Anyone who works with Protected Health Information (PHI) knows that some of the HIPAA security rules can be challenging. Beyond the effort of putting security in place and training personnel to keep this data safe, patients often get frustrated with some of the restrictions on how their data is shared.
It can be discouraging for everyone involved, but it doesn’t have to be.
Generally speaking, it’s not the security rules that are the problem, rather it’s how and why they are applied. We’ve broken down the reasons we need HIPAA Compliance in the medical world and put them into terms that apply to those who work in the field, as well as all of us patients.
Compliance is NOT Voluntary
Let’s start here. Whether you work in a medical office or are a patient, abiding by the security rules isn’t optional; it’s the law. Just as you can’t drive 100 mph through a school zone or walk out of a grocery store with a cart full of food without facing the consequences, healthcare organizations can face fines of $25,000-$50,000 for a single violation if they are out of compliance.
These standards were created to ensure patient privacy by establishing rules for the legal use and disclosure of medical information. For most people, medical information is extremely personal, yet before these security rules existed, rarely enforced and inconsistent state laws were all we had. Congress had passed privacy statutes protecting driver’s license records, cable TV records, school records, and even phone records back in the 1970s, but it wasn’t until the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 that this most personal of information was finally protected.
No matter how it sometimes feels, these rules were put in place to protect us all.
The Rules are Evolving
The primary reason it took so long to get security rules in place is that critics assailed the legislation from all sides.
- Office workers complained that sign-in sheets were too disruptive
- Administrators worried about not being able to share medical records with family members
- Doctors did not want to share their notes
- Patient rights advocates wanted stronger enforcement
- Many worried that enforcing compliance would bankrupt the healthcare industry
- Big business enjoyed all the legal loopholes that allowed them to collect data as they were
It was the Department of Health and Human Services (HHS) that put the rules in place, but it was up to the Office for Civil Rights (OCR) to enforce them. Early on, this proved problematic, and it was really the first decade of its existence that provided the negative reputation that HIPAA still struggles to get out from under. Between an inability to investigate breaches and inadequate enforcement, it seemed that the critics were right.
A string of laws including a HIPAA Compliance Deadline in 2003, the HITECH Act in 2009, and the final HIPAA Security Rule in 2013 proved that not only could these security rules work, but that the HHS was willing to adjust them to changing digital needs and the OCR had the teeth to enforce them.
What These Rules Mean To Us
As human beings, one of the things we struggle with most is inconsistent standards of behavior. We dislike it when someone is able to do something we are not allowed to do, and get away with it. The HIPAA Security Rule ensures that we all have the same rules. No one gets an unfair advantage.
Beyond this, it exists to protect individuals and ensure that we all have full access to a copy of our personal medical records, without worrying about this information being shared without our knowledge or consent. It is ultimately a civil rights issue that applies to anyone who creates, transmits, or uses individually identifiable health information. Of course, this doesn’t come without a cost.
For healthcare workers, it means following specific guidelines that include:
- using strong, unique passwords
- not sharing workstation logins
- managing minimum access to records
- attending mandated training
And as patients, we have to do our part to keep our personal medical information safe by:
- reading and signing disclosure forms
- using patient portals whenever possible to get information
- securing accounts with strong, unique passwords
- working with healthcare providers, not against them
For some, the HIPAA Security Rule affects how we work; for others, it affects how we communicate; but ultimately it’s about keeping patient medical information secure for all of us.
Within the current Covid-19 landscape, we’re all experiencing more challenges. Healthcare has been forced to undergo sweeping changes that make maintaining privacy compliance even more difficult. Among these we have:
- Telehealth Visits – unless an in-person visit is absolutely necessary, patients are making virtual visits; maintaining data protection over the internet requires new and more complex security procedures
- Increased Patient Ratios – between physical distancing guidelines and smaller available staff, things can get hectic, creating the opportunity for HIPAA Compliance mistakes
- Multiple Care Providers – with more testing, primary care physicians are receiving results from multiple labs, which means data is moving at a faster pace, which could lead to a higher rate of security errors
Maintaining secure PHI is important to everyone. With a little patience and understanding, we can all work together to stay in Compliance.
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small business, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com