With the recent announcement of a second major retailer’s credit and debit card security breach in the past 12 months, we can’t help but go on heightened alert when it comes to data protection. Financial transactions are certainly of concern for physicians and medical centers. However, the privacy and security of individually identifiable health information as dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) takes center stage.
HIPAA places stringent requirements on all covered entities. To comply, your practice must:
- Ensure the confidentiality, integrity, and availability of all protected health information (PHI) your practice creates, receives, maintains or transmits;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by your entire staff.
Security measures will vary based on each entity’s size, complexity, technical infrastructure (hardware, software, communications network), costs of compliance, and likelihood and impact of potential threats. A periodic risk assessment by an experienced data security professional can help you define reasonable and appropriate security measures and keep you apprised of new threats and concerns.
Someone in your practice or center should be designated as your security official and assume responsibility for developing and maintaining security policies and procedures. These policies and procedures – and all changes thereto – must be communicated to all staff members on a timely basis such that they are clear on their duties and responsibilities.
In addition to restrictions on physical access, you’ll need to develop technical policies and procedures regarding PHI. Such policies and procedures must include, but are not limited to:
- Access controls to electronic PHI
- Audit controls to record and examine activity related to electronic PHI
- Integrity controls to ensure that electronic records have not been altered improperly or destroyed
- Transmission security to ward off unauthorized access via data communications networks
You must act swiftly to address any errors or omissions in your security provisions and remedy any potential or known breach. HIPAA requires covered entities to report data breaches to the affected individuals, the U.S. Department of Health and Human Services, and, in some cases, the media.
In summary, HIPAA compliance is serious business with enough complexity, cost, and exposure to risk to warrant serious attention and professional support. Contact us if you would like our expert advice to help you chart the path forward.