UAB and the UAB Health System (UAB/UABHS) have trained more than 22,000 faculty, staff, students, volunteers and contract and temporary employees on their HIPAA privacy and security responsibilities since September 2004.
“We have made good progress in ensuring that all members of the UAB/UABHS community who come into contact with protected health information (PHI) understand what actions they should and should not take with it in order to be in compliance with HIPAA regulations,” said UAB HIPAA Coordinator Michael Brooks, Ed.D.
“Our HIPAA privacy and information security standards are linked directly to existing UAB/UABHS policies,” Brooks said.
One important objective of HIPAA – the Health Insurance Portability and Accountability Act – is to protect the health information of patients, employees and students from access without formal consent or authorization.
“It’s important that UAB/UABHS faculty and staff employees, students, trainees and volunteers be aware that if we incur HIPAA violations, we are personally subject to civil monetary penalties that may include a maximum of $100 for each violation and a total penalty not to exceed $25,000 per calendar year,” Brooks noted. UAB is also subject to institutional penalties.
Brooks explained that HIPAA also requires ongoing risk assessments related to the institution’s information security compliance practices. HIPAA Security Officer Terrell Herzig is involved with Information Technology (IT) staff, entity privacy and security coordinators and administrators in more than 50 UAB/UABHS units. These individuals are engaged in a variety of activities designed to identify and address information security risks associated with PHI and other sensitive information.
“The results of our initial risk assessments have shown us ways that employees and others can help strengthen UAB’s compliance efforts to secure PHI,” said Brooks.
Some of those ways are to:
• Follow UAB/UABHS policies and standards for transmission and storage of sensitive information such as PHI.
• Use strong passwords and encryption when using laptop computers and other portable devices.
• Back up electronic data in accordance with IT best practices.
• Ensure that computer antivirus software is up to date.
• Make sure that PHI and other sensitive information is not left unsecured at workstations, either on computers or as printed documents.
• Avoid installing unauthorized computer hardware, software and wireless communication technologies.
• Follow institutional policies and HIPAA standards for disposing of old computers, hard drives and data storage media.
The next HIPAA reporting deadline is May 23, 2007. At that time, UAB/UABHS will be required to have a unique national provider identifier (NPI) number for each physician, dentist, optometrist and other health care provider who bills electronically for clinical and professional services. Currently, out of 961 NPIs requested from UAB Health Services Foundation providers, 938 have been received.
To learn more about HIPAA, visit the UAB HIPAA Web site