Privacy in the healthcare industry is not only expected but mandated. HIPAA, which stands for the Health Insurance Portability and Accountability Act of 1996, is enforced and maintained by the Office for Civil Rights. The U.S. Department of Health and Human Services created the Privacy Rule to implement HIPAA's requirements. This rule sets a national standard that governs the use and disclosure of a person's health information.
Protected health information is information that can be considered individually identifiable. This is not limited to the obvious identifiers such as names, addresses, birthdates, and Social Security numbers. Protected health information includes details that any health care provider puts in your medical records, information about your insurance coverage and billing history, and even conversations between patients and healthcare workers. All healthcare workers, and even contractors, who have access to an individual's information must be properly trained in HIPAA procedures and made aware of all changes or updates.
Technology plays a vital role in the way business is conducted throughout the medical field. Electronic communication has become an integral tool and common method of performing day-to-day transactions. Some of these activities include appointment scheduling, payment and procedure authorizations, submission of insurance claims, patient referrals, lab results and even medication refill requests. Although these types of communications have improved the quality and efficiency of care, matters of privacy remain a major concern.
Using the Internet in the healthcare industry raises security concerns about patients' personal information. Confidentiality can and must be maintained through a series of mandatory steps. HIPAA requires healthcare offices to secure their computer networks: firewalls and virus protection must be set up to safeguard against hackers, identity thieves, and viruses that may be able to intercept communications. Email notices are another part of the security process. These are alerts placed at the bottom of emails warning recipients that the enclosed information is private and confidential; the notice goes on to explain that the email must never be forwarded or shared and, if received in error, should not be opened.
In keeping with HIPAA standards, email subject lines must be nondescript: patient information is never allowed in the subject line of an email. Anything visible before the email is opened must be generic. Any patient information must be placed in the body of the email or sent in an attached document.
Another main safeguard is email encryption. HIPAA laws require a gold standard of military-grade 256-bit encryption for data that is stored or transmitted over open networks. This standard does not require encryption for information sent over closed networks such as an internal intranet, although it is allowed. Encryption scrambles email messages so that they are decoded only when the recipient enters the correct passcode. The passcode is set in advance by the sender and sent separately to the patient or other person receiving the information. To further protect sensitive data, HIPAA compliance prohibits encryption keys from being stored on the same server as the email transmissions.
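The three rules above (a generic subject line, a body that is only readable after the recipient enters a passcode, and key material kept apart from the mail store) can be combined in one small program. The following Go code is an added example written for this page, not something the article or any vendor ships; it assumes AES-256-GCM as the "256-bit encryption", PBKDF2-HMAC-SHA256 (written out by hand so only the standard library is needed) to turn the sender's passcode into a key, and a constructed, illustrative regular expression as the subject-line screen. The sample subject and body are constructed. Note that `SecureEmail`, the record handed to the mail server, has no field for the passcode or key: the caller receives the passcode separately and must deliver it over another channel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Envelope is what travels in the email body: everything needed to decrypt
// EXCEPT the passcode, which reaches the recipient over a separate channel.
type Envelope struct {
	Salt       []byte // random per message, input to key derivation
	Nonce      []byte // random per message, AES-GCM nonce
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// SecureEmail is the record handed to the mail server. It deliberately has no
// field for the passcode or the derived key, so neither can end up stored
// beside the transmitted message.
type SecureEmail struct {
	Subject string
	Body    Envelope
}

// phiSubjectPattern is a constructed, illustrative screen: any run of two or
// more digits (dates, MRNs, SSNs, phone numbers) or common clinical words.
var phiSubjectPattern = regexp.MustCompile(`(?i)\d{2,}|patient|diagnos|result|lab|rx|prescription|claim|insurance`)

// SubjectIsGeneric enforces the rule that nothing visible before the message
// is opened may identify a patient or describe their care.
func SubjectIsGeneric(subject string) error {
	if strings.TrimSpace(subject) == "" {
		return errors.New("subject must not be empty")
	}
	if m := phiSubjectPattern.FindString(subject); m != "" {
		return fmt.Errorf("subject line contains possible PHI: %q", m)
	}
	return nil
}

const kdfIterations = 100_000

// DeriveKey is PBKDF2-HMAC-SHA256 for a single 32-byte (256-bit) output block:
// U1 = HMAC(passcode, salt || 0x00000001), Ui = HMAC(passcode, Ui-1), key = XOR of all Ui.
func DeriveKey(passcode string, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, []byte(passcode))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	key := make([]byte, len(u))
	copy(key, u)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func newGCM(passcode string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveKey(passcode, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBody encrypts the message body under a key derived from the passcode.
func SealBody(passcode string, plaintext []byte) (Envelope, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return Envelope{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(passcode, salt)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenBody is what the recipient's client runs after the passcode is typed in.
// A wrong passcode fails GCM authentication and yields no plaintext at all.
func OpenBody(passcode string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(passcode, env.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ComposeSecureEmail applies both rules: the subject must be generic and the
// body is encrypted under the sender-chosen passcode. The passcode is not part
// of the returned email; the sender must deliver it separately.
func ComposeSecureEmail(subject, body, passcode string) (SecureEmail, error) {
	if err := SubjectIsGeneric(subject); err != nil {
		return SecureEmail{}, err
	}
	env, err := SealBody(passcode, []byte(body))
	if err != nil {
		return SecureEmail{}, err
	}
	return SecureEmail{Subject: subject, Body: env}, nil
}

func main() {
	// Constructed sample message and passcode.
	passcode := "correct-horse-4417"
	email, err := ComposeSecureEmail("Secure message from Example Clinic",
		"Constructed sample: your appointment is confirmed for the 14th.", passcode)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject: %s\nciphertext: %s\n", email.Subject,
		base64.StdEncoding.EncodeToString(email.Body.Ciphertext))
	plain, _ := OpenBody(passcode, email.Body)
	fmt.Printf("decrypted with correct passcode: %s\n", plain)
	_, err = OpenBody("wrong-passcode", email.Body)
	fmt.Println("wrong passcode:", err)
	fmt.Println("rejected subject:", SubjectIsGeneric("Lab results for John Doe, DOB 03/04/1990"))
}
```

The salt and nonce travel with the ciphertext because they are not secret; only the passcode is, and the per-message salt means a reused passcode still yields a different key each time. In a real deployment the passcode store and the mail store would live on separate systems, which is the architectural point behind the key-separation rule above.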
Failure to comply voluntarily with the Privacy Rule can result in civil money penalties or even criminal sanctions. Punishments vary drastically depending on several factors: the date of the violation, whether the party knew or should have known they were out of compliance, and whether the failure was due to willful neglect. The Office for Civil Rights has wide discretion in determining violations and imposing penalties. Individuals and/or entities found guilty of violating the Privacy Rule may face fines of up to $250,000 and up to 10 years' imprisonment.