The rules and regulations concerning HIPAA-compliant policies and procedures are lengthy and written in highly elevated legal language. They go into such great detail that it becomes difficult to distill the important facts pertinent to a particular industry. The possible issues faced by a psychiatrist talking with a patient are vastly different from those encountered by a transportation operation. In the NEMT industry, brokers and providers face unique issues that affect every operation differently. There are also possible variations on the interpretation of HIPAA rules. For example, are you responsible for ensuring you change access passwords every 6 months? Is this HIPAA-compliant behavior (and mandatory), or is it just careful behavior? Is your broker making it a condition of your compliance behavior, regardless?
Even though NEMT providers (especially) may have operated in a certain way ten years ago, HIPAA regulations (updated in 2013) may change the way that many providers operate. Since providers may now be considered health care providers, they may discover that they are open to audits from their broker, now a managed health care organization. The rules for handling electronic (and paper) health records are more stringent and a provider needs to be aware of what is expected of them. The growing need for secure data storage, secure access to data, data backups and preventing security breaches has proven why NEMT software is a powerful tool in the fight against cyber-vulnerability.
Although there is no history of litigation in which HIPAA compliance was used as a standard of care, the future may prove to be a little more litigious. Perhaps due to the many publicly visible data breaches in the past few years (Home Depot and Sony to name two), privacy issues are being taken more and more seriously by the courts. As this Connecticut Supreme Court decision shows, HIPAA may be used to establish the standard of care in negligence cases. To be found non-compliant in the face of a privacy breach can amount to negligence under state statutory and common law. This means that HIPAA violations may become actionable in private court cases. Now providers need to worry about more than just a penalty or a fine from the government. Providers now also need to ensure they are adequately protected by business and cyber liability insurance to mitigate damage from civil suits.
While NEMT software encourages the establishment of a secure data network, it is not, in and of itself, responsible for addressing the full list of HIPAA compliance regulations. NEMT software is able to provide tools to enable technical safeguards, but you are still required to implement specific policies and procedures (such as regular audits) in order to establish HIPAA compliance.
NEMT software also offers a level of protection by allowing providers to set specific security boundaries, among which are requirements under HIPAA. For example, the regulations concerning technical safeguards state that information systems must allow “access only to those persons or software programs that have been granted access rights.” [source, p. 42 (or p. 60 in the PDF)]
Many of the technical safeguards are made more resilient due to the very nature of NEMT software and its ability to produce accurate reports and create customizable levels of access and security. However, this is an enormous subject with many variations and issues that are unique to NEMT providers and brokers alike. This short blog post is only a small scratch at the surface of this vast and unwieldy subject. Talk to an NEMT software specialist today to learn more about how to balance efficiency with privacy concerns.