It is becoming increasingly common for healthcare providers and affiliated entities to store protected health information in electronic form. As the healthcare sector becomes more mobile and efficient, the potential for data security risk increases. For this reason, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) is designed to protect this information.
At O’Connell and Aronowitz, our experienced health law attorneys work with providers and covered entities to develop procedures that ensure compliance with the HIPAA Security Rule. We also assist health-related businesses that have been victims of data breaches.
Electronic Protected Health Information (e-PHI)
The Security Rule is designed to enhance the protection of health information that is covered under the HIPAA Privacy Rule. In particular, information that a covered entity creates, receives, maintains or transmits in electronic form is protected under the Security Rule and is deemed to be “electronic protected health information.” The rule applies to health plans, health care clearinghouses, and any healthcare provider that transmits health information in electronic form (collectively, “covered entities”).
The Security Rule requires covered entities to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of all e-PHI. This information cannot be made available to unauthorized persons, nor be altered or destroyed in an unauthorized manner; it must be accessible and usable on demand by an authorized person.
In order to achieve these objectives, covered entities must undertake a Security Risk Analysis to identify potential data security threats, take steps to protect against them, and prevent anticipated, impermissible disclosure or use of e-PHI. As with the Privacy Rule, the Security Rule also requires appointing a security officer who is responsible for developing and implementing written policies and procedures. Lastly, covered entities must establish a compliance training program for their employees.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery Act of 2009. The law is designed to promote technology and encourage healthcare providers to store patient files electronically. The law essentially expands the responsibilities of healthcare providers and affiliated businesses under the HIPAA Privacy and Security Rules. Lastly, the Recovery Act offers incentives to healthcare providers to transfer their information into electronic form, but also requires periodic audits and has penalties for noncompliance.
Data Breach and Security Compliance at O’Connell and Aronowitz
At O’Connell and Aronowitz, we work closely with healthcare providers and other covered entities to ensure they are compliant with the Security Rule under HIPAA and the HITECH Act. We advise security officers on how to prepare written policies, develop oversight capabilities and work with clients to implement security risk analyses and prepare for audits. While electronically storing patient information is designed to improve efficiency and enhance the delivery of healthcare, implementing safeguards to minimize the risk of data breaches requires the advice of our experienced health law attorneys.