Header graphic for print
HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Countdown to 2013 and the HITECH “Mega Rule”: Ten New Year’s Resolutions to Protect Health Information

Posted in Privacy & Security

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10.       I will ask for a copy of my employer’s HIPAA Policies and Procedures.

 

9.         I will read them.

 

8.         I will compare what they say with what I do with PHI and will identify and correct discrepancies.

 

7.         I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

 

6.         If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

 

5.         I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

 

4.         I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

 

3.         I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

 

2.         I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

 

1.         Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

 

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.