Tuesday, April 23, 2019

Physicians, Hospitals, Clinics, And Other Health Care Providers Beware HHS Interpretation Of HIPAA Compliance Rules

As MD Anderson has learned the hard way over the past couple of years, HHS' interpretation of the "Mandatory" versus "Addressable" HIPAA compliance rules and regulations can differ sharply from the business practices of many physicians, hospitals, and other health care organizations.

HIPAA provides many compliance rules that health care organizations must follow.  Those must-follow rules are commonly referred to as "Mandatory".  Mandatory rules and requirements must be implemented to avoid HIPAA compliance problems.  There is, however, another set of rules and requirements that are not listed as Mandatory.  Instead, these rules and requirements are listed as "Addressable".  Many health care organizations have treated Addressable rules as optional, or as mere suggestions by the government.

HHS, however, has made it clear in pursuing large fines against MD Anderson that the Addressable rules and requirements are closer to mandatory than to optional.

HHS has ruled in the MD Anderson case that Addressable rules and requirements (in MD Anderson's case, specifically the use of encryption to secure electronic protected health information) are MANDATORY unless the health care organization can demonstrate a reasonable basis for why a particular Addressable rule and requirement does not need to be followed.

In the MD Anderson case, a laptop and a few thumb drives were lost or stolen.  As a result, unencrypted electronic protected health information was disclosed to unauthorized persons.  MD Anderson contended that because encryption was an Addressable rule and requirement, it was optional, and therefore MD Anderson was not at fault for the unauthorized disclosures.

HHS says MD Anderson is wrong.  HHS says that Addressable rules and requirements, such as encrypting electronic protected health information, are MANDATORY, and NOT optional, unless the health care organization can demonstrate a reasonable basis for why the Addressable rule and requirement in question does not need to be followed.

HHS ruled that MD Anderson had made no showing of a reasonable basis for not following the Addressable data-encryption rule, and therefore levied substantial penalties on MD Anderson.

MD Anderson is appealing to the courts, but their legal fight seems to be an uphill battle.

Best practice for any physician or health care organization is to treat Addressable rules and requirements, such as encryption of data, as Mandatory, unless they have very strong and well-documented reasons why a specific Addressable rule and requirement does not need to be followed.

For help with your legal needs contact a business, tax, and health care law attorney at the offices of AttorneyBritt.

