Getting into Compliance: The HIPAA Security Rule

by APApractice.org Staff

Do you use password protection to control access to patient data on computers in your practice? Before you donate or dispose of a computer, have you used appropriate software to remove all confidential records from the machine?

These are just a couple of the questions that practitioners nationwide are facing as they consider whether they are in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The deadline for Security Rule compliance was April 20, 2005 and psychologists should evaluate whether they are in compliance as quickly as possible.

Practitioners are also urged to be wary of potentially fraudulent offers related to HIPAA. The Practice Organization has been alerted by the Office of the Texas Attorney General to a case of potential fraud regarding HIPAA compliance.

An organization describing itself as “The Office for HIPPA [sic] Compliance” is sending invoices for a HIPAA “Compliance Report” in the amount of $19.99 and attempting to obtain payment for the report from health care professionals [note that HIPAA was misspelled “HIPPA” in the invoice]. This issue is being investigated by Medicaid Fraud Control Units in Texas and Illinois.

There is no federal or state requirement that health care professionals need to pay for, or even be in possession of, a document known as a HIPAA compliance report.

The Security Rule is the latest rule requiring health care provider compliance under HIPAA, the federal law designed to protect the privacy and secure the storage of personally-identifiable health-related information. This rule requires practitioners to safeguard protected health information that is transmitted or stored in electronic form, which may include patient notes, e-mail with or about patients, and insurance or financial records with identifying patient information. The Security Rule outlines the steps a psychologist must take to protect confidential information from unintended disclosure through breaches of security.

In order to comply with the Security Rule, practitioners must conduct an assessment of potential security risks related to electronic protected health information in their practice. They must review their practice’s established security policies and procedures and modify or enhance them as needed to bring the practice into compliance with the rule. For example, compliance may involve establishing password protection for confidential data, installing virus protection on the computers and removing confidential data from computers before disposing of them.