MACRA/HIPAA: Ignorance of the Law Is No Excuse
Many physicians believe HIPAA is a total waste of their time and money. That's because they think it's the federal government trying to force them to do something that they don't need to be doing. But, that's not the intent of the HITECH and OMNIBUS rulings. Much of the compliance that was put into place was because of the implementation of EMR/EHR systems in the healthcare industry. The federal government's Meaningful Use program even paid covered entities to transition from paper to electronic records. This created an entirely new set of cybersecurity issues that would need to be addressed.
Issues introduced by moving to electronic records (EMR/EHR systems):
- Securing the patient records (Protected Health Information) at rest (in databases, spreadsheets, faxes,copies, etc.)
- Securing the patient records during transmission (EMR in the cloud, emailing, faxes, network drives, etc.)
- Insuring the computers and networks had proper physical and cyber security in place.
- Insuring the staff was training to protect the PHI physically and electronically. Including cybersecurity awareness training of cyber threats.
The need for HIPAA is real. It is a well documented fact that the healthcare industry is lagging in the cybersecurity arena. They need to beef up their budgets, personnel, training, software, and hardware to improve the protection of PHI. Currently the U.S. Government says the average physician's office is 14% compliant. Think about that, would you bank at a financial institution if you knew they protected your money 14%? NO, you would find a new bank. Maybe it's time to ask your doctor, are you protecting my PHI? And if not, find a new doctor.
If you're a doctor, executive, manager, or owner of a covered entity and you have not improved your cybersecurity then you need to rethink HIPAA and take immediate action. Remember, Ignorance of the Law Is No Excuse. Don't take my word for it, see how it worked out for a doctor with the courts in this article Doctor Gets Jail Time for HIPAA Violation. You might read the article and think, "Well, I would never do that." That's probably true, but remember, he didn't lose any data, he just looked at it outside the allowed bounds of the law. The OCR is getting stiffer on their penalties. They now expect the covered entity to be responsible and take action to protect the patient's data and identity.
Protect Your Patients. Protect Your Practice. Protect Yourself™.