By Scott Schimpf and Mary Cremeans
Thinking through data
With increasing demands placed on medical offices by patients, providers, payers, and others, it’s understandable that data privacy and security measures may not be top-of-mind issues. But the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not so understanding.

In the first 10 months of 2017, the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) announced nine settlements where affected entities paid more than a combined $17 million. And if you think that small group practices are somehow exempt from the regulations, think again. A pediatric gastroenterologist practice of just six physicians agreed in April to pay $31,000 for disclosing personal health information (PHI) to a business associate (BA) without a BA Agreement (BAA) in place. The entities signed a BAA after an OCR investigation was launched against the vendor, but that was not enough to stave off a settlement. In this instance, the group practice did not face scrutiny until the vendor caught the attention of OCR.

Any entity privy to PHI is covered by HIPAA regulations, which include medical practices and the entities with which a practice exchanges data: insurers, clearinghouses, laboratories, and referral partners, among others.
follow six steps