HIPAA in a “nutshell”
There are two HIPAA rules with requirements for providers: the Privacy Rule (compliance date 2003) and the Security Rule (compliance date 2005). Both rules require:
-Identifying possible threats,
-Assessing specific vulnerabilities,
-Determining appropriate and reasonable safeguards and
-Implementing the necessary defense mechanisms and policies.
For an EMR (electronic medical record) there is no single right or wrong choice of computer equipment or software for HIPAA compliance. Usually there are four areas to examine:
-Physical Security – can your computers with patient data be stolen?
-User Security – can anybody log on to the patient database?
-System Security – what happens on a hard drive crash?
-Network Security – can unauthorized persons outside your facility access patient data?
Using paper medical records raises similar questions:
-Physical Security – how secure are the files from fire and theft?
-User Security – what access controls and logging are there?
-System Security – what happens in a fire or flood?
-Storage Access – are the files in a locked, secure area?
There are HIPAA penalties
The civil monetary penalty is up to $100 per violation and up to $25,000 per calendar year for all violations of the same requirement. There are 30 days to correct the problem if the violation was not due to willful neglect.
The criminal penalties are for knowing misuse of health information, rising in tiers for obtaining or disclosing it under “false pretenses” and again for doing so with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. At the top tier these penalties are up to $250,000 and ten years in prison.
At the time of writing there is no body that enforces these rules effectively in practice.
HIPAA compliance “thumb rules”
With an EMR most of the requirements are common sense and providers do not need to be overly concerned, but some basic steps are required, such as:
-Put your computer server in a secure room, locked,
-Use an EMR with user management and permissions,
-Make regular backups and store them in a secure place and
-Employ a computer specialist to maintain the system.
Most medical practices and clinics using paper records need to make physical changes to be HIPAA compliant. If you continue to use paper there is a myriad of physical complexities to consider:
-How to monitor staff access,
-Fire and flood protection (insurance is not enough) and
-A disaster plan (documented and practiced).
Finally, if a legal case is brought forward, a provider should have a trail showing how each patient’s individual information was accessed in order to protect themselves. For paper records this means at a minimum a monitored sign-out sheet; for an EMR it means user logging of every patient file access, including attempts that were refused.
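The two EMR thumb rules that are actually software behaviour, per-user permissions and logging of patient file access, can be shown in a few lines. The following is an added example written for this page; it is not code from any EMR product, and the usernames, roles, patient identifiers and the role-to-permission table are constructed assumptions. It records every access attempt, allowed or denied, in an append-only log and can produce the per-patient trail that the paragraph above says a provider needs.

```python
"""Added example (not from the original page): a minimal EMR access layer
with per-user permissions and an append-only access log, so that the trail
of who touched a patient's record, and who was refused, can be produced later.
All users, roles and patient data below are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed role-to-permission table; a real EMR's roles will differ.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),  # billing staff get no clinical-record access here
}


@dataclass(frozen=True)
class AccessEvent:
    """One line of the access trail. Denied attempts are logged too."""
    timestamp: str
    user: str
    patient_id: str
    action: str
    allowed: bool


class AuditedRecordStore:
    def __init__(self, users: Dict[str, str]):
        self._users = users              # username -> role (constructed)
        self._records: Dict[str, str] = {}
        self._log: List[AccessEvent] = []  # append-only; never handed out for mutation

    def _permitted(self, user: str, action: str) -> bool:
        # Unknown users and roles fall through to "denied", never to "allowed".
        role = self._users.get(user)
        return role is not None and action in ROLE_PERMISSIONS.get(role, set())

    def _audit(self, user: str, patient_id: str, action: str, allowed: bool) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._log.append(AccessEvent(stamp, user, patient_id, action, allowed))

    def read(self, user: str, patient_id: str) -> Optional[str]:
        allowed = self._permitted(user, "read")
        self._audit(user, patient_id, "read", allowed)   # log before acting, so a refusal is recorded
        if not allowed:
            raise PermissionError(f"{user!r} may not read patient {patient_id}")
        return self._records.get(patient_id)

    def write(self, user: str, patient_id: str, note: str) -> None:
        allowed = self._permitted(user, "write")
        self._audit(user, patient_id, "write", allowed)
        if not allowed:
            raise PermissionError(f"{user!r} may not write patient {patient_id}")
        self._records[patient_id] = note

    def access_trail(self, patient_id: str) -> List[AccessEvent]:
        """The evidence a provider would hand over: every attempt on one patient's file."""
        return [e for e in self._log if e.patient_id == patient_id]


def demo_trail() -> List[AccessEvent]:
    """Constructed scenario: one physician writes, one nurse reads, one billing
    clerk is refused. Returns the resulting trail for patient P-1001."""
    store = AuditedRecordStore({"dr_lee": "physician", "rn_ortiz": "nurse", "acct_kim": "billing"})
    store.write("dr_lee", "P-1001", "Follow-up in 6 weeks.")
    store.read("rn_ortiz", "P-1001")
    try:
        store.read("acct_kim", "P-1001")
    except PermissionError:
        pass  # refused, but the attempt is now in the log
    return store.access_trail("P-1001")


if __name__ == "__main__":
    for event in demo_trail():
        print(event.timestamp, event.user, event.action, "ALLOWED" if event.allowed else "DENIED")
```

The design point is the order of operations: the attempt is logged before the permission decision is enforced, so a refused access leaves the same kind of evidence as a successful one. A log that only records successes cannot show that a curious staff member tried and was stopped.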