HIPAA was first introduced in 1996. In its original form, the law helped ensure that workers kept their health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data and prevent healthcare fraud, although it took several years for the rules to be written. The Office for Civil Rights (OCR) occasionally conducts HIPAA compliance audits; in one recent round, for example, OCR audited 166 healthcare providers and 41 business associates. The purpose of these audits is to verify HIPAA compliance. The HIPAA Breach Notification Rule sets the national standard to be followed when a data breach has compromised a patient's records. The rule also addresses two other categories of violation: minor violations and significant violations.
In addition to civil penalties, individuals and organizations can be held criminally liable if they knowingly obtain or disclose PHI, do so under false pretenses, or do so with the intent to use it for commercial or malicious purposes. Criminal HIPAA offenses fall under the jurisdiction of the U.S. Department of Justice and can result in up to 10 years in prison in addition to fines. 3.1 Access Control: Each component of the Program ensures that security controls are in place to protect the integrity and confidentiality of ePHI on computer systems, including applications, databases, workstations, servers and network devices, using the procedures associated with the University's Information Security Policy. [Addresses HIPAA Section 164.312(a)(1).] HIPAA training is therefore an essential part of compliance. Appropriate training ensures that all staff are up to date on what is needed to maintain the confidentiality and security of patient information. Scope: This policy sets out Georgetown University's compliance framework for the HIPAA Security Rule. This policy is limited to the final HIPAA Security Rule. Other aspects of the law, including the privacy rules and the rules on research involving human subjects, are covered by other University policies. Guidelines for research involving human subjects can be found on the University's IRB website, and privacy and computer security policies and guidelines can be found on the University's policies, procedures and manuals website.
Paper faxes, person-to-person telephone calls, videoconferences and voice messages are not covered by the rule. All employees must have "reasonable" access to ePHI, meaning that unauthorized persons do not have access to the information. Three "addressable" specifications apply to workforce security. First, covered entities should establish procedures for the authorization or supervision of workforce members at locations where they can access ePHI. Second, they must implement procedures to determine whether the access assigned to a particular workforce member is appropriate. Third, covered entities must put in place procedures to terminate access to ePHI when a workforce member leaves employment or no longer needs the access. Members of the academic community are required to comply with Georgetown University's Acceptable Use of Computer Systems Policy, Guidelines for Systems and Network Administrators, the University's Information Security Policy, and other applicable policies to ensure the security and integrity of information systems and ePHI. 1.2 Risk Management: All covered components will take measures to reduce IT risks and vulnerabilities, including identifying and documenting potential risks and vulnerabilities that could affect systems managing ePHI, and conducting annual technical security assessments of the systems that manage ePHI to identify and remediate any vulnerabilities found. [Addresses HIPAA Section 164.308(a)(1).] The Security Rule includes three addressable specifications for implementing security awareness and training.