12 Steps for Protecting the Privacy of Your Patients

Tool

Challenge: Clinical Integration, Financial Sustainability

Content provided by AHA Endorsement partner: ID Experts

A checklist for health care privacy, information security and compliance officers to reduce the risks associated with the unauthorized disclosure of PHI.

According to a 2010 study by the Ponemon Institute, data breaches are costing the health care industry nearly $6 billion a year, risking the medical and financial well-being of breach victims and damaging the reputation of health care providers.[1]

Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed by President Obama in February 2009, seeks to streamline health care, improve quality and reduce costs through the use of health information technology. The HITECH Act dedicates over $31 billion in stimulus funds to health care infrastructure and the adoption of electronic health records (EHR), including funding for the meaningful use incentive programs.

To ensure public confidence and patient privacy protection as health records are digitized, the HITECH Act strengthened the existing HIPAA Privacy and Security Rules and mandated a new Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D). Enforcement of these Rules is the responsibility of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Health care organizations are expected to comply fully with these rules, as evidenced by OCR investigations and the levying of unprecedented fines and corrective action plans.

Given its jurisdiction over enforcement of the HIPAA Privacy, Security and Breach Notification Rules, OCR has been investigating many covered entities that have reported data breaches and other privacy incidents, but only recently has it also sent out a “wake-up call” that it plans to enforce the rules aggressively and penalize entities that violate them. In March 2011, OCR assessed a $4.3MM penalty on Cignet Health and agreed on a $1.0MM resolution amount under a resolution agreement with Massachusetts General Hospital. These penalties mark a new era of enforcement by HHS/OCR and indicate that it plans to put “teeth” into its HITECH-era investigations.

With this background in mind, we have evaluated and documented the top 12 steps that all HIPAA covered entities should take, both pre-breach and post-breach, to reduce the risks they face.

Download this tool today to ensure your data breach response plan meets basic regulatory requirements.