HIPAA SECURITY STANDARDS COMPLIANCE REQUIREMENTS

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandates significant changes in the legal and regulatory environments governing the provision of health benefits, the delivery and payment of healthcare services, and the security and confidentiality of individually identifiable protected health information (PHI). A sizable percentage of the initial HIPAA regulations pertain to maintaining the privacy of PHI. On February 20, 2003, the final HIPAA security regulations (68 Fed. Reg. 8334) were issued by the United States Department of Health and Human Services. These regulations are designed to ensure that a covered entity, referred to as CE, meets the necessary security requirements for PHI.

The security rule’s objective is to protect the confidentiality, integrity and availability of electronic PHI. Meeting the security rule’s requirements means protecting health care information stored on computers and the data transmitted on computer networks, both internal data networks and external networks such as the internet. PHI must be protected from compromise due to abuse by a disgruntled employee, mishandling by unauthorized or untrained personnel, unauthorized access by a hacker, intruder or anyone without the “need to know”, or any system outages.

There are four sections to the HIPAA Security Rule:

  1. Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.
  4. Ensure compliance with these requirements by the workforce.

Each of these requirements must be further defined so that a practical approach to compliance can be put in place.

  1. We emphasize security policy definition compliance with all patient charts and information. We transmit billing electronically through the Medical Manager Health system which is HIPAA compliant. We keep charts and information away from patient access. All computer screens are not easily accessible for patients to read. Employees have been counseled and trained not to disclose patient information in any public area within listening range of non-medical personnel.
  2. Risk assessment and risk management are the centerpiece of requirements for job performance to assess and identify any security vulnerabilities that could compromise patient health.
  3. We do not sell our patient lists. We disclose this fact in multiple documents given to our patients. We do not release any patient information without the express written consent of our patient or legal guardians.
  4. Our entire staff goes through annual HIPAA training as well as refresher courses throughout the year.