When Congress first passed the Health Insurance Portability and Accountability Act (HIPAA) some twenty years ago, the vast majority of doctors and healthcare practitioners stored patient information using paper documents. While some doctors continue to use paper documents for this purpose, most have since made the transition to digital forms of media.
It's easier and more convenient to store patient information in a digital database than in paper files. With paper files, the practitioner – or one of his or her employees – must rummage through large file cabinets to find a specific patient's file. This, of course, takes time and energy, both of which are rare commodities in the world of healthcare practice. Opting to use a digital database to store patient information, however, allows practitioners and their employees to find specific files in the blink of an eye. They can simply search for the patient's name, after which the system pulls up all of the patient's associated files.
But anytime personally identifiable health information is stored in a database, certain precautions must be taken to minimize the risk of unauthorized use or access. Data breaches have become a serious problem in the healthcare industry, with providers big and small reporting breaches. Depending on the nature and circumstances, such breaches can yield hefty fines for the doctor or healthcare practice responsible. The Office for Civil Rights (OCR) conducts annual audits of covered entities to ensure compliance with HIPAA. So if you're a covered entity that stores personally identifiable information in a digital database, you should familiarize yourself with some basic compliance tips.
As you may already know, HIPAA consists of several “Rules” that doctors and other covered entities must follow, one of which is the Security Rule. Unlike the Privacy Rule, the Security Rule pertains strictly to Electronic Protected Health Information (EPHI). Generally speaking, the Security Rule requires covered entities to implement physical, technical and administrative safeguards to protect EPHI from unauthorized use and disclosure.
Of course, some covered entities may outsource their database management to a third party, which is perfectly acceptable provided a Business Associate Agreement (BAA) is in place. When choosing a third-party database management company, make sure it is HIPAA compliant, and before sending any EPHI its way, have it sign a BAA. Failing to use a BAA in this instance could come back to hurt you, as the OCR requires one whenever a third party has access to a covered entity's PHI or EPHI.