HIPAA in a "nutshell"

There are two HIPAA rules: privacy (2003) and security (2005). Both rules require:
- Identifying possible threats,
- Assessing specific vulnerabilities,
- Determining appropriate and reasonable safeguards, and
- Implementing the necessary defense mechanisms and policies.

Using an EMR (electronic medical record) involves no absolute rights and wrongs in either computer equipment or software for HIPAA compliance. Usually there are four areas to examine:
- Physical Security - can your computers with patient data be stolen?
- User Security - can anybody log on to the patient database?
- System Security - what happens on a hard drive crash?
- Network Security - can unauthorized persons outside your facility access patient data?

Using paper medical records begs similar questions:
- Physical Security - how secure are the files from fire and theft?
- User Security - what access controls and logging are there?
- System Security - what happens in a fire or flood?
- Storage Access - are the files in a locked, secure area?

There are HIPAA penalties

The civil monetary penalty is up to $100 per person record per violation and up to $25,000 per year total for the same type of violation. There are 30 days to correct the problem if it is not through willful neglect.

The criminal penalties are for "misuse" and for obtaining or using health information by "false pretenses" or with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. These penalties are up to $250,000 and five years in jail. Currently there is no real effective enforcement body.

HIPAA compliance "thumb rules"

With an EMR most of the requirements are common sense and providers do not need to be overly concerned, but some basic steps are required, such as:
- Put your computer server in a secure, locked room,
- Use an EMR with user management and permissions,
- Make regular back-ups and store them in a secure place, and
- Employ a computer specialist.

Most medical practices and clinics using paper records need to make physical changes to be HIPAA compliant. If you continue to use paper then there are a myriad of physical complexities to consider:
- How to monitor staff access,
- Fire and flood protection (insurance is not enough),
- A disaster plan (that has been documented and practiced).

Finally, if a legal case is brought forward, a provider should, to protect themselves, have a trail of how the patient's individual information was accessed. For paper records this means at a minimum a monitored sign-out sheet; for an EMR it means user logging of patient file access.
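The two EMR steps above that are most often done badly, "user management and permissions" and "user logging of patient file access", can be modelled together in a few lines. The following is an added example written for this page, not code from the article or from any EMR product; the roles, permission table, user names and patient identifiers are constructed assumptions. The point it shows is that the audit trail must record denied attempts as well as successful ones, otherwise the trail cannot answer "who tried to open this file" when a case is brought.

```python
"""Added example: role-based access checks plus an append-only access
trail for patient files.  All roles, users and patient ids below are
constructed for illustration and are not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed role-to-permission table (assumption; a real EMR defines its own).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One attempt to touch a patient file, allowed or not."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool


class EmrAuditLog:
    """Append-only record of every access attempt.

    Denied attempts are logged too: the trail has to show who tried to
    reach a record, not only who succeeded."""

    def __init__(self) -> None:
        self._events: List[AccessEvent] = []

    def request_access(self, user: str, role: str, patient_id: str,
                       action: str, now: Optional[datetime] = None) -> bool:
        # Unknown roles get an empty permission set, so they are denied.
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self._events.append(
            AccessEvent(stamp, user, role, patient_id, action, allowed))
        return allowed

    def trail_for_patient(self, patient_id: str) -> List[AccessEvent]:
        """Everything that happened to one patient's file, in order."""
        return [e for e in self._events if e.patient_id == patient_id]

    def denied_attempts(self) -> List[AccessEvent]:
        """Attempts the permission check refused; the first thing to review."""
        return [e for e in self._events if not e.allowed]

    def export_trail(self, patient_id: str) -> List[str]:
        """Human-readable lines, one per event, for handing to counsel."""
        return [
            f"{e.timestamp} {e.user} ({e.role}) {e.action} "
            f"{e.patient_id} {'ALLOWED' if e.allowed else 'DENIED'}"
            for e in self.trail_for_patient(patient_id)
        ]


if __name__ == "__main__":
    log = EmrAuditLog()
    fixed = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    log.request_access("dr_smith", "physician", "P-001", "write", fixed)
    log.request_access("nurse_jones", "nurse", "P-001", "write", fixed)
    log.request_access("temp_user", "intern", "P-001", "read", fixed)
    for line in log.export_trail("P-001"):
        print(line)
```

Because `request_access` appends before it returns, there is no code path that reads a file without leaving an event behind; a real deployment would additionally write the log somewhere the EMR users cannot edit, since the value of the trail depends on it not being alterable by the people it records.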