More and more medical practices are learning the hard way that the requirements of the HIPAA Security Rule must be implemented. The first version of the Security Rule became effective in 2005 and has since been amended. Generally, there are two parts that every medical practice must comply with.
First, a written “risk assessment” must be conducted. This assessment forces you to study the storage and flow of your electronic medical record information. You are required to examine each of the Security Rule’s administrative, technical and physical safeguards. Some of these safeguards are required by the Security Rule and must be implemented. The Security Rule identifies the others as “addressable” and those may be implemented or not (but you should document that you have considered them and the reasons you decided not to implement them).
Second, if your electronic medical record information is breached and you cannot document that there is a low risk of disclosure, you must notify all the affected patients and the U.S. Department of Health and Human Services (“HHS”) and, if more than 500 patients are affected, publish a notice in the local media. “Breach” is broadly defined as a disclosure of information in your medical record that is not permitted by HIPAA.
Breaches are now occurring frequently. When one does and HHS is notified (or a disgruntled affected patient contacts a regulator), HHS frequently requests information from the practice to determine whether the risk assessment was performed and the safeguards were implemented. The medical practices that can show compliance with the Security Rule are in the best position to avoid fines and other sanctions. The opposite is true for those that cannot; they often have to agree to consent orders requiring them to comply and to pay large fines ($100,000 plus is not uncommon).