Patient privacy continues to be a chief topic of concern as technology evolves. Now that the majority of patient information has been transferred to digital format, organizations realize that they are exposed to certain risks. These hazards include disasters that may cause physical damage to the computers that store patient information, corruption by virus attacks, and even theft of data by unauthorized personnel. Prior to the institution of the Health Insurance Portability and Accountability Act ("HIPAA") by Congress in 1996, there were no universal standards in place to identify whether a healthcare provider was properly securing patient information. HIPAA was designed to promote the confidentiality and portability of patient records, as well as to develop standards for consistency in the health care industry. Under HIPAA, organizations adhere to standards for protecting their systems, and patients can feel confident that their personal medical information will remain private.
This act applies to any health care provider, health plan or clearinghouse (collectively "Covered Entities") that electronically maintains or transmits health information pertaining to patients. If you are a Covered Entity, you must establish appropriate measures that address the physical, technical and administrative components of patient data privacy. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data. Among other things, Covered Entities are required to have a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan.
Why should your organization be concerned with this compliance? In 2009, Congress passed the Health Information Technology for Economic and Clinical Health ("HITECH") Act, which implemented stricter penalties for HIPAA violations and expanded the set of organizations bound by HIPAA regulations to include business associates of medical offices. Business associates include software vendors providing EHR (Electronic Health Records), though there is room within the law to interpret other potential parties as responsible for upholding HIPAA standards. As an IT professional, ensuring that you already observe HIPAA rules will be beneficial if legal precedents establish you as a "business associate." By complying with HIPAA standards, you can maintain trust with your customers by preventing security breaches as well as financial loss.