For many years, medical practices that are HIPAA covered entities have worked long and hard to comply with privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Privacy Rule (April 2003) spells out requirements and safeguards for protected health information and defines patient rights with respect to that information, including rules and limits on who can access that data. The Security Rule (April 2004) addresses administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act (effective Feb. 2009), among other things, imposes heightened penalties for HIPAA violations and requires covered entities to notify patients of certain breaches of protected health information.
HIPAA requires covered entities to put reasonable measures in place to protect patient information from internal and external security threats. This includes, but is not limited to, documentation of steps taken to implement security measures; agreements with business associates to safeguard protected information; patient notification and communication policies to ensure patients know how their protected information is used; and policies and procedures to mitigate damages in the event that security is breached.