Living With HIPAA Privacy Rule While Preparing for Security
It has been well over a year since the HIPAA Privacy Rule
became effective on April 14, 2003. During that time, healthcare
organizations have been working through the expected and unexpected
impacts of the changes required to fully comply with that
rule. Now as they deal with other HIPAA rules, these same
organizations need to prepare for the April 21, 2005, implementation
of the HIPAA Security Rule. It is wise to consider how Privacy
needs to be integrated with Security. There have been numerous
published articles and studies that speak to this topic and
this short document touches on several key aspects.
While implementation of the Privacy Rule has led to better
understanding by the public of health information privacy
concerns, and has no doubt enhanced the privacy of that information,
the growth of electronic health record technology is making
it much easier to disseminate health data more widely for
legitimate purposes. HIPAA permits disclosing such data for
payment, treatment and other uses. The expansion of technology
is also allowing clinicians to consult with their peers not
only in the United States but in other parts of the world.
As institutions move toward implementation of the HIPAA Security
Rule, their plans should include addressing such Security
and Privacy crossover concerns as:
- Data sent to foreign countries, even for legitimate purposes,
is not governed by HIPAA privacy rules in those countries.
This may require domestic providers to use more secure means
of data transmission and require assurances that data privacy
is protected.
- There is an increasing use of email between patients and
providers regarding their health data. Data security is
essential for this legitimate exchange of information to
remain private.
- The business structures of many healthcare institutions
are becoming more complex. Enterprises may include one or
more hospitals, owned physician practices, hospital-employed
physicians who are not based in the hospital, and other
situations. Ensuring both privacy and security of health
data can require a great deal of planning across the corporation.
- Over the past few years there has been an increasing trend
toward more use of contractors and contract services companies
in various areas of hospitals. This has begun to move beyond
the typical outsourced Environmental Services or Food Services
areas, and into healthcare itself and management of health
data. Aside from technical data security, an institution
must manage such contractual situations to ensure both privacy
and security of health data.
These are only some of the potential HIPAA-sensitive situations
an institution may encounter as our healthcare and technology
environment continues to evolve. They illustrate that three
of the most important keys to effective HIPAA compliance are
to analyze the risks to data privacy and security together,
ensure that correct contractual and procedural safeguards
are in place -- and remain alert to changes in how health
data are being used.
Jerry Bok,
Director
Phoenix Health Systems