News 

Safeguarding Your Electronically Stored Medical Information

Employers should take note of a recent HIPAA settlement that underscores the importance of safeguarding electronically stored “protected health information.”  On July 16, 2008, the U.S. Department of Health and Human Services (HHS) entered into a settlement with Seattle-based Providence Health & Services (a not-for-profit health care system), following an investigation by HHS into the theft of optical disks and backup tapes that were left overnight in the personal vehicle of a Providence employee.  HHS also investigated four separate thefts of laptop computers left unattended by Providence employees.  The medical data on the tapes, disks, and laptops – which included information on more than 386,000 patients – had not been encrypted. 

Under the settlement agreement, Providence agreed to pay $100,000 to HHS and to implement a stringent corrective action plan that required Providence to:  (1) revise and update its policies regarding the physical and technical safeguarding of electronically stored health information; (2) provide mandatory workforce training on the new safeguards; (3) monitor compliance through unannounced visits to its facilities and workforce interviews; and (4) submit detailed compliance reports to HHS for three years.  By settling with HHS, Providence avoided potentially costly civil penalties under HIPAA’s Privacy and Security Rules.

Organizations that create, receive, maintain, or transmit electronically stored health information should have adequate security measures in place to minimize the risk that information will be intercepted and disclosed in violation of HIPAA.  For portable devices and removable media, the relevant safeguard is encryption of the stored data itself (for example, full-disk encryption on laptops and encrypted backup tapes and disks, with the keys kept separately from the media).  Password protection alone is not enough: a login password on an unencrypted laptop does not prevent the disk from being removed and read once the device is stolen, which is exactly the exposure in the Providence incident.

On a related point, if your organization is served with a subpoena requesting documents that contain protected health information under HIPAA, there are specific rules you must follow when responding to the subpoena.  The rules vary depending upon whether your organization is a party to the underlying litigation and whether the subpoena was issued with or without a court order.  If your organization is not a party, and the subpoena was issued without a court order, the subpoena must include a written statement providing “satisfactory assurances” that the requesting party is complying with HIPAA.  Those assurances are either that the person whose medical information is at issue has been notified and given an opportunity to object, or that a qualified protective order has been sought or obtained if that person was not notified.  HIPAA does not permit disclosure of documents with private health information unless the subpoena includes this written “satisfactory assurances” statement.

William B. Forrest III

© 2007 Kienbaum Opperwall Hardy & Pelton, P.L.C. - All Rights Reserved