HIPAA Compliance Is Much More than Software

Increasingly, the feet of hospitals and other healthcare organizations are being held to the fire when it comes to complying with both HIPAA and HITECH mandates.

HIPAA (Health Insurance Portability and Accountability Act) was a law originally passed in 1996 that mandates patient data of all kinds should always be protected and kept private – particularly electronic patient information (known as ePHI). HITECH (Health Information Technology for Economic and Clinical Health Act) was the law passed 13 years later that seeks to hasten the use of electronic health records in the United States (as opposed to having hard-copy records).

Over the last decade, getting healthcare entities to “get on board” with all the aspects of HIPAA has been difficult. Often, there’s not a clear understanding of what steps need to be taken for becoming HIPAA compliant or who is actually accountable if a violation occurs.

Hungate Business Services (HBS) currently works with several healthcare organizations – providing equipment, software and IT management services. But it’s important to understand that simply using our services and applying the software we recommend won’t make you HIPAA compliant. That process demands careful attention by the healthcare entity itself and a step-by-step approach. Even we, as your IT manager, must sign a “business associate” contract, promising to adhere to the same security policies and standards as you, the healthcare facility.

While many aspects of HIPAA compliance may seem tedious, it’s extremely important to do everything possible to protect patient information. The HIPAA Security Rule requires administrative, physical, and technical safeguards for protecting ePHI.

If you don’t, and a breach occurs, the consequences can be costly. A violation of HIPAA Rules constituting willful neglect, where no attempt was made to correct the situation, carries a penalty of $50,000 per violation. The dollar amount of the penalty is based on a number of “general factors” and the seriousness of each violation. Ignorance of HIPAA Rules is no excuse.

One of the most recent breach examples took place in 2012 and involved Feinstein Institute for Medical Research in Manhasset, New York. The incident occurred when a laptop computer containing the electronic protected health information (ePHI) of about 13,000 patients and research participants was stolen from an employee’s car. The files contained all types of information about the research participants, including birth dates, addresses, social security numbers, diagnoses and so on.

The incident was reported, and the U.S. Department of Health and Human Services’ Office for Civil Rights, recently announced (March 2016) that Feinstein would have to pay $3.9 million to settle potential HIPAA violations. Some of the security lapses cited included not having policies and procedures for authorizing access to ePHI by employees, not having safeguards restricting access by unauthorized users, and not having a way of regulating receipt and removal of laptops (containing ePHI) into and out of its facilities.

Clearly, not paying attention to specific IT security details has the potential to make or break a successful healthcare business. Our best advice is to err on the side of caution. We can assist you by offering our best IT expertise related to optimizing security and anti-virus software. We can even guide you to the best types of software for facilitating HIPAA compliance. But actually becoming compliant and meeting all the 169 requirements that would be contained in a HIPAA audit is really up to the individual healthcare facility.

To learn more about HBS’ IT management services, equipment and software, call 276-243-4026 or email our help desk at info@hbsx.com.

For a great overview of what the HIPAA requirements are and how to implement them, go to the “HIPAA Security Rule Toolkit” provided by the National Institute of Standards and Technology Information Technology Laboratory.