In the healthcare industry, keeping patient information safe is an ongoing challenge, particularly in the digital age, when data can be compromised through insecure networks and data breaches.

Six months ago, the HIPAA Omnibus rule was passed and put into effect to provide additional protection for patient information. While it is imperative to keep patient and client information confidential and protected, failing to comply with the latest standards can also result in penalties from the Office of Civil Rights.

A recent AE Tech Group report outlines five checkpoints for ensuring your establishment is HIPAA compliant:

Business associate accountability

According to the report, any company that sends or regularly accesses patient data is a business associate. Each associate is responsible for protecting the data they are entrusted with, which creates a sizeable liability for employees and employers alike. In order to protect yourself as an employer, make sure you have each employee sign a Business Associate Agreement that clearly outlines their responsibilities.

Patient access

The omnibus states that patients must have access to their medical records in whichever electronic format they prefer, even if the patient’s requested format creates a security risk. Hospitals and providers are only obligated to let the patient know about the increased risk, according to AE Tech Group.

Marketing partners

Providers cannot partner with a third-party service for marketing purposes unless they first receive information from each patient. In addition, if the third party needs access to patient data, the patient must give permission before it is able to access any records. Marketing agreements that were already in place before the Omnibus rule have until September 23, 2014 to obtain permission.

Protected data for the deceased

After a patient passes away, the only people to whom providers can release healthcare information are the person's family members, close friends or anyone the patient indicated was involved in their care. Once a patient has been deceased for more than 50 years, his or her data is no longer protected.

The role of a risk analysis

The most effective way to measure compliance is to perform a regular risk analysis. If a data breach were to occur, the Office of Civil Rights would want to see evidence that the company had performed a risk analysis, according to the report.
