Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse.
Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws. In some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.
Although numerous privacy and security laws apply to healthcare entities, HIPAA rules and requirements tend to receive the most emphasis?and generate the most angst. The terms HIPAA-compliant vendor, HIPAA cop, and HIPAA disciplinary action are anathema to experienced and serious privacy and information security professionals. HIPAA, as has been noted, represents the floor of requirements intended to protect the privacy and security of patient information. More stringent privacy requirements have existed at the state and national levels for several years before the HIPAA Privacy Rule was implemented (e.g., state medical records laws and requirements). Notably, many organizations implement policies and procedures that are more stringent than that required by HIPAA. Some of this is due to misinformation or misunderstanding of the HIPAA rules.
Small- to medium-size clinics often operate under the assumption that their outsourced IT shop or managed services provider (MSP) is providing a robust security solution, but this is not always the case. MSPs aren't necessarily falling down on the job, though; remember that just because something is outsourced doesn't mean the vendor will manage all of the risk. In the end, if you want additional services from your MSP, it costs money. RapidFire Tools® offers a solution MSPs can use to address risks that many small- to medium-size clinics may falsely assume are already managed.
