HIPAA 2009 Security Quiz

Here is a brief HIPAA Security Rule Quiz for 2009. True or false:


1.    The HIPAA Security Rule has not been updated since it went into effect in 2005.
2.    Since ASCs don’t generally qualify for ARRA/HITECH stimulus funds, because they are intended for hospitals and medical practices, the new HIPAA Security Rule updates do not apply.
3.    Since ASCs frequently do not have or use electronic medical record (EMR) systems, the new HIPAA Security Rule updates do not apply.
4.    If you don’t apply for or accept any ARRA/HITECH stimulus funds, you don’t need to do anything to update your HIPAA Security Rule compliance.
5.    If you are compliant with HIPAA Privacy, that extends to HIPAA Security.
6.    Business associate agreements covering HIPAA Security do not need to be revised.

How did you do? If you answered a resounding “false” to all six questions, and if you have taken steps consistent with those answers, then you are ahead of the pack.

The ARRA/HITECH stimulus package approved in Feb. 2009 was intended to increase the adoption of EMR systems. As part of that legislation, there are significant updates to the HIPAA Security Rule. All covered entities — and this includes ASCs, imaging centers, physician-office surgery suites and specialty hospitals — are required to comply. Some of the more important updates include the following:

•    Civil penalties are significantly increased. Before HITECH, the maximum civil penalty was $25,000 per calendar year for violations of an identical provision; the new tiered penalties reach $1.5 million per calendar year for violations of an identical provision.
•    If you have a breach of unsecured electronic patient data, you must notify each affected individual in writing, by first-class mail (or by e-mail, if the individual has agreed to electronic notice), without unreasonable delay and no later than 60 days after the breach is discovered. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area and to HHS.
•    Patients and other “whistle-blowers” may have a stake in the fines: HITECH directs HHS to establish a method by which individuals harmed by a violation can receive a share of the civil penalties collected. There is therefore a financial incentive for them to report suspected breaches.
•    Business associates are now directly subject to the Security Rule, and BA agreements must be rewritten to cover the new requirements, including the business associate’s duty to report breaches to you. Executing new BA agreements does not transfer the risk: your facility remains responsible for the patient notifications that follow a breach at a business associate, and for acting on any known noncompliance by the business associate.

Note that these updates are not connected in any way to stimulus funds or EMR systems. In other words, the new rules apply regardless of whether your facility is using an EMR and regardless of whether you are seeking stimulus funds.

Also note that HIPAA Privacy compliance does not satisfy the HIPAA Security Rule. The Privacy Rule governs uses and disclosures of protected health information in any form, paper or electronic, and is largely a matter of policies, forms and procedures. The Security Rule applies specifically to electronic protected health information, and requires administrative, physical and technical safeguards for every system that creates, receives, stores or transmits it. This includes laptops, desktops, servers, storage systems, USB drives, CD/DVD-ROMs, smart phones, PDAs, voicemail systems, and the many fax machines and scanners that hold document images in internal memory.

On almost a weekly basis there is a new and alarming report of a data breach, many times involving electronic health records. You do not want your facility to end up in the news, at least not for that reason.

Marion K. Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
