It’s been six months since the newly passed HIPAA Omnibus rule went into full effect. The goal of the new rule was to provide better protections for patient information.

For health providers and IT companies, it’s all about compliance, and non-compliance can bring stiff penalties from the Office of Civil Rights.

Have you ensured your office is aligned with the new requirements? Here are five things to check:

• Business associate accountability. The new rule expands how “business associates” are defined. In a nutshell, any company that sends or regularly accesses patient data is a business associate. This opens up a huge arena of liability. Each associate is responsible for protecting the data they are entrusted with, and the “source” of the data breach is the entity that will be held accountable. Business associates might include health IT companies, personal health record vendors, e-prescribing gateways or anyone that transmits or gathers your patient data. Be sure you are protected by having a valid Business Associate Agreement with all your subcontractors that clearly outlines their responsibility.
• Patient access. The rule stipulates that patients must have access to their medical records in the electronic format they prefer, even if the patient’s requested format creates a security risk. Hospitals and providers are only obligated to let the patient know about the increased risk.
• Marketing partners. Providers must obtain permission from each patient before partnering with a third-party service for marketing purposes. This would include third-parties that wish to sell to the patient or simply collect payment. If the third-party needs access to patient data, the patient must give permission first. Marketing agreements that were already in place before the Omnibus rule have until September 23, 2014 to obtain permission.
• Protected data for the deceased. Providers can release health care data regarding a deceased person to family members, close friends or others that the patient indicated was involved in their care or payment for care. However, data is no longer protected once the patient has been dead for 50 years.
• The role of a risk analysis. There are many aspects to the Omnibus rule. The most effective way to measure compliance is to perform a regular risk analysis. If a data breach were to occur, the Office of Civil Rights will want to see evidence that the company performed a risk analysis.

Health care is going through tremendous reform. Legislative requirements are continuing to evolve. As a result, it’s imperative for health care organizations to have an IT partner they can trust. AE Technology Group specializes in Health Care IT. We know IT and we know the health care industry, including IT HIPAA compliance.

Contact us to find out how we can ensure your office is in compliance and meeting legislative requirements.

HIPAA compliance is something that all organizations dealing with health records have to comply to for the sake of patient privacy. If you’re new to this industry and just learning what HIPAA stands for, it stands for the Health Insurance Portability and Accountability Act that makes sure all protected health information isn’t compromised.

But what IT steps should you take in order to make sure that happens? Those who overlook these things potentially face steep fines as well as thwarting patient trust.

Limited Access

You have to assure that only authorized personnel have access to medical files containing private information. This includes specific policies about who takes over workstations and who gains access to electronic documents. In those policies should also be a careful plan making sure health data doesn’t get compromised when being moved to another location or when it’s being destroyed.

Encryption and Audits of Electronic Documents

Encryption is going to be imperative when storing health documents in the cloud. With so much concern over hackers gaining access to electronic documents, a solid encryption system will bring the best possible safeguards HIPAA expects.

Audits complement encryption by providing a trail of who’s been accessing those electronic documents. You have to keep a close watch on who signs in and stop anyone who isn’t authorized. Fortunately, many electronic document programs have excellent logs that let you keep track of who’s been accessing the files.

Providing Disaster Recovery and Backup

You and your patients don’t want medical files missing if your building is destroyed during a natural disaster. HIPAA expects you to prove you have a reliable backup system that can be quickly accessed as part of a disaster recovery process. You should be able to move to another location and access those records in the cloud without any downtime. This can allow a continuity as if nothing happened and allows patients to access their files whenever they need them.

Proving Network Security

You’ll also need to prove some sort of network security that keeps your systems running as safely as possible. Things like virus software and firewalls will need to be employed and assured to be working or updated correctly. Security expectations extend not only into the cloud but also your email systems or Wi-Fi signals.

Keep in mind that any violation of these things could impose even stiffer fines based on The Health Information Technology for Economic and Clinical Health Act. This was an amendment that reinforces HIPAA to impose larger fines for companies willfully not complying to the regulations.

Yes, you could call it a psychological response to get companies to step it up in compliance. It’s also because so many companies are increasing the use of electronic documentation.

Here at AE Technology Group, we can help you get HIPAA compliant easily with our cloud solutions and other IT services.

Contact us about the comprehensive options we offer and how we can cover every angle. We work to understand your business first so we know exactly what you need rather than provide tech that may be superfluous.