By M BRETT JAFFEE
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects the privacy and security of patient's health information in all formats. In addition to HIPAA, state and local laws will also protect this Patient Health Information (PHI). HIPAA has both privacy rule and security rule to cover patient PHI. Any entity that creates, collects, process and transmits patient's PHI is required to protect privacy and security of the information. Privacy rule applies to PHI in any form such as paper, electronic etc. Security rule applies to electronic PHI. (ePHI) Security corresponds to physical security to the area where the ePHI is stored, access to this information, protecting while storing and transmitting through proper encryption.
Covered entities, such as Health Plans, health care providers, business associates and health care clearing houses, are required to implement the HIPAA Privacy, Security and Breach Notification Rules in their health care practice.
The Office of the National Coordinator for Health and Human Services (HHS) Office for Civil Rights (OCR), created the "Guide to Privacy and Security of Electronic Health information" to help covered entities implement and protect PHI.
Covered entities have a responsibility to protect patient's right including provide Notice of Privacy Practice, respond to Patient's requests for access, amendment, accounting disclosure, restrictions on uses and disclosure and confidentiality of communication of their PHI. A patient's ePHI is likely to reside on different systems within a practice including laptops, desktops, tablets, cloud, etc. and health care providers are required to provide Cybersecurity to protect this information.
Bottom Line: This is not a choice. This is what HIPAA demands! So now, in an environment where data is hacked and seized multiple times a day across the country, Health Care offices need to comply and fast.
Step One - Risk Assessment. HIPAA actually requires covered entities and their partners to conduct risk assessment on their organizations. (spoiler alert: They don't) Risk Assessment reveals the weaknesses in the organization's vulnerabilities in the protection of PHI.
There are even free downloadable tools developed by the Office of National Coordinator and HHS for performing risk assessment. The SRA tool can be downloaded at:
https://www.healthit.gov/topic/privacy-security-and-hipaa/privacy-security-resources-tools
This tool can help healthcare providers conduct the required security risk assessment. It is an easy tool and all information entered is stored on providers local system with nothing being transmitted to outside entities. The results are even printed into a report.
The tool will check how your practice meets the HIPAA regulation. Addressing security policies, workforce, data, the practice, and associates.
This comprehensive free tool is the perfect start for every healthcare organization. The practice of burying our heads in the sand is no longer a viable solution. The risk to the practice is now too severe. Organizations can be brought to their knees by hackers and ransomware and suffer a far greater consequence if it comes to light after the organization didn't properly prepare, handle or notify regarding security breaches. Hospitals and any large organization are now paying ransoms because it's a cheaper more efficient solution than refusing to pay. That should put every healthcare office in the country on notice. They are next. If the hospital has decided it's less expensive to pay the ransom and be able to resume business as usual, then that philosophy will likely apply to the smaller health care offices as well.
However, I assure you, it is incredibly less costly to prepare. And preparing ensures your compliance with HIPAA.
Preparing reduces your organization's vulnerabilities. Preparing protects your patients. Preparing protects your employees. Preparing protects you and the tools you need to begin are free.
Yet all over America, health care providers are NOT preparing. They are not taking the simple first steps to protect their organizations and be HIPAA compliant... Steps they are actually required to make. The days of burying your head in the sand are over. This has now become a game of Russian roulette with 5 bullets in the chamber. The alarm is sounding, not only from the bad guys, but the good guys too.
Organizations MUST take all the steps necessary to protect their PHI and if they don't, they are NOT HIPAA compliant. AND, they are vulnerable.
Brett Jaffee is VP of Sales for NSG and has over 25 years of experience selling and marketing primarily to Fortune 1000 companies.?
After successful stints at HearFromMe.com and WelltalityHealth.com, where Brett was responsible for HIPAA and Data Compliance systems, Brett has brought his experience and protocols to NSG. Visit www.nsgi-hq.com ?