News & Analysis

November 1, 2014
HIM Briefings

Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse.

November 1, 2014
Briefings on HIPAA

Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws. In some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.

November 1, 2014
HIM Briefings

Although numerous privacy and security laws apply to healthcare entities, HIPAA rules and requirements tend to receive the most emphasis and generate the most angst. The terms HIPAA-compliant vendor, HIPAA cop, and HIPAA disciplinary action are anathema to experienced and serious privacy and information security professionals. HIPAA, as has been noted, represents the floor of requirements intended to protect the privacy and security of patient information. More stringent privacy requirements existed at the state and national levels for several years before the HIPAA Privacy Rule was implemented (e.g., state medical records laws and requirements). Notably, many organizations implement policies and procedures that are more stringent than those required by HIPAA. Some of this is due to misinformation or misunderstanding of the HIPAA rules.

October 1, 2014
Briefings on HIPAA

In the wake of several large breaches, OCR is ready to ramp up its oversight of HIPAA compliance as it embarks upon Phase 2 of its HIPAA privacy, security, and breach notification audits. OCR began preparing for this round of audits around the same time that news broke of the second-largest HIPAA breach in the U.S., a hacking incident that affected 4.5 million patients treated at or referred to Tennessee-based Community Health Systems, Inc.

October 1, 2014
Briefings on HIPAA

1. Phase 2 of OCR's HIPAA audits will be desk audits, which means OCR will not conduct on-site audits of covered entities (CE) and business associates (BA) unless resources are available.

October 1, 2014
Briefings on HIPAA

A mobile workforce in the healthcare industry presents a unique set of HIPAA privacy and security challenges. As the number of large HIPAA breaches increases and OCR ramps up audits, organizations cannot afford to risk their bottom line and reputation by failing to protect patient privacy and security.
