HIPAA / HITECH are Enforcing More Fines that are Physician-Centric

Posted by Justin Schaper, SVP of Client Information Services

1/1/15 7:30 AM

During my IT update presentation at the 2014 PSR Leadership Conference, I showed the following image to illustrate several examples of physician-centric fines that have been levied for HIPAA / HITECH violations.



Take, for example, the cardiac surgery practice. In this case the practice's patient schedules had patient names listed on them, and the practice kept those schedules in an Internet-based calendar, like Google Calendar, that did not have the right security or password protection on it. As a result, anyone with web access who knew the calendar's address could simply open it and read the schedule.

NOTE: There are many good, free or inexpensive Internet tools for collaboration and file sharing, but very few of them meet the requirements set by the Department of Health and Human Services (HHS) for handling protected health information.

Paper records are still one of the most common sources of a breach, but with all the online tools available now you need to be just as careful with electronic records. I've had so many physicians ask about different solutions, for example: "Well, I'm using Dropbox for that." A consumer Dropbox account, as most physicians use it, does not encrypt your data in a way that meets HIPAA / HITECH standards, so it is not a secure place to keep patient information.

Just remember that many solutions out there are simply not acceptable for patient data unless they are specifically marketed and documented as HIPAA / HITECH compliant. Even then, there are some subtleties you have to know. In particular, there is an encryption standard called FIPS 140-2.

FIPS 140-2 is a federal standard for cryptographic modules, and encryption that meets it satisfies what's called the HITECH safe harbor: if you lose a device or suffer a data breach, but the data on it was encrypted to that level, the incident is not treated as a breach of unsecured protected health information. It's basically your "get out of jail free" card. A vendor can say it is HIPAA compliant, but if it is not using that level of encryption, it is not giving you that safe harbor protection. One caveat: the safe harbor only holds if the encryption key was not lost or stolen along with the data, so an encrypted laptop with the password written on a sticky note in the bag does not qualify.

