The medical information a patient shares with any healthcare provider should be private information. HIPAA is the formal way to assure patients a provider takes the commitment to protect their medical information seriously. Healthcare providers make three commitments to their patients to give that assurance.
- Commit to respect the privacy of all healthcare information and give patients a list of the ways the provider will use or disclose that information within the industry standard guidelines, and commit to get a patient’s specific, written authorization before doing anything outside those industry standard uses and disclosures. (The Privacy Rule.)
- Commit to follow industry standard guidelines for securing patient information in any place it is stored or accessed, whether by staff of the provider organization or by any other organizations or contractors the provider relies on to run the business (also known as Business Associates or BAs). (The Security Rule.)
- Commit to tell the patient (and the proper authorities), as soon as possible, if any unauthorized access to the private information occurs, because everyone understands there is no such thing as a completely secure and infallible system for paper or electronic information. (The Breach Rule.)
The 2013 updates to HIPAA clarify and update some of the specifics of what those industry standard guidelines should be, and they also require those who have access to private patient information to prove they really do take patient privacy as seriously as these three commitments state.
Some organizations made the commitments but never actually followed through on them, and a lot of patient information was released when it shouldn’t have been. How can a patient trust their healthcare providers’ commitments unless someone is checking for these things and punishing those who fail to keep them?
Doing business in any industry today requires businesses to take precautions to protect all of their business information. The medical industry happens to have access to a lot more information than most other industries, and it must have guidance on what should be done to protect all that data.
The best response I have ever heard to “Why HIPAA?” goes:
You can cancel a stolen credit card or close a bank account but you can’t disconnect yourself from your medical records if they get into the wrong hands.
This blog will cover the HIPAA requirements from the perspective of small providers and small businesses that support them as their business associates under HIPAA. Many of these entities have a lot of work to get done in a short amount of time.
I am right there with you, but from a unique perspective: over 25 years in small provider and business associate consulting and technology support, programming, customer service, training and more. Let’s roll up our sleeves and get to work on this compliance thing. Protecting patient medical information to the best of our abilities really is the right thing to do, and it is the most important thing to remember in the process.