HIPAA in a “nutshell”
There are two HIPAA regulatory requirements: the Privacy Rule (2003) and the Security Rule (2005). Both rules require
-Identifying potential threats,
-Assessing specific vulnerabilities,
-Determining appropriate and reasonable security measures, and
-Implementing the necessary protection methods and policies.
With an EMR (Electronic Medical Record) there is no absolutely right or wrong choice of computer equipment or software for HIPAA compliance. Usually there are four areas to investigate:
-Physical Security – can computers holding patient data be stolen?
-User Security – can anyone log on and view patient data?
-System Security – what happens on a hard drive crash?
-Network Security – can unauthorized outsiders access patient data?
Using paper medical records raises similar questions:
-Physical Security – how secure are the files from fire and theft?
-User Security – what access controls and logging are in place?
-System Security – what happens in a fire or flood?
-Storage Access – are the files kept in a locked, secure area?
There are HIPAA penalties
A civil monetary penalty of up to $100 per patient record involved in the violation, and up to $25,000 per year in total for the same type of violation. There is a 30-day window to correct the problem if it did not result from willful neglect.
Criminal penalties apply to “abuse”: obtaining health information under false pretenses, or obtaining or using it for the purpose of selling or transferring it, or for commercial advantage, personal gain or malicious harm. The penalties are up to $250,000 and five years in prison.
At present there is no really effective enforcement body.
HIPAA Compliance “thumb rules”
With EMR most requirements are common sense, and providers need not worry too much, but some basic steps are needed, such as:
-Put computer servers in a secure, locked room,
-Use an EMR with user management and authorization,
-Make regular backups and store them in a safe place, and
-Employ a computer expert.
Most medical practices with paper records still need to bring them into HIPAA compliance. If you continue to use paper, there are a myriad of physical complexities to consider:
-How to monitor staff access,
-Fire and flood protection (insurance is not enough),
-A disaster plan (which has been written down and practiced).
Finally, if a legal case is brought, the practice must be able to show, in order to protect itself, how an individual patient's information was accessed. For paper records this means at a minimum a sign-out sheet; for an EMR it means user logging of patient record access.