The United States government puts strong security and privacy requirements on personal health data. These requirements come from the HIPAA act and its revisions in the HITECH act. Any covered entity that loses data due to non-compliance can face hefty fines, sometimes in the millions of dollars.
Most people think of HIPAA as applying to hospitals and doctors' offices, but they apply to a broad range of organizations that handle protected health information (PHI). An organization that falls into this category needs a risk assessment to discover any weaknesses in its procedures. Compliance takes some effort, but it's much cheaper than being hit with penalties.
The HIPAA categories
There are three categories of organizations that need to comply with the privacy and security rules:
Health care providers
Health care clearinghouses
Each of them includes entities that are not limited to direct providers of medical care.
Health plans include any business that pays medical care costs, with a few exceptions. Insurance companies that provide health insurance are the main category. Employer-run health plans are included, if they have fifty or more participants, though workmen's compensation is not considered a "health plan." All plan providers need to safeguard the privacy of the patients; they keep data on and maintain an acceptable level of security.
Health care providers constitute a broader category than the name might suggest. Anyone who sends electronic data in connection with claims, referrals, and eligibility inquiries may be considered a health care provider, even if they never examine or treat a patient. This includes medical offices that handle only the business aspects of health care. Services such as dental and eye care fall under this category.
Health care clearinghouses are a broad category that falls under HIPAA's security and privacy rules. It includes any organization that does data conversions on PHI. Examples which the government cites include "billing services, repricing companies, community health management information systems, and value-added networks and switches." They are not generally subject to the full set of privacy rules, but they need to know what is required and make sure they comply.
Businesses that are not directly covered by HIPAA still have to keep it in mind if they process PHI on behalf of covered entities. They are called business associates, and the covered entity has to make them accept a contract that ensures compliance. These contracts will typically reference the privacy and security rules. Anyone who regularly acts as a HIPAA business associate should have a full set of compliance procedures in place.
The benefits of risk assessment
Most HIPAA breaches are not the result of targeted online attacks, but carelessness and accidents. Typical scenarios include not disposing of printouts properly and losing laptops or phones that contain unencrypted PHI. Even the possibility that the information has fallen into unauthorized hands requires reporting and remediation.
The best way to find out how well prepared you are is to run a risk assessment. An assessment from Total Computer Solutions will identify areas that need improvement and let you reduce your risk of an expensive breach.
It is not the loss of data as such, but a pattern of neglect, that brings on the really big fines. The way to avoid even the appearance of negligence is to have a well-documented set of policies and procedures. They need to specify how information is protected and what steps will be taken if a breach may have occurred.
An impressive-looking plan could have gaps in it. The best way to find them is an independent assessment. If your organization falls under the HIPAA privacy and security rules, contact Total Computer Solutions to set up a risk assessment and make sure your procedures are up to par.