Start now to make sure your records are secure
Whatever final rules are issued, the Health Insurance Portability and Accountability Act (HIPAA) will mean that your office will have to beef up security of your patients’ medical records.
The data you will need to transmit are not clinical; they involve eligibility benefits and claims. You don’t need to communicate lab results, medical history, or physicals. But the law specifies that every bit of identifiable information about a patient be subject to strict security regulations.
"The standards are very thorough and wide of scope where security is involved," says Jim Klein, director of HIPAA compliance services for EDS in Plano, TX.
In addition to technological security, such as sign-ons and passwords, your practice will have to ensure that all your records are secure. You also must put controls in place to assure that only the people who need patient information will have access to it.
The privacy regulations will deal not just with electronic transmission, but also with access to data that stay within the institution. In other words, if somebody looks at a patient’s health records, you have to have a trail that shows who looked.
Physicians need to start to look at the security procedures in their practices and come up with a formal compliance plan, the experts say. Even though the precise requirements are not yet in force, you should take action now.
"Providers may have to wait for definite standards before putting purchase orders into place, but my suspicion is that the final regulations will give a fair degree of latitude," says John Knapp, a health care attorney with Cozens and O’Connor in Philadelphia.
For instance, a large academic medical center with hundreds of affiliated physicians and several hospitals will need a much more sophisticated security system than a small group of physicians, he adds.
Christopher Assif, CEO of Health Network Ventures in Chicago, predicts that the Department of Health and Human Services will require:
1. that you use a user name and password;
2. that data be encrypted when they are transmitted;
3. that you have security policies in place;
4. that your processes can be audited.
Start working on overall security in your office to ensure that file cabinets are locked, records rooms have monitors, and access to records is limited. Develop policies and procedures concerning what level of information your employees and staff need to have. For instance, do pharmacy staff need access to a patient’s medical records?
Ask your vendors what changes your system needs in order to put firewalls or passwords into your network that will allow different people access to different information.