Here at Sherpa, we’re frequently contacted by organizations looking to learn more about complying with federal regulations, such as HIPAA or Sarbanes-Oxley.
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to ensure the protection of patient privacy. It also gives patients the right to access their medical records, and it prevents (in most circumstances) healthcare providers from sharing sensitive patient information without the patient’s permission. For example, while doctors may share some information with each other in order to provide improved care, insurance companies cannot share patient medical records with the patient’s employer. Patients also have the right to amend any medical record that they feel contains erroneous information. Furthermore, patients can specify how they may be contacted, including whether a doctor can leave a message on a telephone answering machine, and they can name individuals and organizations that are to be denied access to their personal information.
Under HIPAA, both physicians and insurance providers are required to ensure the security and confidentiality of all patient medical data; this applies to physical security as well as to the establishment of procedures and safeguards that define who has access to medical data. The law applies not only to paper documents, but to electronically stored information as well. From a broader information governance perspective, it also means establishing an awareness of what HIPAA-regulated information exists in your environment, and where, in order to properly assess risk and potential legal exposure. This can entail protecting data with passwords and tracking which personnel have access to patient health files. It also means monitoring what data leaves the organization, not only in paper form, but as text within email or attached files. Data stored “in the cloud” (including cloud-based email systems, such as Microsoft 365) are subject to regulation and compliance as well.
HIPAA provides needed and (seemingly) obvious protection to the healthcare consumer, but for the individuals and organizations that provide healthcare, it necessitates an increased level of accountability in managing and protecting information.
While some industries are not as heavily regulated by laws such as HIPAA, maintaining adequate information governance is a sound business practice for any type of organization.