The new rules do the following:
- Clarify when breaches must be reported to HHS’ Office for Civil Rights;
- Establish new standards for the use of patient-identifiable information for fundraising and marketing;
- Expand liability to “business associates” of hospitals and other “HIPAA-covered entities,” such as data miners and health IT service providers; and
- Raise the maximum penalty for noncompliance to $1.5 million per violation.
Under the old system, breaches were reportable only if there was a “significant risk of harm” to the patients from the privacy breach. Under the newly updated HIPAA rules, to avoid the onerous reporting requirements, data handlers will need to show that there is a low probability that the information was actually compromised. Precautions that put a data handler in a position to show that include the following:
- Keep all healthcare patient data encrypted (easy to do these days); and/or
- Install kill-switch software on data carrying devices so, if lost or stolen, the device can be remotely killed; and/or
- Install GPS locator software functionality on data carrying devices… for the obvious reasons; and/or
- Do not keep patient info in public places (less relevant to my tech company clients, but still common sense); and/or
- Be sure to employ a hierarchy of user permissions so that only employees (e.g., programmers) who absolutely must have access to patient data get that access… your sales team, non-essential interns, marketing team, etc., should not have access.
The above points are more or less no-brainers. The main thing to keep in mind is that, under the new rules, if your technology in any way touches the protected health information (as defined in the rule), then the above precautions should be taken.
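As an added illustration of the last precaution (a permission hierarchy that keeps PHI away from sales, marketing and interns), here is a small deny-by-default, role-based access check in Python. It is example code written for this page, not code from the original post; the role names, the `ROLE_PARENTS`/`ROLE_PERMISSIONS` tables and the `PhiGateway` class are constructed for the example, and the audit-log entries it records are likewise made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role hierarchy (constructed for this example): each role lists the roles it
# inherits from. Roles that do not need PHI inherit nothing and are listed so
# that an unknown role is distinguishable from a known role with no PHI rights.
ROLE_PARENTS = {
    "intern": [],
    "sales": [],
    "marketing": [],
    "programmer": [],
    "phi_engineer": ["programmer"],      # the few programmers whose work needs PHI
    "compliance_officer": [],
}

# Permissions granted directly to a role. Anything not listed is denied, so the
# default for every role is "no PHI".
ROLE_PERMISSIONS = {
    "programmer": {"read:deidentified"},
    "phi_engineer": {"read:phi"},
    "compliance_officer": {"read:phi", "read:audit_log"},
}


def effective_permissions(role):
    """Permissions of a role plus everything inherited through ROLE_PARENTS."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        stack.extend(ROLE_PARENTS.get(current, []))
    return perms


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class PhiGateway:
    """Single choke point in front of PHI: every request is decided and logged."""
    audit_log: list = field(default_factory=list)

    def check(self, user, role, action):
        if role not in ROLE_PARENTS:
            decision = AccessDecision(False, f"unknown role {role!r}")
        elif action in effective_permissions(role):
            decision = AccessDecision(True, f"{role} holds {action}")
        else:
            decision = AccessDecision(False, f"{role} lacks {action}")
        # Record both allowed and denied attempts; denials are what a
        # reviewer looks for when checking that the hierarchy is enforced.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "allowed": decision.allowed,
        })
        return decision


def denied_attempts(gateway):
    """Entries from the audit log where PHI access was refused."""
    return [e for e in gateway.audit_log if not e["allowed"]]


if __name__ == "__main__":
    gw = PhiGateway()
    for user, role, action in [
        ("alice", "phi_engineer", "read:phi"),
        ("bob", "sales", "read:phi"),
        ("carol", "programmer", "read:phi"),
        ("carol", "programmer", "read:deidentified"),
        ("dave", "contractor", "read:phi"),      # role never defined -> denied
    ]:
        d = gw.check(user, role, action)
        print(f"{user:6} {role:18} {action:18} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print(f"{len(denied_attempts(gw))} denied attempts logged")
```

The design choice worth copying is that the permission table only ever adds rights: a role absent from `ROLE_PERMISSIONS`, or an action absent from a role's set, is denied without any special-casing, and a role that is not in the hierarchy at all is refused before its permissions are even looked up.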