SVMIC, Part 1: Navigating Electronic Media in a Healthcare Setting (page 14)
Whereas the HIPAA Privacy Rule deals with protected health information (PHI) in any form, the HIPAA Security Rule deals only with electronic protected health information (ePHI), which is a subset of what the Privacy Rule covers. The Security Rule requires that a Security Risk Analysis (SRA) be performed and that administrative, physical, and technical safeguards be put in place to protect ePHI. The SRA helps the organization confirm that it is compliant and reveals where its ePHI could be at risk, such as systems that store or transmit it without adequate access controls. An SRA tool to assist an organization in preparing a risk assessment is available at www.HealthIT.gov.
The Department of Health and Human Services (HHS) oversees compliance with the HIPAA Rules, and its Office for Civil Rights (OCR) investigates potential violations. Significantly, anyone, including patients or staff, who believes there has been a HIPAA violation can file a complaint with OCR, and can do so without the assistance of an attorney. Let's review a case example:
CASE STUDY
A 27-year-old female patient of a surgical group was scheduled for a laparoscopic cholecystectomy. Prior to the surgery, the patient looked up the group on the internet and discovered that its surgical calendar was online and accessible to the general public. The group was using the free Google Calendar service, and the calendar had been shared with public visibility. Listed on the calendar was her surgical procedure along with several pieces of her and other individuals' protected health information. The patient notified the group of the breach, which turned out to have spanned multiple years and affected over 500 patients, the threshold at which a breach must also be reported to HHS and to prominent media outlets under the Breach Notification Rule. The case was investigated by the HHS Office for Civil Rights for potential violations of HIPAA.