A survey published in 2017 reported that 26% of people in the U.S. had had their protected health information (PHI) stolen in a healthcare data breach.
When PHI is stolen, the result is often medical identity theft. There are many ways to steal someone's medical identity; one of the most common is submitting fraudulent claims to the victim's health insurer.
Protecting PHI against this kind of misuse is one of the primary reasons HIPAA's privacy and security rules exist.
What is HIPAA? How does medical IT support play a major role in safeguarding PHI? Continue reading to find out everything you need to know.
What Is HIPAA?
HIPAA stands for the "Health Insurance Portability and Accountability Act." It became federal law in 1996, and the rules issued under it set the national standard for how medical records and other PHI may be used, shared, and protected.
What qualifies as PHI under HIPAA?
Under the law, PHI is "protected health information" (often informally called "personal health information"): health information that can identify an individual and that a covered entity or business associate creates, receives, maintains, or transmits. It is PHI whether it is kept electronically, on paper, or passed along verbally.
Who Is Covered by HIPAA?
You have likely been handed HIPAA paperwork when signing up with a new doctor or visiting a new hospital. Which professionals must adhere to these standards? The short answer is anyone who handles PHI.
As with most things, the answer is not as cut-and-dried as that. Many businesses are surprised to learn they are covered by this law.
Let's start with the obvious answers. HIPAA's "covered entities" are health plans (including health insurers), healthcare clearinghouses, and healthcare providers that transmit health information electronically, which today means nearly every practice, including alternative medicine practices.
Now the non-obvious answers. Lawyers, accounting firms, and other vendors that handle PHI on behalf of the healthcare industry are "business associates" and must follow these rules as well. Medical IT support falls squarely into this group.
Medical IT support does not only mean the people working inside the hospital. It includes outside vendors and technology companies that service equipment or systems holding PHI in a healthcare setting.
How Medical IT Support Contributes to HIPAA
Many healthcare organizations underestimate the role medical IT support plays in HIPAA compliance. These individuals can reach a great deal of PHI, so steps must be taken to ensure they handle it compliantly.
If your healthcare organization works with an IT vendor, you must have a BAA in place. BAA stands for "business associate agreement." Under it, the vendor agrees to safeguard the PHI it handles and to comply with the applicable HIPAA rules.
Beyond that, research potential IT vendors before choosing one. Ask how they meet current regulations. If a vendor will not sign a BAA or cannot show how it safeguards PHI, you cannot lawfully share PHI with it.
Internal medical IT support is broader than the "tech guy" who fixes your computers. It includes anyone whose job involves the systems that hold PHI: medical billing staff, registration staff, and others.
Rules & Regulations You Must Know
If you work in the healthcare industry, even by association, you should know what falls under HIPAA. The consequences for violating this law are serious. Negligent violations can bring civil fines; knowingly obtaining or disclosing PHI without authorization can bring criminal penalties, including jail time.
What can or can’t you do under HIPAA? How does it relate to information sharing and technology?
These Communication Methods Aren't Compliant on Their Own
Several forms of communication people use every day are not compliant with HIPAA as ordinarily used. Consumer email and standard text messages are prime examples. Why?
These are open channels. You might not be aware of it, but copies of your messages are kept on your carrier's or email provider's servers, and they often travel between servers without encryption.
Your healthcare organization has no control over those servers, so it cannot ensure the information is safe. Anyone who gains access to them can read the shared PHI.
Healthcare organizations instead use encrypted email and secure messaging platforms whose messages are stored on servers the organization controls, or on a vendor's servers under a BAA, and protected from outside access. Used this way, electronic messaging meets HIPAA's standards.
The Security Rule for Medical IT Support
HIPAA's "Security Rule" sets out administrative, physical, and technical safeguards for electronic PHI. The technical safeguards most relevant to medical IT support are below. Note that the rule labels some of them "addressable," meaning an organization must either implement them or document why an equivalent alternative is reasonable; in practice, auditors expect them.
Encrypt PHI at rest and in transit. Encryption at rest means someone who obtains the disk, backup, or database file cannot read the data without the key. Encryption in transit means the data cannot be read while it moves from one place to another (for example, in email or between a workstation and a server).
Give every person authorized to access or communicate PHI a "unique user identifier." Shared logins are out. Unique IDs let PHI use be monitored and logged per individual, so if information leaks, the source can be traced.
Configure automatic logoff on every device and application used to access PHI. After a set period of inactivity the session ends, so a workstation left unattended does not expose PHI to whoever walks up to it.
Keep the encrypted PHI, and above all the keys, on hardened servers with controlled access. Encryption turns readable data into ciphertext that is useless without the key, but the key and the server that holds it still need protection: access controls, patching, and audit logs of who touched what.
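The safeguards above (encryption at rest, unique user identifiers, automatic logoff, and a per-user audit trail) fit in one small program. The Go code below is an added illustration, not code from this article or from Sagacent. The user name "nurse.jdoe", the record IDs, the sample record contents, and the 15-minute idle timeout are all constructed for the example; HIPAA requires automatic logoff but does not fix the interval. A real system would also keep the AES key in a KMS or HSM rather than generating it in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// IdleTimeout is an assumed inactivity window; the Security Rule requires automatic logoff but sets no interval.
const IdleTimeout = 15 * time.Minute

var ErrNoUser = errors.New("unique user identifier required")
var ErrSessionExpired = errors.New("session idle too long: automatic logoff")

// Session ties every PHI access to one named user and tracks last activity.
type Session struct {
	UserID   string
	LastSeen time.Time
}

// Touch enforces the unique-user and automatic-logoff rules, then refreshes the session.
func (s *Session) Touch(now time.Time) error {
	if s.UserID == "" {
		return ErrNoUser
	}
	if now.Sub(s.LastSeen) > IdleTimeout {
		return ErrSessionExpired
	}
	s.LastSeen = now
	return nil
}

// Store keeps PHI only as AES-256-GCM ciphertext and a per-user audit trail.
type Store struct {
	aead    cipher.AEAD
	records map[string][]byte // recordID -> nonce || ciphertext
	Audit   []string          // "time user action recordID", one line per successful access
}

// NewStore takes a 32-byte AES key; a real deployment fetches it from a KMS or HSM, not a file beside the data.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string][]byte{}}, nil
}

// Put encrypts a record at rest under a fresh nonce. The record ID is bound as associated data,
// so ciphertext copied under another ID fails to authenticate when read.
func (st *Store) Put(sess *Session, recordID string, plaintext []byte, now time.Time) error {
	if err := sess.Touch(now); err != nil {
		return err
	}
	nonce := make([]byte, st.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	st.records[recordID] = st.aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	st.Audit = append(st.Audit, fmt.Sprintf("%s %s write %s", now.Format(time.RFC3339), sess.UserID, recordID))
	return nil
}

// Get decrypts a record for an active, identified session and logs the read.
func (st *Store) Get(sess *Session, recordID string, now time.Time) ([]byte, error) {
	if err := sess.Touch(now); err != nil {
		return nil, err
	}
	blob, ok := st.records[recordID]
	ns := st.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, fmt.Errorf("no usable record %q", recordID)
	}
	pt, err := st.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return nil, err // wrong key, tampered bytes, or ciphertext moved between IDs
	}
	st.Audit = append(st.Audit, fmt.Sprintf("%s %s read %s", now.Format(time.RFC3339), sess.UserID, recordID))
	return pt, nil
}

func (st *Store) Ciphertext(recordID string) []byte { return st.records[recordID] } // what is actually at rest
func (st *Store) Relabel(from, to string)           { st.records[to] = st.records[from] } // simulate tampering

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo key only; real keys live in a KMS or HSM
	st, _ := NewStore(key)
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	sess := &Session{UserID: "nurse.jdoe", LastSeen: t0} // constructed user and record
	_ = st.Put(sess, "mrn-1001", []byte("Jane Q. Public, DOB 1980-02-03"), t0.Add(time.Minute))
	fmt.Printf("at rest: %x\n", st.Ciphertext("mrn-1001"))
	_, err := st.Get(sess, "mrn-1001", t0.Add(time.Minute).Add(IdleTimeout+time.Second))
	fmt.Println("read after idle period:", err, st.Audit)
}
```

Two design points worth noticing: the session check runs before any ciphertext is touched, so an expired or anonymous session never gets plaintext and never produces a "read" audit line; and binding the record ID as GCM associated data means an insider who copies one patient's encrypted blob onto another patient's record gets an authentication failure rather than a silent mix-up.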
PHI Notice Posting
If you do not have a website, this regulation does not apply to you. In the modern world, though, it is a safe bet that almost everyone reading this does have one.
HIPAA regulations require covered entities that maintain a website describing their services to post their current Notice of Privacy Practices prominently on that site. There are fines for providers who do not.
For More Information
Do you still have questions about HIPAA? Want to learn more about medical IT support and their role in safeguarding personal health information? Contact us today. We are more than happy to help!
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.