Security has become the watchword on everyone’s lips of late. We take our own and our families’ security very seriously, as well as the privacy of our credit records and identity information. Often we overlook the security of our medical records and healthcare information. HIPAA (The Health Insurance Portability and Accountability Act of 1996) creates a standard for the security and protection of personal health information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA creates a standard for the security and protection of personal health information. Most healthcare providers, from your physician to your pharmacist, had until April 20, 2005, to become HIPAA compliant (some smaller organizations have until April 2006 to comply). Healthcare insurance companies, HMOs, employer group health plans, as well as government programs such as Medicare and Medicaid are also subject to HIPAA compliance rules. In general, the rules apply equally across public and private institutions.
The Security And Accessibility Of Your Healthcare Information
Until HIPAA, there were no federal regulations governing the distribution of health information, and you did not have to be notified when your information was given to someone other than your healthcare provider. Often the reasons the information was released had nothing to do with your healthcare or medical treatment. Financial institutions, employers, and law offices regularly had open access to your health information and made decisions based on what your records contained.
Just like your credit report, your medical record could easily contain mistakes and omissions. A prescribed medication left off a medical record could easily mean the difference between life and death if a healthcare provider was not aware that the patient was taking the medication. HIPAA drives the accuracy and completeness of a patient’s medical record to guard against just such an occurrence.
Until recently, most healthcare information was locked in a filing cabinet. Today the majority of your health information is saved in an electronic format. HIPAA addresses the electronic aspects of data integrity and security. Healthcare information must be secured by various means, including passwords that change periodically, encryption for electronic data transmitted or carried offsite, and physical safeguards such as locked doors and access control to data systems. Healthcare data must be accessed only by authorized individuals, who have access only to the data relevant to their job function. The front desk registration staff, for instance, should not have access to diagnosis information on a given patient. That job function, or role, generally requires demographic information for registering the patient for the office visit. The billing staff, however, will need detailed diagnosis information to generate appropriate invoices for services rendered during the office visit. Each role in an organization is limited to the information necessary to that job function.
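The role-based restriction described above can be enforced at the field level. The following is an added example, not taken from HIPAA or from any particular records system; the role names, field names, category tags and sample record are all constructed, and granting billing staff demographic data in addition to diagnoses is an assumption.

```python
# Added illustration: role names, field names and the sample record are constructed.
from dataclasses import dataclass

# Each record field is tagged with a data category. A field missing from this
# map is unclassified and is withheld from every role (fail closed).
FIELD_CATEGORY = {
    "name": "demographic",
    "date_of_birth": "demographic",
    "insurance_id": "demographic",
    "diagnoses": "diagnosis",
}

# Categories each role may read. Front desk sees demographics only; billing
# also sees diagnoses (billing's demographic grant is an assumption).
ROLE_GRANTS = {
    "front_desk": frozenset({"demographic"}),
    "billing": frozenset({"demographic", "diagnosis"}),
}

@dataclass(frozen=True)
class AccessResult:
    visible: dict    # fields the role may see
    withheld: tuple  # names of fields removed, suitable for an audit log

def view_record(role: str, record: dict) -> AccessResult:
    """Return only the fields of `record` that `role` is entitled to read."""
    grants = ROLE_GRANTS.get(role)
    if grants is None:  # unknown or misspelled role: deny rather than guess
        raise PermissionError(f"no access policy for role {role!r}")
    visible, withheld = {}, []
    for name, value in record.items():
        if FIELD_CATEGORY.get(name) in grants:
            visible[name] = value
        else:
            withheld.append(name)
    return AccessResult(visible, tuple(sorted(withheld)))

# Constructed sample record, including one field nobody classified.
SAMPLE = {
    "name": "Pat Example",
    "date_of_birth": "1970-01-01",
    "insurance_id": "PLACEHOLDER-123",
    "diagnoses": ["constructed diagnosis entry"],
    "clinician_notes": "unclassified free text",
}

if __name__ == "__main__":
    for role in ("front_desk", "billing"):
        print(role, view_record(role, SAMPLE))
```

Because the filter is an allow-list, a new field added to the record stays hidden from every role until someone classifies it.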