seek to prevent HIPAA violations by providing healthcare entities with technology that offers the following solutions:
Security of Electronic Health Records
Electronic health records management systems can help healthcare entities prevent the release of sensitive data by preventing the opportunity for physical medical files from being stolen or accessed by unauthorized healthcare providers. Electronic health records systems can also be set up to prevent unauthorized users from accessing sensitive information while still having the option to schedule appointments and view contact information.
Administrative Simplification
Electronic health records systems and patient management software allow healthcare providers to safely and securely correspond with patients through patient portals and other safeguards that are less likely to be accessed by malware, identity thieves, and viruses. This also prevents healthcare workers and patients from having to provide personal health information via the phone, email, or fax.
What safeguards does HIPAA require?
In order to protect private healthcare information, HIPAA establishes 3 HIPAA safeguards for healthcare entities to follow. These include administrative, physical, and technical safeguards to establish security measures.
Administrative Safeguards for HIPAA
Administrative safeguards for HIPAA include requiring employees and business associates to sign contracts agreeing to abide by HIPAA rules and regulations, establishing procedures for employee turnover and new employee training, providing on-site training for employees, establishing passcodes and passwords across all technology platforms and programs, and restricting access to patient health information to employees who must use this information for work-related purposes such as the filing of insurance, accounting and billing, etc.
Physical Safeguards for HIPAA
Physical safeguards for HIPAA include restricting access to offices and facilities, preventing unauthorized workspace or computer use, securing workstations and facilities, preventing devices from being used in unauthorized locations such as away from the clinic or facility, and controlling and monitoring all devices on a consistent basis.
Technical Safeguards for HIPAA
Technical safeguards for HIPAA include auditing systems to prevent malware and virus attacks, protecting systems with passcodes and passwords that are routinely updated, or the use of programs to prevent the release of patient information for unauthorized purposes.
LEARN MORE ABOUT SECURE EHR SYSTEMS
What counts as a HIPAA violation?
HIPAA encompasses many different aspects of a patient’s records, and it’s sometimes confusing to know what constitutes a HIPAA violation and what does not. Some violations are more obvious – an employee providing a patient’s social security number or contact information to the wrong party, for example. Others are not so easily controlled but should be considered violations and handled appropriately nonetheless. These include:
- Stolen Laptops, Cell Phones, or Other Equipment
- Technology Malfunctions
- Malware / Viruses
- Office Break-ins and/or Records Theft
- Former Employee Breaches
- Electronic Health Records System Malfunctions
- Failing to Provide Patients with a Notice of Privacy Policies
- Not Securing EHR Systems and Computers with Passcodes
Other examples of HIPAA violation all healthcare employees should be aware of include discussing protected health information outside of the office or discussed private information in the vicinity of other patients.
How do I report a HIPAA breach?
If your practice is aware of any HIPAA violations, you must report them as soon as possible. If a patient submits a complaint, respond as quickly as possible, conduct a thorough investigation to ensure the breach has been secured, correct and mitigate effects through the use of new technology or restricted access, prepare all relevant documentation and information, and determine if a HIPAA breach has indeed occurred. If your organization has violated any HIPAA standard, you must notify the appropriate parties.
Who do I contact after a HIPAA breach or violation?
For breaches involving less than 500 individuals when there is a strong likelihood personal health information will not be used by an unauthorized person, you are required to notify each party in writing within 60 days of the breach or violation. For breaches affecting more than 500 individuals, or in cases in which personal health information has been used illegally, the individuals affected must be notified as well as media outlets and the U.S. Department of Health and Human Services. You must also disclose who made the breach, who had access to the personal health information, and who the information was sent to in addition to information regarding any measures that have been taken to prevent future breaches or the unauthorized use of the information in question.
How do I report a HIPAA violation?
If you believe an organization has violated HIPAA by revealing the sensitive information of you or another individual, you can file a complaint. If you are a patient seeking to report a HIPPA violation, you can do so online through the U.S. Department of Health and Human Services. Complaints can also be submitted through email or fax. To report a HIPAA violation, you will need the following information:
- Name of Organization in Violation
- Address of Organization in Violation
- Your Name
- Your Address
- Your Telephone Number
- Your Email Address (If Available)
- Brief Description of Incident
- Date of Incident
- Other Relevant or Pertinent Information
- Your Signature and Date Signed
Complaints must be filed within 6 months of the violation and must only be considered a violation under the HIPAA act by an entity required by law to comply with the privacy act.