Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Business reasons to get compliant with HIPAA

Rosemarie Nelson
Physician
September 16, 2010
29 Shares
Share
Tweet
Share

In addition to providing those incentive dollars for meaningful use of a certified EHR, the Health Information Technology for Economic and Clinical Health Act (HITECH) significantly strengthened aspects of the HIPAA security rule, including the penalties imposed under HHS and the Office of Civil Rights.

If you are a “Covered Entity” (CE) or “Business Associate” (BA) it’s time to get serious, the deadline to be fully compliant with these final HIPAA rules has now passed.

Remember, HIPAA comprises three sets of standards — transactions and code sets, privacy, and security. The goal was to:

  • Simplify the administration of health insurance claims and lower costs
  • Give individuals more control over and access to their medical information
  • Protect individually identifiable medical information from threats of loss or disclosure

But this is not news! The HIPAA Security Final Rule was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003.

Most covered entities had two full years — until April 21, 2005 — to comply with these standards.

The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.

In general, the HIPAA Security Rule protects electronic patient health information (EPHI) whether it is stored in a computer or printed from a computer.

The Security Rule is comprehensive including 18 regulation standards defining what safeguards to implement and 35 specifications that describe how those standards must be implemented. The documentation requirements for the Security Rule are daunting to say the least.

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!

To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.

The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

What is new? Enter the HITECH Act, called a “game-changer” and “ground-breaking”.

Without a doubt, HITECH requires the largest and most consequential change to the federal privacy and security rules ever.

In 15 areas, HITECH brings new federal privacy and security provisions that will have major financial, operational and legal consequences for all medical practices, hospitals, health plans, and their “business associates.”

HHS Secretary Kathleen Sebelius made clear the importance of privacy and security in announcing the “Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH” recently: “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.

Your analysis should include administrative, physical, and technical safeguards as well as organizational requirements and policy and procedure documentation requirements.

Examples of items in your risk assessment are in the following table:

Implementation Specification Assessment Item
Policy and Procedure Recommendation
Technical safeguard Is your Protected Health Information (PHI) data encrypted? Discuss options with your vendor for how best to encrypt patient data. Implement policies to periodically confirm that your encryption processes are up to date.
Physical safeguard Workstation security Develop policies for limiting workstation access during off-hours by unauthorized employees.
Administrative safeguard Termination procedure Document what the practice does to prevent unauthorized access to PHI by former employees.
Technical safeguard Backup and recovery Document your data backup plan, disaster recovery plan, and emergency mode of operations plan.

In addition to plowing through the Final Rule, there are other resources available to help you assess and document your risk analysis, including a whole industry built around HIPAA and HITECH compliance. Here are three websites that offer — for a price — toolkits and training: www.hipaasecurityassessment.com, www.training-hipaa.net, and www.hitechanswers.net.

Aside from the importance of keeping your dealings with your patients confidential, there’s a solid business reason for getting compliant: New penalties for violating HIPAA and HITECH Act security regulations are enormous — up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, and untold damage to your reputation and mine.

Rosemarie Nelson is a principal with the MGMA Health Care Consulting Group.

Originally published in MedPage Today. Visit MedPageToday.com for more practice management news.

Prev

Can scientific knowledge overcome uncontrollable food behavior?

September 16, 2010 Kevin 7
…
Next

Goals when starting medicine and how some have been disillusioned

September 16, 2010 Kevin 7
…

Tagged as: Patients, Primary Care

Post navigation

< Previous Post
Can scientific knowledge overcome uncontrollable food behavior?
Next Post >
Goals when starting medicine and how some have been disillusioned

More by Rosemarie Nelson

  • a desk with keyboard and ipad with the kevinmd logo

    Increase patient and provider satisfaction by reducing phone messages

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    How to improve patient engagement

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    What’s your plan for the transition to ICD-10?

    Rosemarie Nelson

More in Physician

  • Skydiving and surgery: How one doctor translates high-stress training to saving lives

    Alexandra Kharazi, MD
  • Don’t be caught off guard: Read your malpractice policy today

    Aaron Morgenstein, MD & Laura Fortner, MD
  • The dark side of medicine: an urgent call to action against greed

    Don Gaede, MD
  • Dr. Glaucomflecken for president!

    Aaron Morgenstein, MD & Amy Bissada, DO & Corinne Sundar Rao, MD
  • What is driving physicians to the edge of despair?

    Edward T. Creagan, MD
  • Do residents deserve the title of physician?

    Anonymous
  • Most Popular

  • Past Week

    • The real cause of America’s opioid crisis: Doctors are not to blame

      Richard A. Lawhern, PhD | Meds
    • Healing the damaged nurse-physician dynamic

      Angel J. Mena, MD and Ali Morin, MSN, RN | Policy
    • The struggle to fill emergency medicine residency spots: Exploring the factors behind the unfilled match

      Katrina Gipson, MD, MPH | Physician
    • What is driving physicians to the edge of despair?

