Rules of Engagement: Avoiding Healthcare Security Pitfalls

America is witnessing a growing number of patients turning to alternative forms of healthcare. With this heightened awareness of integrative or complementary health, legislation such as the non-discrimination clause in the Affordable Care Act was a significant step toward getting other care professionals to acknowledge the far-reaching benefits of holistic healing. By mandating that health insurers open coverage to any care provider acting within the scope of their license or certification, the government is slowly making strides to include integrative medicine in the mainstream guidelines of America's healthcare system.

While these improvements are to be championed, they also bring new obligations: integrative practitioners must adhere to the rules that accompany this inclusion, and many of those rules govern the means by which physicians communicate health information.

As the healthcare industry continues to evolve and new avenues of communication emerge, many integrative medicine providers have turned to the digital devices and services readily available at their fingertips.

Whether it be through fax, email or text messaging, getting information to other doctors and patients is never a hard thing to do. What should be taken into account, however, is how the means of communication could affect your practice once your services are covered by insurance. An extension of the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996, the Privacy Rule published in 2000 applies to health care providers who not only accept insurance but also transmit protected health information (PHI) electronically in connection with transactions such as claims. The rule requires such providers, when communicating PHI to other physicians or to patients, to protect the confidentiality of those records through "reasonable safeguards".

With the development of electronic medical records (EMR) and general advances in technology, providers began seeing even more means of communication offered to them. These developments became the foundation of the HIPAA Security Rule, finalized in 2003 with a 2005 compliance date and later extended to business associates by the HITECH Act of 2009. Giving more clarity on the expected level of protection, the Rule states that a practice must implement "administrative, physical and technical safeguards" to ensure the confidentiality, integrity and availability of all electronic PHI (ePHI) that it creates, receives, maintains or transmits.

The three categories of safeguards are:

Physical Safeguards
Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion. (Source: HIPAA Security Series)

Administrative Safeguards
The covered entity must identify and analyze potential risks to ePHI, and it must implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level. The covered entity must also designate a security official who is responsible for developing and implementing its security policies and procedures. (Source: U.S. Department of Health and Human Services)

Technical Safeguards
A covered entity must implement technical policies and procedures for electronic information systems that maintain ePHI so that access is allowed only to those people or software programs that have been granted access rights under Information Access Management. Technical safeguards include unique user identification, emergency access procedures, automatic log-off, and encryption and decryption of ePHI. (Source: Key Health Alliance)

As the field of integrative medicine continues to become more accepted in an established healthcare system, providers should work to prepare for the transition. Take the time to ensure the eventual change in processes and procedures is a smooth one. Learn more about HIPAA guidelines here.