What is the HIPAA Security Rule and Why is it Important
In the early 1990s, Senator Edward Kennedy and Kansas Senator Nancy Kassebaum had the foresight to recognize the need to protect electronic medical records while information technology was still in its infancy.
After years of public and private sector collaboration, the Kennedy-Kassebaum Bill was signed into law by President Clinton in 1996. It enjoyed unanimous bipartisan support, a virtual unicorn in the legislative arena.
The Health Insurance Portability and Accountability Act, or HIPAA, passed the Senate by a unanimous 98-0 vote. The act laid out the following goals:
- To guarantee that individuals would be able to maintain their health insurance between jobs. This was the “Health Insurance Portability” portion of the Act. It is relatively straightforward and is considered to have been successfully implemented.
- To ensure the security and confidentiality of patient information/data through the "Accountability" portion of the act. In addition, it mandates uniform standards for electronic data transmission of administrative and financial data relating to patient health information.
In 2006, Chip Kahn, then sitting president of the Federation of American Hospitals, said: "It's had a tremendous effect; it assumed a world that we are slowly heading for now." Having passed the 20th anniversary of the bill last August, that seems an amazingly fortuitous statement. Still, Kahn probably would be shocked to learn today how truly accurate his words have become.
Is HIPAA still important?
The bill itself has been amended several times over the past two decades, and today we are focused in part on a related act, the Technology for Economic and Clinical Health Act (the HITECH Act), signed by President Obama in 2009. Among other protective HHS policies, HITECH rocketed the medical records industry into the information technology age by requiring, for the first time, that healthcare organizations upgrade their facilities to store medical records electronically by 2015 or face penalties.
The following are the HITECH requirements:
- To ensure the confidentiality, integrity, and availability of all e-PHI created by medical professionals who receive, maintain, or transmit the data.
- To identify and protect against reasonably anticipated threats to the security or integrity of patient medical records.
- To protect against “reasonably anticipated, impermissible uses or disclosures” of e-PHI.
- HHS requires that all organizations implement both physical and technical safeguards while hosting sensitive patient data, as well as full compliance with confidentiality law by their workforce.
Aesthetic medical records offer their own, unique challenges particularly when it comes to secure image storage and organization. Cultural norms have changed enough that elective surgery doesn’t carry the same taboos it may have a few decades ago, but the privacy of our patients is still one of the most important things that any practice provides.
It leaves us walking a bit of a fine line sometimes: we all know that impressive before-and-after photography can make or break our ability to maintain a healthy practice. In essence, this underlines the importance of patient consent when it comes to these files.
Unfortunately, the rush to display good work has actually led to the occasional breach of HIPAA law, and, intentional or not, these breaches can hurt your clinic’s good name and cause repercussions that last for years.
For many practices, this has led to a sense of trepidation about how to find the best systems for storing and organizing these records. There is tremendous competition in this industry. On one side is the race to provide solid, secure, cloud- and server-farm-based software that offers both strong encryption and ease of use for aesthetic medicine records. For most of the planet, this is a quiet and rather selective race.
The other side of this battle is far from quiet; in fact, it makes national and international headlines every year. Its participants are every bit as smart and dedicated to their pursuit as the first group, and, as with the opposing group, competition is fierce. Ransomware has become a media hot-button, and these breaches of HIPAA security have been responsible not only for HIPAA violations but for the complete freeze of EHR file access overnight. Thriving facilities are forced to grind to a halt, and, what’s even more disturbing, many police departments across the country advise victims to bite the bullet and pay up.
Legal intervention in these cases is typically ineffective, and resources are simply spread too thinly for most cities to take on these cases and restore function to medical organizations within any acceptable time frame. At the national and international government level, these cases have a sad history of ineffective solutions as well.
The importance of having a HIPAA-compliant solution cannot be over-emphasized in our line of work.
Doing your part to make sure that your staff is properly educated in the management of your aesthetic medicine records is just the first step in ensuring patient privacy. Aesthetic medicine records have the kind of media appeal that often leads to these records being leaked for any number of reasons.
Additional precautions that aesthetic medical practices can take:
- Explicitly state in writing why a photo is taken.
- Supply guidelines on how photos (including before-and-after photography and any clinical/medical photography), videos, digital recordings, and other images are used to document care.
- Make every effort to retain rights to all photos and likenesses, and offer patients open access to their photos at any time.
- Use a separate consent form for before-and-after images used for publicity or teaching purposes.
HIPAA today may have evolved into a different entity than the 1996 bill originally laid out, but its impact is still felt globally. We all strive to advance in the overall care and treatment of our aesthetic clients.
As you make your policy decisions, it wouldn't hurt to keep in mind the intuitive words of former Federation of American Hospitals President Chip Kahn:
that HIPAA “assumed a world that we are slowly heading for now." We don't know what new technology or policies are on the horizon, but, like the rest of human history, we can probably assume that they will remain ever-changing.