Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Business reasons to get compliant with HIPAA

Rosemarie Nelson
Physician
September 16, 2010
Share
Tweet
Share

In addition to providing those incentive dollars for meaningful use of a certified EHR, the Health Information Technology for Economic and Clinical Health Act (HITECH) significantly strengthened aspects of the HIPAA security rule, including the penalties imposed under HHS and the Office of Civil Rights.

If you are a “Covered Entity” (CE) or “Business Associate” (BA) it’s time to get serious, the deadline to be fully compliant with these final HIPAA rules has now passed.

Remember, HIPAA comprises three sets of standards — transactions and code sets, privacy, and security. The goal was to:

  • Simplify the administration of health insurance claims and lower costs
  • Give individuals more control over and access to their medical information
  • Protect individually identifiable medical information from threats of loss or disclosure

But this is not news! The HIPAA Security Final Rule was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003.

Most covered entities had two full years — until April 21, 2005 — to comply with these standards.

The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.

In general, the HIPAA Security Rule protects electronic patient health information (EPHI) whether it is stored in a computer or printed from a computer.

The Security Rule is comprehensive including 18 regulation standards defining what safeguards to implement and 35 specifications that describe how those standards must be implemented. The documentation requirements for the Security Rule are daunting to say the least.

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!

To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.

The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

What is new? Enter the HITECH Act, called a “game-changer” and “ground-breaking”.

Without a doubt, HITECH requires the largest and most consequential change to the federal privacy and security rules ever.

ADVERTISEMENT

In 15 areas, HITECH brings new federal privacy and security provisions that will have major financial, operational and legal consequences for all medical practices, hospitals, health plans, and their “business associates.”

HHS Secretary Kathleen Sebelius made clear the importance of privacy and security in announcing the “Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH” recently: “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.

Your analysis should include administrative, physical, and technical safeguards as well as organizational requirements and policy and procedure documentation requirements.

Examples of items in your risk assessment are in the following table:

Implementation Specification Assessment Item
Policy and Procedure Recommendation
Technical safeguard Is your Protected Health Information (PHI) data encrypted? Discuss options with your vendor for how best to encrypt patient data. Implement policies to periodically confirm that your encryption processes are up to date.
Physical safeguard Workstation security Develop policies for limiting workstation access during off-hours by unauthorized employees.
Administrative safeguard Termination procedure Document what the practice does to prevent unauthorized access to PHI by former employees.
Technical safeguard Backup and recovery Document your data backup plan, disaster recovery plan, and emergency mode of operations plan.

In addition to plowing through the Final Rule, there are other resources available to help you assess and document your risk analysis, including a whole industry built around HIPAA and HITECH compliance. Here are three websites that offer — for a price — toolkits and training: www.hipaasecurityassessment.com, www.training-hipaa.net, and www.hitechanswers.net.

Aside from the importance of keeping your dealings with your patients confidential, there’s a solid business reason for getting compliant: New penalties for violating HIPAA and HITECH Act security regulations are enormous — up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, and untold damage to your reputation and mine.

Rosemarie Nelson is a principal with the MGMA Health Care Consulting Group.

Originally published in MedPage Today. Visit MedPageToday.com for more practice management news.

Prev

Can scientific knowledge overcome uncontrollable food behavior?

September 16, 2010 Kevin 7
…
Next

Goals when starting medicine and how some have been disillusioned

September 16, 2010 Kevin 7
…

Tagged as: Patients, Primary Care

Post navigation

< Previous Post
Can scientific knowledge overcome uncontrollable food behavior?
Next Post >
Goals when starting medicine and how some have been disillusioned

ADVERTISEMENT

More by Rosemarie Nelson

  • a desk with keyboard and ipad with the kevinmd logo

    Increase patient and provider satisfaction by reducing phone messages

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    How to improve patient engagement

    Rosemarie Nelson
  • a desk with keyboard and ipad with the kevinmd logo

    What’s your plan for the transition to ICD-10?

    Rosemarie Nelson

More in Physician

  • Why Canada is losing its skilled immigrant doctors

    Olumuyiwa Bamgbade, MD
  • Why doctors are reclaiming control from burnout culture

    Maureen Gibbons, MD
  • Why screening for diseases you might have can backfire

    Andy Lazris, MD and Alan Roth, DO
  • Why “do no harm” might be harming modern medicine

    Sabooh S. Mubbashar, MD
  • International doctors blocked by visa delays as U.S. faces physician shortage

    Arthur Lazarus, MD, MBA
  • How I redesigned my life as a physician without abandoning medicine

    Ben Reinking, MD
  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How community paramedicine impacts Indigenous elders

      Noah Weinberg | Conditions
    • Why Canada is losing its skilled immigrant doctors

      Olumuyiwa Bamgbade, MD | Physician
    • How to speak the language of leadership to improve doctor wellness [PODCAST]

      The Podcast by KevinMD | Podcast
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • How medical culture hides burnout in plain sight

      Marco Benítez | Conditions
  • Recent Posts

    • Why Canada is losing its skilled immigrant doctors

      Olumuyiwa Bamgbade, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Would The Pitts’ Dr. Robby Robinavitch welcome a new colleague? Yes. Especially if their initials were AI.

      Gabe Jones, MBA | Tech
    • Why medicine must stop worshipping burnout and start valuing humanity

      Sarah White, APRN | Conditions
    • Why screening for diseases you might have can backfire

      Andy Lazris, MD and Alan Roth, DO | Physician
    • How organizational culture drives top talent away [PODCAST]

      The Podcast by KevinMD | Podcast

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • How community paramedicine impacts Indigenous elders

      Noah Weinberg | Conditions
    • Why Canada is losing its skilled immigrant doctors

      Olumuyiwa Bamgbade, MD | Physician
    • How to speak the language of leadership to improve doctor wellness [PODCAST]

      The Podcast by KevinMD | Podcast
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • How medical culture hides burnout in plain sight

      Marco Benítez | Conditions
  • Recent Posts

    • Why Canada is losing its skilled immigrant doctors

      Olumuyiwa Bamgbade, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • Would The Pitts’ Dr. Robby Robinavitch welcome a new colleague? Yes. Especially if their initials were AI.

      Gabe Jones, MBA | Tech
    • Why medicine must stop worshipping burnout and start valuing humanity

      Sarah White, APRN | Conditions
    • Why screening for diseases you might have can backfire

      Andy Lazris, MD and Alan Roth, DO | Physician
    • How organizational culture drives top talent away [PODCAST]

      The Podcast by KevinMD | Podcast

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...