- Volume 26 - Issue 3 - March 2013
- 1928 reads
- 0 comments
How Will The New HIPAA Rule Affect Your Practice?
By Brian McCurdy, Senior Editor
The Department of Health and Human Services has modified the Health Insurance Portability and Accountability Act (HIPAA) with changes that affect both patient access to records and security protocols at podiatry practices.
As part of the ruling issued in January, patients will have expanded rights to get electronic copies of their health records. The ruling also mandates that HIPAA covered entities notify the affected individuals, secretary of the Department of Health and Human Services and, in some cases, the media of any security breaches. The American Medical Association notes that the new rules require that physicians must assume the “worst case scenario” if patient information is breached, a stricter standard that mandates the reporting of any breach.
What kind of security system should practices have in place to prevent breaches in patient information? Anthony Poggio, DPM, notes that a self-audit as outlined by the Centers for Medicare and Medicaid Services, as part of Meaningful Use, is required even under the old regulations. He notes third parties can advise a practice on how to do this. He emphasizes that it is incumbent on the practice to put these processes in place whether under the old or newer regulations.
Bruce Werber, DPM, suggests that one relatively inexpensive step practices can take is to encrypt every hard drive in the practice and make it a policy not to take any computer out of the office that is not encrypted. He says the practice should ensure that any financial or patient data stored on the cloud is also encrypted. Paper charts should also be secure.
Dr. Werber speculates that identity theft has increased since the institution of HIPAA and that the government’s approach to protecting our identities and our medical information is “severely flawed.” He suggests training staff not to give any information out to anyone, letting the patient be the one providing protected data to company representatives and making sure the practice has patients’ permission to discuss their information.
Practices should also conduct background checks on employees, notes Dr. Werber, who is in private practice in Scottsdale, Ariz. Doctors should change passwords on the computer systems regularly. He also suggests keeping records of all of the practice’s security precautions, so if there is a breach, one can minimize potential fines or legal action by patients.
The Department of Health and Human Services estimates that the final rule would cost practices $100 million a year. “The revised HIPAA regulations are putting an increased financial burden on small medical practices, which appear to be totally unreasonable for groups of one or two or even three physicians,” notes Dr. Werber.
However, Dr. Poggio feels that the costs for practices to implement the new regulations would not change much as they were already required to have a privacy audit system if they have an EMR and have attested already. He says it would incur costs if no system is in place.
“It will be more time consuming to make sure that the system is in place and then to periodically monitor it to make sure it is functioning accordingly, says Dr. Poggio, a medical consultant to several national health insurance and review organizations. “So continually self auditing the system requires diligence.”
Is Ultrasonic Debridement Of Venous Leg Ulcers More Effective?
By Danielle Chicano, Editorial Associate