What is HIPAA
The HIPAA (Health Insurance Portability and Accountability Act) was enacted by the U.S. Congress in 1996 to create national standards and procedures to govern healthcare data security. The HIPAA privacy and security rule was put in place in 2003 to protect the privacy rights of employees and the general public. The rules simply provide an array of rights to control the access to Patient Health Information (PHI). The rule was originally enacted to protect healthcare providers and their patients. The current HIPAA privacy rule has recently been expanded to include Business Associates (BA), which may include Ergonomic practitioners. “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well being. The rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing” {Summary of the HIPAA privacy rule- US Dept Health human services 2003}
Recent Revisions put into effect by the HITECH ACT
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into United States law in 2009, and this stimulus bill significantly expands HIPAA’s privacy and security regulations. The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009 and came into full effect on February 17, 2010, to promote the adoption and meaningful use of health information technology. The Act provides additional regulations and obligations. Specifically, the changes focus on Business Associate responsibilities, civil penalty amounts and breach notification. HIPAA violations now carry penalties ranging from a minimum of $100 to a maximum of $50,000 per incident, up to a maximum penalty of $1.5 million.
“This strengthened penalty scheme will encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Georgina Verdugo, the director of the Health and Human Services (HHS) Office for Civil Rights (OCR). (HHS Strengthens HIPAA Enforcement 2009)
New breach regulations require health care providers and ergonomic business associates to promptly notify their clients if the security of their health information has been compromised. “This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information,” said Robinsue Frohboese, Acting Director and Principal Deputy Director of OCR. (HITECH Breach Notification Interim Final Rule 2009)
Proposed Changes to OSHA
The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has proposed a rule to change its long-standing Form 300, which logs a company’s work-related injuries and illnesses. The logs help companies quantify their injuries by reporting them to the Department of Labor. The change adds a column to track musculoskeletal disorders (MSDs). Musculoskeletal disorders are problems that can affect the body’s muscles, joints, tendons, ligaments and nerves. These disorders can account for up to 30% of all work-related injuries and cost enterprises millions a year in lost productivity. Tracking MSDs will help employers and employees identify and prevent MSDs with increased accuracy.
Enterprise compliance changes
An enterprise HIPAA-HITECH compliance plan should include administrative, physical, technical and training program standards to ensure employee data privacy. “…HITECH is the largest and most consequential expansion and change to the federal privacy and security rules ever. Roughly fifteen change areas comprise new federal privacy and security provisions that will have major financial, operational and legal consequences for all hospitals, medical practices, health plans, and now their Business Associates and some vendors and service providers that were not previously considered Business Associates.” {The truth about HIPAA, The HITECH Act and Data backup 2010}
Ergonomic professionals are now obligated to protect their clients’ PHI
Business Associates who perform activities involving the disclosure of individuals’ health care information are now responsible for the privacy of their clients’ PHI. Under the previous HIPAA legislation, professionals were rarely called upon to provide procedures to ensure PHI data security. With the HITECH Act in place, Human Resources and Ergonomic professionals are obligated to produce adequate documentation proving that they have an effective procedure to safeguard their clients’ PHI. The Department of Health and Human Services can now audit your health data security, and to comply you must have an effective privacy policy and procedure in place. These stricter regulations are a sign that more privacy and confidentiality legislation will be enacted in the coming years.
HIPAA violations can be devastating to your bottom line
CVS Caremark (the largest pharmacy chain in the United States) recently agreed to pay $2.25 million as a result of charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees. CVS received the violation because of improper handling of employee and customer personal information. The HIPAA settlement additionally requires CVS pharmacies to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years.
How can Ergolution Help your enterprise comply with current HIPAA-HITECH regulations?
Ergolution can assist your enterprise’s compliance with the current HIPAA Security Rule and the HITECH Act security and privacy provisions. Ergolution provides a secure foundation to support effective privacy policies and procedures. Keeping your employees’ confidential health information safe is integral to an effective ergonomics program and is the core principle of Ergolution. Ergolution provides enterprises with simple, effective tools to ensure that employee data is kept safe. Ergolution’s platform is built on a secure web-based system, so a lost laptop or smartphone need not jeopardize private employee data. Access to Ergolution is permission controlled and customizable. All communications regarding employee information can be conducted inside the software; any emails sent out of the system to third parties carry only an internal link, so private information is not exchanged in the email itself. Secure permissions and tiered entry allow only authorized personnel to view the data needed for their task. Ergolution can provide reports based on specific injury data and risk factors, allowing an enterprise to comply with the upcoming stricter OSHA rules. Ergolution contains the administrative, physical, technical and organizational safeguards and procedures to keep your enterprise compliant with current standards and prepared for the future. It’s good for employees AND the bottom line!