Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Business reasons to get compliant with HIPAA

Rosemarie Nelson
Physician
September 16, 2010
Share
Tweet
Share

In addition to providing those incentive dollars for meaningful use of a certified EHR, the Health Information Technology for Economic and Clinical Health Act (HITECH) significantly strengthened aspects of the HIPAA security rule, including the penalties imposed under HHS and the Office of Civil Rights.

If you are a “Covered Entity” (CE) or “Business Associate” (BA) it’s time to get serious, the deadline to be fully compliant with these final HIPAA rules has now passed.

Remember, HIPAA comprises three sets of standards — transactions and code sets, privacy, and security. The goal was to:

  • Simplify the administration of health insurance claims and lower costs
  • Give individuals more control over and access to their medical information
  • Protect individually identifiable medical information from threats of loss or disclosure

But this is not news! The HIPAA Security Final Rule was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003.

Most covered entities had two full years — until April 21, 2005 — to comply with these standards.

The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.

In general, the HIPAA Security Rule protects electronic patient health information (EPHI) whether it is stored in a computer or printed from a computer.

The Security Rule is comprehensive including 18 regulation standards defining what safeguards to implement and 35 specifications that describe how those standards must be implemented. The documentation requirements for the Security Rule are daunting to say the least.

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!

To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.

The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

What is new? Enter the HITECH Act, called a “game-changer” and “ground-breaking”.

Without a doubt, HITECH requires the largest and most consequential change to the federal privacy and security rules ever.

ADVERTISEMENT

In 15 areas, HITECH brings new federal privacy and security provisions that will have major financial, operational and legal consequences for all medical practices, hospitals, health plans, and their “business associates.”

HHS Secretary Kathleen Sebelius made clear the importance of privacy and security in announcing the “Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH” recently: “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.

Your analysis should include administrative, physical, and technical safeguards as well as organizational requirements and policy and procedure documentation requirements.

Examples of items in your risk assessment are in the following table:

Implementation Specification Assessment Item
Policy and Procedure Recommendation
Technical safeguard Is your Protected Health Information (PHI) data encrypted? Discuss options with your vendor for how best to encrypt patient data. Implement policies to periodically confirm that your encryption processes are up to date.
Physical safeguard Workstation security Develop policies for limiting workstation access during off-hours by unauthorized employees.
Administrative safeguard Termination procedure Document what the practice does to prevent unauthorized access to PHI by former employees.
Technical safeguard Backup and recovery Document your data backup plan, disaster recovery plan, and emergency mode of operations plan.

In addition to plowing through the Final Rule, there are other resources available to help you assess and document your risk analysis, including a whole industry built around HIPAA and HITECH compliance. Here are three websites that offer — for a price — toolkits and training: www.hipaasecurityassessment.com, www.training-hipaa.net, and www.hitechanswers.net.

Aside from the importance of keeping your dealings with your patients confidential, there’s a solid business reason for getting compliant: New penalties for violating HIPAA and HITECH Act security regulations are enormous — up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, and untold damage to your reputation and mine.

Rosemarie Nelson is a principal with the MGMA Health Care Consulting Group.

Originally published in MedPage Today. Visit MedPageToday.com for more practice management news.

Prev

Can scientific knowledge overcome uncontrollable food behavior?

September 16, 2010 Kevin 7
…
Next

Goals when starting medicine and how some have been disillusioned

September 16, 2010 Kevin 7
…

Tagged as: Patients, Primary Care

Post navigation

< Previous Post
Can scientific knowledge overcome uncontrollable food behavior?
Next Post >
Goals when starting medicine and how some have been disillusioned

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

More by Rosemarie Nelson

  • a desk with keyboard and ipad with the kevinmd logo

    Increase patient and provider satisfaction by reducing phone messages

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    How to improve patient engagement

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    What’s your plan for the transition to ICD-10?

    Rosemarie Nelson

More in Physician

  • The man in seat 11A survived, but why don’t our patients?

    Dr. Vivek Podder
  • When did we start treating our lives like trauma?

    Maureen Gibbons, MD
  • Medicalizing burnout misses the real problem

    Jessie Mahoney, MD
  • Why some doctors age gracefully—and others grow bitter

    Patrick Hudson, MD
  • The hidden incentives driving frivolous malpractice lawsuits

    Howard Smith, MD
  • Mastering medical presentations: Elevating your impact

    Harvey Castro, MD, MBA
  • Most Popular

  • Past Week

    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Key strategies for smooth EHR transitions in health care

      Sandra Johnson | Tech
    • Reassessing the impact of CDC’s opioid guidelines on chronic pain care [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • “Think twice, heal once”: Why medical decision-making needs a second opinion from your slower brain (and AI)

      Harvey Castro, MD, MBA | Tech
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
    • Bureaucracy over care: How the U.S. health care system lost its way

      Kayvan Haddadan, MD | Physician
  • Recent Posts

    • The man in seat 11A survived, but why don’t our patients?

      Dr. Vivek Podder | Physician
    • Why gambling addiction is America’s next health crisis

      Safina Adatia, MD | Conditions
    • When did we start treating our lives like trauma?

      Maureen Gibbons, MD | Physician
    • How robotics are reshaping the future of vascular procedures

      David Fischel | Conditions
    • Medicalizing burnout misses the real problem

      Jessie Mahoney, MD | Physician
    • How the shingles vaccine could help prevent dementia

      Marc Arginteanu, MD | Conditions

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Key strategies for smooth EHR transitions in health care

      Sandra Johnson | Tech
    • Reassessing the impact of CDC’s opioid guidelines on chronic pain care [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • “Think twice, heal once”: Why medical decision-making needs a second opinion from your slower brain (and AI)

      Harvey Castro, MD, MBA | Tech
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
    • Bureaucracy over care: How the U.S. health care system lost its way

      Kayvan Haddadan, MD | Physician
  • Recent Posts

    • The man in seat 11A survived, but why don’t our patients?

      Dr. Vivek Podder | Physician
    • Why gambling addiction is America’s next health crisis

      Safina Adatia, MD | Conditions
    • When did we start treating our lives like trauma?

      Maureen Gibbons, MD | Physician
    • How robotics are reshaping the future of vascular procedures

      David Fischel | Conditions
    • Medicalizing burnout misses the real problem

      Jessie Mahoney, MD | Physician
    • How the shingles vaccine could help prevent dementia

      Marc Arginteanu, MD | Conditions

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...