Privacy Rules for Medical Practices

Dateline: March, 2008

By: Michael S. Reuter, Esq.

As we enter the 21st century, identity theft has reached epidemic proportions. This danger, and the need to protect the critical information of individuals who have entrusted that information to health care providers, has led to wide-ranging regulation by both state and federal agencies. As a result, New Jersey health care providers in particular now face potentially significant civil liability for failure to comply with the HIPAA privacy rules, as well as the security rules governing the protection of what has been defined as Electronic Protected Health Information (“EPHI”). Unfortunately, even greater potential civil liability exists for New Jersey health care providers that fail to adequately protect EPHI, because of the additional statutory requirements and minimum security standards established pursuant to the New Jersey Identity Theft Protection Act (“NJITPA”).


Medical providers should by now have a strong understanding of the federal requirements and the security measures they must have in place to protect the patient files located on their office computers; however, that is no longer adequate. Providers must now assess and put in place procedures and safeguards covering the use of portable media devices and remote software applications. These devices include, but are not limited to, laptops, home-based personal computers, PDAs, smart phones, hotel, library or other public workstations and wireless access points, USB flash drives, memory cards, CDs, DVDs, backup media, e-mail, smart cards and remote access devices, to name a few.


It is of course best to avoid any use of these portable media devices outside of the workplace, but in today’s world that is often unrealistic. Therefore, the next best policy is to minimize offsite use and access as much as possible, and to ensure that only a limited number of essential personnel have access to EPHI. The question remains for medical service providers: what is the proper level of safeguards necessary to protect EPHI and avoid potentially significant civil liability if EPHI is in fact stolen?


A New Jersey small medical (office) provider’s best defense against liability claims is compliance with both the HIPAA security rule 7 (45 CFR Part 160 and Part 164, Subparts A and C) and the New Jersey Identity Theft Protection Act (N.J.S.A. 56:11-44 et seq.). Both the state and federal governments have established the minimum standards of action and information security that would be deemed reasonable for the protection of EPHI. As such, if a small medical provider complies with these minimum standards, it is highly probable that a court or administrative regulatory agency would find the actions taken to be reasonable.


This Article is a service of the Business Law Department and Litigation Department of Fein, Such, Kahn & Shepard, P.C., 7 Century Drive, Suite 201, Parsippany, NJ 07960.  Phone: 973-538-4700. Website: www.feinsuch.com.  It does not constitute legal advice nor create an attorney-client relationship.  For more information contact Michael S. Reuter, Esq.  at mreuter@feinsuch.com or 973-538-4700 x242.


© 2008, Fein, Such, Kahn & Shepard, P.C., all rights reserved.  Permission is granted to reproduce and redistribute this article so long as (i) the entire article, including all headings and the copyright notice are included in the reproduction, and (ii) no fee or other charge is imposed.