HIPAA Privacy Rules were written and became effective in 2003. The privacy rules were followed by the HIPAA Security Rules and by the HITECH Act, which brought us the “breach notification” requirements. Now we have the HIPAA Omnibus or Final Rules, which took effect September 23, 2013. This OPA webinar gives a quick overview of the rules and the latest changes.
You need to comply with both the privacy rules and the security rules. This applies to anyone who has handled patient information on an electronic device such as a flash drive, disc, laptop, cell phone or computer. In other words, most of us will need to follow the HIPAA procedures unless you have always and only kept paper records and you plan to retire in the next year or two. If you are starting from scratch, I recommend the APA products found at apapracticecentral.org. For a fee, they provide separate privacy and security electronic versions of notebooks that you can personalize for your practice. Alternatives are to hire an attorney or to work with colleagues who will assist you.
For a good understanding of the security rule click here.
Part of your HIPAA privacy and security procedures should include evaluating what type of encryption you need for your hard drive, software, storage discs or flash drives and email.
The APA Practice Organization recommends encrypting as much of your email as you can. The HIPAA Security Rule recommends this but does not require it; however, you could be penalized if emails go to the wrong patient or include protected health information. Notifying the patient and obtaining their consent, acknowledging that they understand email is not secure, might help, but it is not true protection from having to give a “breach notification” if information gets out inappropriately. The security rule recommends that you double-check the address of an email recipient and that you limit the amount and type of information the email includes.
For general information about encryption, visit this link.
This website leads you to the information from HHS about storing and destroying data. However, the information in the links is technical and very complicated; it is intended for technical vendors. If a reputable vendor claims that they meet government encryption standards, you could ask for written confirmation of that in your business associate contract with them.
This resource from the Office of Civil Rights discusses more about the Privacy Rule. Question three may be most applicable to emails. It also states that it is okay to receive patient-initiated email, but the patient should be reminded that it may not be secure and be given the option to stop using email.
This resource provides more information about security rule compliance for the small provider.