The Health Insurance Portability and Accountability Act (HIPAA) is something we all know a bit about, but have you evaluated your healthcare organization to make sure you are reaching each of the guidelines? Consequences of violating HIPAA can include monetary and legal, $100-$50,000 or more plus 1 year in prison per violation. Sometimes it can become a criminal violation with up to 1-10 years in prison and $250,000 fine per violation.
The US Department of Health and Human Services (HHS) published the HIPAA Security Rule, which established a national set of security standards for electronic Protect Health Information (PHI, e-PHI), along with the HIPAA Privacy Rule. It’s a great idea to refresh your memory and keep this rule top of mind.
HIPAA Security Rule
There is a very important section in the Security Rule, titled “Risk Analysis and Management.” HHS.gov has defined this as:
A risk analysis process includes, but is not limited to, the following activities:
– Evaluate the likelihood and impact of potential risks to e-PHI,
– Implement appropriate security measures to address the risks identified in the risk analysis,
– Document the chosen security measures and, where required, the rationale for adopting those measures, and
– Maintain continuous, reasonable, and appropriate security protections.
Risk analysis should be an ongoing process.
The rule also breaks this into three sections:
– Administrative Safeguards
– Physical Safeguards
– Technical Safeguards
Where a lot of companies may be in violation falls within the Administrative Safeguards.
Information Access Management
HHS.gov defines this as, “Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).” This means, your printers and copiers are within work-stations or behind locked doors, away from where just anyone off the street can walk up and grab documents. However, the Information Access Management section goes way beyond keeping information safe from the public. Here’s a quick example.
Let’s say we all work in a hospital together. A general employee, let’s say – in marketing – can walk the grounds freely. People know that person and they have friends at the nurse’s station. While this person waits for a friend to show up, a fax comes in and the general employee takes a peek. Although this person is an employee, they do NOT have authorization and the hospital did not follow the Security Rule. An employee is not authorized to see information that does not pertain to their specific role. This is a violation.
The full description of Data Safeguard in The HHS Summary of the HIPAA Privacy Rule is: “A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
While its never anyone’s intention to openly violate these rules, as you can see, it is very easy to do and sometimes not obvious. Data privacy and safeguarding are important topics and ones your healthcare organization should discuss with your leadership team and compliance department to make sure all staff is up to date with the rules to mitigate potential violations.