HIPAA is not just for Healthcare – Part 1
Do you think HIPAA laws apply only to those in the medical community?
As a small business owner, do you realize that HIPAA rules apply to every employee who works with health-related data?
Sarah Badahman, owner of HIPAAtrek, appeared on TNtv to discuss how HIPAA data protection rules cover everyone who comes into contact with medical-related data, not just the staff at a physician’s office.
In Part One of a two-part series, Badahman discussed how a HIPAA breach is different from a typical cyber-attack.
A HIPAA breach is the acquisition, access, use or disclosure of protected health information (PHI) in a manner not permitted by the HIPAA Privacy Rule. This definition is broader than that of a typical security breach: it covers not only electronic data but also paper records and any other media used in the records process, whereas a typical security intrusion involves only information stored electronically.
She indicated that the government is cracking down on HIPAA violators. Rules issued in 2013 make it harder to show that a HIPAA-related incident was not a breach. Once an incident has been reported, business owners should be aware that they are presumed to be in violation until they can demonstrate otherwise.
Four Factors of a HIPAA Risk Assessment
Four factors are used in a risk assessment to determine whether a HIPAA breach has actually occurred.
The first is the nature and extent of the protected health information that was actually involved. Did the incident involve only Social Security numbers, or were infectious disease diagnosis codes released that could affect the reputation of the patient or individual?
The second is who actually received the data. Was it a mother accidentally receiving information about her adult daughter, or a large-scale incident like the one at Anthem, where some 80 million records were reportedly exposed?
Authorities will also want to know whether the data was actually acquired or viewed, and the extent to which the risk from the breach has been mitigated. Safeguards should be put in place to make sure a similar incident does not recur.
Badahman also urged physicians and practice managers not to work with sensitive information over public, unsecured Wi-Fi at a coffee shop, café or hotel.
On an open network, anything sent without encryption, including private EMR information, can be captured and read by others on the same network.
Work of this kind should be confined to what is stored locally on the device. PHI should never be transmitted over protocols that do not encrypt the connection, such as plain HTTP; if it must leave the device, it should travel only over TLS or a VPN.
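One way to enforce the transport rule in code, as an added example that is not part of the article or HIPAAtrek's own software: a small helper that refuses to open any connection carrying PHI unless the URL uses HTTPS, and builds a TLS client context that verifies the server certificate, checks the hostname and rejects TLS versions older than 1.2. The host name `emr.example.invalid` is a placeholder, and the assumption is that the EMR is reached over an HTTPS API.

```python
"""Added example (not from the article): refuse to carry PHI over plaintext.

Assumes the EMR exposes an HTTPS API; emr.example.invalid is a placeholder host.
"""
import http.client
import ssl
from urllib.parse import urlparse


class InsecureTransportError(Exception):
    """Raised when a request would carry PHI over an unencrypted channel."""


def transport_is_acceptable(url: str) -> bool:
    """True only for URLs that use HTTPS and name a host.

    Plain http://, ftp://, a missing scheme and a missing host are all rejected,
    so an accidental fallback to a cleartext endpoint is caught before any
    PHI is sent.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def require_tls_url(url: str) -> str:
    """Return the URL unchanged if it is acceptable, otherwise raise."""
    if not transport_is_acceptable(url):
        parts = urlparse(url)
        raise InsecureTransportError(
            f"refusing to send PHI over {parts.scheme or 'unknown'}:// "
            f"to {parts.netloc or url!r}"
        )
    return url


def strict_tls_context() -> ssl.SSLContext:
    """TLS client context for PHI traffic.

    create_default_context already loads the system trust store and enables
    certificate and hostname verification; the minimum version is raised to
    TLS 1.2 so a downgraded or legacy endpoint is refused instead of used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_phi_connection(url: str, timeout: float = 10.0) -> http.client.HTTPSConnection:
    """Open an HTTPS connection suitable for PHI; there is no plain-HTTP path."""
    require_tls_url(url)
    parts = urlparse(url)
    return http.client.HTTPSConnection(
        parts.hostname,
        port=parts.port or 443,
        timeout=timeout,
        context=strict_tls_context(),
    )


if __name__ == "__main__":
    # Constructed sample URLs; the first is refused, the second is accepted.
    for candidate in ("http://emr.example.invalid/patients",
                      "https://emr.example.invalid/patients"):
        try:
            print("ok:", require_tls_url(candidate))
        except InsecureTransportError as exc:
            print("blocked:", exc)
```

The point of the helper is that a cleartext path simply does not exist: the only connection constructor it offers is HTTPS with a verifying context, so a mistyped `http://` in a config file fails loudly instead of leaking records over the café network.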
Badahman will have more information about HIPAA in part two of the series.
Watch Part 1 of the episode below!