As part of its Administrative Simplification section, HIPAA includes many requirements for managing and protecting “individually identifiable protected health information”. This covers any physical or mental health information, as well as demographic, provisional, financial, or conditional information that can reasonably identify, or be identified with, a specific individual (as defined in section 1171(6) of the Social Security Act).
The HIPAA regulations, including the preamble, together with the Privacy and the Administrative Simplification Act, run a staggering 1500 pages. “Administrative Simplification” at its finest!
Maintaining the privacy of medical records is now a legal requirement. All health care providers, and any individuals who come into contact with protected health information, must comply or be subject to legal prosecution and/or civil litigation from patients or individuals affected by the unauthorized release or distribution of their protected health information.
However, ensuring that patient information is kept private and secure presents a technological challenge for all individual healthcare specialists, small professional groups, and medium size and larger organizations.
The need for privacy and information security is an essential requirement of HIPAA. Solid data security and protection against improper access and use of private information is a strict requirement.
Why does health information need secure access? Doctors, nurses, laboratories, chiropractors, optometrists, masseuses, hospital personnel, insurance agents, answering services and every other person in the healthcare industry can provide more efficient care to patients by accessing health information and ensuring that it is correct.
Pharmacists can easily avoid prescribing conflicting medications; doctors can perhaps make faster diagnoses or prescribe minor treatment from a remote location. But medical records often contain information that individuals would like to keep secret from others.
A woman may not want her employer to know that she’s undergoing fertility treatments. A patient may not want anyone to know how many HIV tests he or she has had. Sometimes this information can simply be embarrassing; sometimes it can affect job status; sometimes it’s simply patient preference.
This much is for sure… HIPAA makes this very clear:
Individuals and organizations that maintain or transmit health information must “establish and maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity, confidentiality and availability of the information.” Health care individuals, organizations and any other entities that have access to another person’s health information or records must provide secure access.
HIPAA does not mention specific technologies that must be used. As a result, compliance methodologies will vary from provider to provider, and from discipline to discipline.
The HIPAA regulations and guidelines generally follow the lead of the Privacy Act of 1974, stating that individuals must maintain confidence that their information is kept secure. As HIPAA clearly states, all health care providers are responsible for establishing and maintaining secure access to patient information!
Strict penalties can be levied on providers who fail to comply, ranging from $100-per-incident fines for minor offenses to ten years in jail and a $250,000 fine for major offenses.