One of these challenges involves HIPAA compliance, as the healthcare industry rapidly migrates from a paper-focused system to an electronic health record system. The HIPAA Privacy Rule, which governs paper health records, has been around since the late 90s. The HIPAA Security Rule, which governs collection and storage of electronic patient records, has been around for about a decade. In spite of this, HIPAA breaches, litigation, and lawsuits have not declined.
The most common cause of HIPAA breaches continues to be the loss or theft of portable media such as laptops, pocket electronic devices, and smartphones. Most of these breaches occur out of the office and out of the hospital. Many have occurred at large, well-equipped, sophisticated healthcare organizations. The Sacramento, California-based Sutter Health System, for example, faces two class-action lawsuits as a result of a stolen computer, potentially exposing information on a large number of patients. On a smaller scale, many physicians carry mobile devices containing patient information in their pockets on a regular basis. These devices can be easily lost or stolen, thus exposing patient information and violating HIPAA Security Rules.
The obvious question is how physicians, hospitals, and healthcare organizations can avoid HIPAA Security violations and lawsuits in this rapidly emerging world of electronic and portable health records. Most experts believe that the steps to follow are surprisingly straightforward and that most lawsuits and violation complaints can be avoided by implementing a few simple procedures. Such procedures represent IT best practices anyway, along with common-sense employee policies. These steps include:
1. Having a knowledge of the HIPAA Security Rules and doing a complete assessment of your organization’s hardware, software, communication, and data storage systems to evaluate them for HIPAA Security compliance.
2. Having certain physician and employee policies in place such that no patient data can be downloaded to laptops or other portable devices. This is a function of policy and training as well as of the IT system, which should be set up in a way that does not permit downloading of patient information. Most significant HIPAA Security violations happen off premises, are related to portable devices, and have nothing to do with the compliance of the IT system. Patient data should be viewed on portable devices behind a secure firewall and not downloaded.
Physicians will be forced to confront several other major legal and lawsuit challenges as the New Year begins and implementation of the Affordable Care Act continues. Some of these will be addressed in future blogs.