The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that covered entities must not use or disclose electronic Protected Health Information (e-PHI) without proper authorization.
Protected Health Information is all Personally Identifiable Information that is held or transmitted by a covered entity or a business associate. This includes:
- Written information
- Information stored in computer systems
- Information transmitted orally
A proper Risk Assessment identifies and assesses vulnerabilities in your office that would make your patient data susceptible to a breach or to corruption of data. This correlates with the three pillars of HIPAA: Accessibility, Integrity and Security. Therefore you must examine both the technical AND physical security controls and limitations in your office.
- Each of your practice locations has a method for you to access your data. This means each location is a portal to patient information that we must safeguard.
- Each of your practice locations has its own set of computers, routers, firewalls and technical equipment.
- Each of your practice locations has its own physical location, physical security and physical risks.
- Each of your practice locations may have its own associated employees.
The Risk Assessment looks at all the risks for the individual location and provides you with a Risk Mitigation plan that is specific to the location.
There have been incidents in the past where an organization had a HIPAA Incident and, upon investigation, it was discovered that the Risk Analysis was not specific to the location. Consequently, those organizations experienced large fines.
If a patient does not give you permission to give information to their spouse, under HIPAA you CANNOT share information with the spouse. To do so would be a HIPAA violation.
Patients have a right to a copy of their medical records even if they have an outstanding balance. Failure to provide a copy of the medical records would be considered a HIPAA violation.