Earlier this year, the HHS released the HIPAA/HITECH “Mega Rule”. While most of the country was in the middle of preparing for Health Care Reform, taxes, etc… this may have snuck up on you and your team. What does this mean for you?
- Review of Data Breach Response Plan or Unauthorized Disclosure (presumed breach vs. significant financial/reputational risk)
- Changes to Business Associate Agreements
- Fundraising + Marketing Communications
- Notice of Privacy Practices
- Potential Penalties
- Encryption of Mobile Equipment
I have often heard an argument that small hospitals and smaller/solo physician groups should not be concerned because rules like this are only enforced against large companies or for large breaches. As with Health Care Reform, burying your head in the sand will not get you out of trouble here. For example, a hospice provider in Idaho was fined $50,000 for a breach that affected 441 patient records. This is a landmark event because, according to many sources, it is the first fine of this size for a breach of fewer than 500 records. Goodbye to the argument that we are too small for this to impact us!
Who is responsible for protecting this information? In one word, EVERYONE! This includes your staff, your independent contractors, your business associates, and every person who sets foot on your property.
Personal Health Information is extremely valuable. You might wonder why, but think about what your own record contains: social security numbers, contact information, family/spouse names, financial information, past medical history, prescription drug card details, and much more. Medical records hold a significant amount of personal history and, unlike a credit card, they cannot simply be cancelled and reissued once exposed.
As with most risks, education is the first step. I would recommend consulting with your company’s key advisors, associations and internal team (including your Chief Privacy Officer) to develop a plan that best protects your employees’ and your patients’ data.