Many mental health practitioners have disregarded much of HIPAA and HITECH because enforcement has been lax to date. However, on 12/14/12, the chief enforcer of HIPAA, Leon Rodriguez, director of the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), reported that his organization is transitioning from an investigative culture to a culture of assertive enforcement.
While OCR states that the agency is committed to “doing enforcement in a balanced way that is coupled with education while still remaining sensitive to business realities,” punitive measures, such as monetary settlements, will become increasingly common in 2013.
A key factor driving greater enforcement is the shift to electronic health records and health information exchange systems. The essential foundation of these systems is patients’ trust in the security of their health records.
Unfortunately, risk assessment and management often present formidable challenges for small mental health practices. It helps to keep in mind that the most serious security threats are theft, loss and unauthorized disclosure. Theft and loss are physical events (a laptop taken from a car, a phone left in a waiting room), and unauthorized disclosure is usually a people-and-process failure, so it is crucial for practices to take physical and administrative safeguards as seriously as technological ones. Maintaining good security requires a holistic approach that regularly reassesses vulnerabilities in people, processes and technology.
Understanding one’s obligations is itself part of that assessment. It surprises many practicing professionals to learn that they may already be a “covered entity” because of past actions, such as having transmitted health information electronically in connection with billing or insurance claims. At this point, it is wisest to assume that one is a covered entity and act accordingly. Training is the best way to fully understand the requirements. For instance, text messaging with clients must be conducted with the privacy and security precautions dictated by both state and federal (HIPAA and HITECH) law.
As we reported last June in our article “Why Worry about HIPAA?”, the Justice Department is enforcing HIPAA through the enforcement tools put into place by the 2009 HITECH Act, which clarified that criminal penalties apply to individuals and not only to covered entities.
According to HHS statistics reported in that article, the entities most commonly required to take corrective action for compliance have been (in order of frequency):
- Private Practices
- General Hospitals
- Outpatient Facilities
- Health Plans (group health plans and health insurance issuers)
What are Some Key Solutions for Practitioners?
You may need to demonstrate that the technology platforms you use are HIPAA compliant. The simplest documentation of this is a signed Business Associate Agreement (BAA) from every vendor that creates, receives, stores or transmits protected health information on your behalf, such as an email, practice-management, billing or videoconferencing provider. Other requirements are too involved to detail here, but they include educating staff about their HIPAA duties, ensuring their compliance, and keeping records of that training. HIPAA also requires that a practice have a written breach notification policy and procedures in place, and that its notice of privacy practices be made available to patients and the public.
What about Using Mobile Devices?
HHS has also recently launched a campaign to help practitioners be more aware of privacy and security issues with mobile devices. The steps it recommends are: “Decide, assess, identify, develop and train.” In practice this means deciding whether mobile devices will be used to access, receive, transmit or store patient health information at all; assessing how those devices affect the practice’s risks; identifying a risk management strategy, including safeguards such as passwords, encryption and remote wipe; developing and documenting mobile device policies and procedures; and training staff on them.