If you work in the medical industry, you have heard of the Health Insurance Portability and Accountability Act (HIPAA), and you know that the Department of Health and Human Services (HHS) issued the act and that, within HHS, the Office for Civil Rights (OCR) enforces it. The OCR audits Covered Entities (CEs), either proactively before an incident or reactively after one, to verify HIPAA compliance. The OCR has the right to fine a Covered Entity that is out of compliance.
When an OCR auditor comes to the Covered Entity, the first thing they will ask is to speak with the HIPAA Privacy Officer. The Privacy Officer then shoulders the responsibility of working with the OCR auditor to provide all of the information HIPAA requires.
HIPAA outlines five specific requirements for which a HIPAA Privacy Officer is responsible.
The HIPAA Privacy Officer role requires an overall understanding of the business mission and vision in relation to the protection of patient records. HIPAA is very specific about protecting patient records. On the other hand, it is very flexible in allowing the Covered Entity to define how that will be done. A Privacy Officer is a requirement for HIPAA compliance, and together with the organization's business executives the Privacy Officer outlines the Covered Entity's plan for protecting patient data.
The following is a list of responsibilities of a HIPAA Privacy Officer (but not limited to these).
This is a bare minimum list of responsibilities that meets the legal requirement. Since the 1990s, hospitals and clinics have faced many new problems. The assumption is that HIPAA compliance covers all needs and ensures success. The reality is that hospitals, clinics, insurance agencies and other Covered Entities are expected to define and redefine what HIPAA compliance means. When there is a breach, it is obvious that there was a problem. Waiting until it is obvious is the most expensive way to solve the problem.
What We Recommend
What we recommend originates from the HIPAA requirement that the Covered Entity's policies be regularly audited and reviewed by management. In addition to the basic requirements of the law, an organization should be looking past the minimum. With the constant improvement in the tools available to attackers, the bare minimum is not enough. There is a hacker's saying (said with laughter), from the hacker's point of view:
“There are two types of organizations: Those that know they’ve been hacked and those that don’t know yet that they’ve been hacked.” - Hackers laughing.
Clinic hacking is happening today. Read these stories about Clinical Hacks in 2017.
Your patient files are worth millions of dollars. Learn about the value of digital medical records in the dark web. This is an ongoing problem.
Consider also that 75% of hacking is done internally by employees and contractors. We encourage every clinic to develop a HIPAA compliance plan, starting with assigning or hiring a HIPAA Privacy Officer.