      Edward T. Creagan, MD | Physician
    • Deaths of despair: an urgent call for a collective response to the crisis in U.S. life expectancy

      Mohammed Umer Waris, MD | Policy
    • Beyond the disease: the power of empathy in health care

      Nana Dadzie Ghansah, MD | Physician
  • Past 6 Months

    • The hidden dangers of the Nebraska Heartbeat Act

      Meghan Sheehan, MD | Policy
    • The real cause of America’s opioid crisis: Doctors are not to blame

      Richard A. Lawhern, PhD | Meds
    • The vital importance of climate change education in medical schools

      Helen Kim, MD | Policy
    • The fight for reproductive health: Why medication abortion matters

      Catherine Hennessey, MD | Physician
    • Nobody wants this job. Should physicians stick around?

      Katie Klingberg, MD | Physician
    • Resetting the doctor-patient relationship: Navigating the challenges of modern primary care

      Jeffrey H. Millstein, MD | Physician
  • Recent Posts

    • The endless waves of chronic illness

      Michele Luckenbaugh | Conditions
    • Skydiving and surgery: How one doctor translates high-stress training to saving lives

      Alexandra Kharazi, MD | Physician
    • Telemedicine in the opioid crisis: a game-changer threatened by DEA regulations

      Julie Craig, MD | Meds
    • How this doctor found her passion in ballroom dancing [PODCAST]

      The Podcast by KevinMD | Podcast
    • Surviving and thriving after life’s most difficult moments

      Rebecca Fogg, MBA | Conditions
    • Don’t be caught off guard: Read your malpractice policy today

      Aaron Morgenstein, MD & Laura Fortner, MD | Physician

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

CME Spotlights

From MedPage Today

Latest News

  • Make the Diagnosis: This Bump on His Nose is a Tricky Diagnosis
  • CRT Regimen Boosts Complete Response Rate in Unresectable Vulvar Cancer
  • Fla. Doc Charged With Murder; McConnell Exits Rehab Facility; BPA on Store Receipts
  • FDA Faults Next-Gen Olympus Duodenoscopes
  • CDK4/6 Inhibition Active in Recurrent Low-Grade Serous Ovarian Cancer

Meeting Coverage

  • CRT Regimen Boosts Complete Response Rate in Unresectable Vulvar Cancer
  • CDK4/6 Inhibition Active in Recurrent Low-Grade Serous Ovarian Cancer
  • Switch to IL-23 Blocker Yields Deep Responses in Recalcitrant Plaque Psoriasis
  • Biomarkers of Response With Enfortumab Vedotin in Advanced Urothelial Cancer
  • At-Home Topical Therapy for Molluscum Contagiosum Gets High Marks
  • Most Popular

  • Past Week

    • The real cause of America’s opioid crisis: Doctors are not to blame

      Richard A. Lawhern, PhD | Meds
    • Healing the damaged nurse-physician dynamic

      Angel J. Mena, MD and Ali Morin, MSN, RN | Policy
    • The struggle to fill emergency medicine residency spots: Exploring the factors behind the unfilled match

      Katrina Gipson, MD, MPH | Physician
    • What is driving physicians to the edge of despair?

      Edward T. Creagan, MD | Physician
    • Deaths of despair: an urgent call for a collective response to the crisis in U.S. life expectancy

      Mohammed Umer Waris, MD | Policy
    • Beyond the disease: the power of empathy in health care

      Nana Dadzie Ghansah, MD | Physician
  • Past 6 Months

    • The hidden dangers of the Nebraska Heartbeat Act

      Meghan Sheehan, MD | Policy
    • The real cause of America’s opioid crisis: Doctors are not to blame

      Richard A. Lawhern, PhD | Meds
    • The vital importance of climate change education in medical schools

      Helen Kim, MD | Policy
    • The fight for reproductive health: Why medication abortion matters

      Catherine Hennessey, MD | Physician
    • Nobody wants this job. Should physicians stick around?

      Katie Klingberg, MD | Physician
    • Resetting the doctor-patient relationship: Navigating the challenges of modern primary care

      Jeffrey H. Millstein, MD | Physician
  • Recent Posts

    • The endless waves of chronic illness

      Michele Luckenbaugh | Conditions
    • Skydiving and surgery: How one doctor translates high-stress training to saving lives

      Alexandra Kharazi, MD | Physician
    • Telemedicine in the opioid crisis: a game-changer threatened by DEA regulations

      Julie Craig, MD | Meds
    • How this doctor found her passion in ballroom dancing [PODCAST]

      The Podcast by KevinMD | Podcast
    • Surviving and thriving after life’s most difficult moments

      Rebecca Fogg, MBA | Conditions
    • Don’t be caught off guard: Read your malpractice policy today

      Aaron Morgenstein, MD & Laura Fortner, MD | Physician

MedPage Today Professional

An Everyday Health Property Medpage Today iMedicalApps
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...