by Michael Arrigo
In my experience serving as a HIPAA Expert Witness on HIPAA Privacy and Security, advising clients in HIPAA breach litigation cases, one of the most important and challenging mandates for providers is to enforce policies and procedures across multiple technology platforms, devices, and a geographically distributed workforce. Recent HIPAA breaches I have seen were not caused by a certified EHR, but instead by non-secure connected servers, mobile devices, and poorly trained people.
The HIPAA Privacy Rule provides that a covered entity must have appropriate administrative, physical, and technical safeguards to protect the privacy of protected health information. The HIPAA Security Rule provides that a covered entity must ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits by complying with various administrative, physical, and technical safeguards.
HIPAA Privacy and HIPAA Security are also important components of OIG Audits of Meaningful Use of Electronic Health Record attestations, as opposed to CMS Meaningful Use audits that focus more on the entire attestation by eligible hospitals (EH) and eligible providers (EPs) or physicians.