Privacy breaches of protected health information continue to be a problem for the entire health care industry. Facilities across the country have faced fines for the unauthorized disclosure of patient information, whether accidental or not. A single breach typically involves a high number of patient accounts, and the resulting fines can range from several hundred thousand to several million dollars.
Disclosure of a patient's protected health information (PHI) without their authorization is a violation of the Privacy Rule under HIPAA. Most privacy breaches are not due to malicious intent but to accident or negligence on the part of the organization.
Each medical office has a responsibility to its patients under federal law to keep their personal health information private and secure. Facilities may seem to be at the mercy of their employees when it comes to staying HIPAA compliant, but the contrary is true. When the security of a patient's PHI is breached, it is an indication that there is a hole somewhere in the facility's HIPAA compliance policy.
Although no policy is 100% secure, there are some areas that many facilities fail to address when planning, developing and implementing their policy for the privacy and security of patient information.
- Upgrade your medical office to an electronic health record system for the security that a paper-based record keeping system cannot offer. With an electronic health record system, information can be conveniently and securely transmitted over the internet. Electronic information can be shared with other health care providers or patients much faster than paper records, since it gives instantaneous access to the entire record.
- A secure computer network and internet connection to prevent malicious hacking.
- Limited access to PHI for medical office staff whose particular job function does not require the information. This lessens the chance of access by anyone who is not directly involved in the patient's care or does not need the patient's information to do his or her job effectively.
- Tracking software to log and monitor each time a staff member accesses or retrieves information as a way to flag suspicious activity.
- Distribution of medical office duties in such a way that no one person has full access to a patient's complete health record. This should be an integral part of the internal control policy.
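The access-limitation and tracking controls above can be checked against the audit log itself. The following is an added example, not code from the original article: it assumes a constructed CSV-style access log (timestamp, user, patient, action), a constructed care-team roster, and a constructed role table, and flags accesses by non-clinical roles, accesses to patients outside a staff member's care team, and bulk retrieval by a single user.

```python
# Added example: review a PHI access log for activity outside job function.
# All data below is constructed for illustration.
from collections import Counter

# Constructed roster: which staff are assigned to each patient's care team.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_lee"},
    "P1003": {"dr_ortiz", "rn_patel"},
}
# Constructed role table; only clinical roles need record access for their job.
STAFF_ROLES = {"dr_lee": "physician", "rn_patel": "nurse",
               "dr_ortiz": "physician", "front_desk1": "reception"}
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed access log lines: timestamp,user,patient,action
SAMPLE_LOG = """\
2024-03-01T09:02:11,dr_lee,P1001,view
2024-03-01T09:05:40,rn_patel,P1001,view
2024-03-01T09:07:02,front_desk1,P1003,view
2024-03-01T09:08:15,dr_ortiz,P1002,view
2024-03-01T09:10:00,rn_patel,P1003,view
"""

def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        rows.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return rows

def flag_accesses(rows, bulk_threshold=20):
    """Return (reason, record) pairs for accesses a privacy officer should review."""
    flags = []
    for r in rows:
        role = STAFF_ROLES.get(r["user"], "unknown")
        if role not in CLINICAL_ROLES:
            # Role does not need PHI for its job function at all.
            flags.append(("non-clinical role", r))
        elif r["user"] not in CARE_TEAM.get(r["patient"], set()):
            # Clinical staff, but not assigned to this patient's care.
            flags.append(("not on care team", r))
    # Many records retrieved by one user in the window suggests bulk export.
    for user, n in Counter(r["user"] for r in rows).items():
        if n >= bulk_threshold:
            flags.append(("bulk access", {"user": user, "count": n}))
    return flags

if __name__ == "__main__":
    for reason, rec in flag_accesses(parse_log(SAMPLE_LOG)):
        print(reason, rec)
```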