The federal government is setting deadlines for physician practices to make the switch to electronic health records (EHRs) and recently announced plans to begin financially penalizing those practices that do not make the switch to EHRs. Although the final government rules regarding EHRs may be modified, the government has made it clear that financial penalties for not using EHRs will still be used. Because of these trends, it is more and more important for health care providers, and other health-related entities, to ensure that they have taken proper steps to protect the privacy of health information that is available through cyberspace.
In order to avoid legal liability for the disclosure of protected health information, it is important to understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The HIPAA Security Rule covers individuals’ electronic personal health information (ePHI) that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Under the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, the scope of the HIPAA Security Rule expanded to include Business Associates as being responsible for the security and integrity of ePHI.
By law, HIPAA applies only to “covered entities,” which include:
However, most health care providers and health plans do not carry out all patient-related functions themselves. Often billing, coding, records transcription services, etc. are completed by third-party entities, referred to as “business associates” under HIPAA. Because of the expansion under the HITECH Act of 2009, business associates must also adhere to the HIPAA Security Rule. The inclusion of business associates under the HIPAA Security Rule broadly expands the scope of compliance and may catch many businesses that are not traditional “health care” businesses by surprise.
While the HIPAA Privacy Rule protects the privacy of individually identifiable health information generally, the Security Rule applies only to individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form. This information is referred to as ePHI. However, given the breadth of use of electronic media in the health care sector, the scope of the Security Rule is immense and will only continue to grow.
Covered entities and business associates must maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. These requirements include:
As part of these requirements, ePHI must not be available or disclosed to unauthorized persons. In addition, ePHI must not be altered or destroyed in an unauthorized manner. Furthermore, ePHI must be accessible and usable on demand by authorized personnel. The HIPAA Security Rule applies to all covered entities, whether a one-person office or a multi-state hospital system.
For more information on whether your business’s EHRs are in compliance with HIPAA, contact the Goosmann Law Firm at info@goosmannlaw.com or (712) 226-4000.