HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a comprehensive federal law enacted to:
Protect the privacy of a patient’s personal and health information
Provide for electronic and physical security of personal and health information
Standardize coding to simplify billing and other transactions
“Privacy” and “Security” do not even appear in the name of HIPAA, yet the Privacy Rule and the Security Rule present the biggest compliance challenge under the law.
The Privacy Rule sets standards for the use and disclosure of protected health information (PHI), as well as standards for individuals’ privacy rights to understand and control how their PHI is used and shared.
Examples of disclosures that require the patient’s written authorization include disclosures for life insurance coverage, pre-employment physicals, lab tests requested for purposes other than the patient’s treatment, and disclosures to pharmaceutical firms.
A patient’s authorization is NOT required for uses and disclosures of PHI for treatment, payment, and health care operations (often abbreviated TPO).
The Privacy Rule does not restrict the use or disclosure of de-identified health information. Information counts as de-identified only when it meets the rule’s standard: either the Safe Harbor method (removal of the 18 specified identifiers, with no actual knowledge that the remaining data could identify the individual) or a documented expert determination that the risk of re-identification is very small.
Fundamental to HIPAA compliance:
Conduct a Security Risk Analysis. The Security Rule requires covered entities and business associates to perform one, and to repeat it as systems, vendors, and threats change, not only once.
Although this can be done by office personnel, an independent security specialist (usually an IT or security group) may be more appropriate, depending on the size and complexity of the organization.
It consists of two parts: a risk assessment (identifying where ePHI is created, received, stored, and transmitted, and the threats and vulnerabilities to it) and an IT assessment of the technical safeguards in place.
The output includes a detailed, dated report outlining the identified problems to fix, the risk assigned to each, and the remediation plan; keep this documentation, as it is what an auditor or OCR investigator will ask for.
The Office of the National Coordinator for Health Information Technology (ONC), together with the HHS Office for Civil Rights (OCR), provides the free Security Risk Assessment (SRA) Tool, designed to help physicians and small practices navigate the process of conducting a risk assessment.