The healthcare industry is continuously evolving, and health information technology (HIT) is changing with it. Organizations should take advantage of the technology available to improve healthcare operations but must be aware of the risks that HIT can present.
Q: I work in long-term care and I am familiar with the language in HIPAA regulations regarding requests for electronic copies of medical records for a reasonable fee according to community standards. However, my company does not maintain its medical records in electronic form, nor do we presently have the capability of converting our paper records into electronic format. Our state legislature addressed the issue of "reasonable charges and community standards" by state statute in 2006 by providing a formula for every medical provider to follow state-wide for copy charges regarding paper copies.
Even organizations with sound policies, procedures, training, and safeguards can experience a breach. When?not if?a breach occurs, traditional insurance may not be enough to cover the damages. Ensuring that your organization has adopted the appropriate cyber insurance can be valuable in the event of a breach.
There are many misconceptions about HIPAA throughout the healthcare industry. In particular, business associates (BA) who provide cloud services to covered entities (CE) often have the misconception that they do not need to be concerned with HIPAA if they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). BAs with this school of thought should be prepared to get their checkbooks out when the Office for Civil Rights (OCR) comes calling.
