Warning! HIPAA is now larger, with teeth and ready to strike!

After the ARRA (American Recovery and Reinvestment Act), or “The Obama Stimulus Bill”, was signed into law in February of 2009, there are many new HIPAA provisions to be aware of. The section of the bill known as HITECH (Health Information Technology for Economic and Clinical Health Act) is the one of concern.
What’s different? To begin with, HITECH adds the following requirements to what is already in place for “covered entities”:
• Mandatory annual audits by Health and Human Services to ensure compliance.
• Fines up to $1.5 million for violations.
• Business Associate Agreements are now required for vendors and partners who have access to your patients’ protected health information (PHI).
• If there is an unauthorized disclosure of PHI, it is now mandatory to notify the individuals whose PHI was accessed (the patients), Health and Human Services and, if the breach is large enough, the media!

Have you reviewed your organization’s IT to ensure your systems are in compliance? What about faxing or e-faxing: are you taking measures to ensure these are in compliance? Is your website HIPAA compliant? Are emails encrypted if they contain PHI? Does your organization have a disaster recovery plan in place? Has your site ever been audited by a third party for HIPAA compliance?

Traditional Faxing and HIPAA
We are often asked questions by physicians and practice managers regarding faxing and HIPAA compliance. Following the logic that email containing PHI cannot be sent unsecured, one would assume that FAXing is also a no-no. That’s not entirely true.
HIPAA states in the “Safeguards Principle”: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use or disclosure.
As you can see from the above, HIPAA lays out rules and guidelines but doesn’t offer any solutions for implementing them (especially in the case of FAXing). With email it’s quite simple to meet the above by using end-to-end encryption. FAXing, however, isn’t quite so “cut and dried”.
What sensible steps can you take for HIPAA compliant FAXing?
1. Use a cover letter. This will help to avoid any casual or accidental reading of PHI.
2. Send only the necessary PHI, no more.
3. Use saved speed dial numbers for entities that your practice faxes often. This will help prevent dialing wrong numbers.
4. Verify any new fax numbers with a test fax.
5. Document in your “Policies and Procedures Manual” what to do if PHI is accidentally faxed to the wrong location.
6. Make sure your fax machine DOES NOT save copies of received faxes. This is a simple configuration setting on the machine.
7. Never leave PHI sitting on the fax machine once it has been received or sent.
8. Do not fax if there are other, “more secure” ways to deliver PHI (e.g. encrypted email, by hand, etc.).