David Szabo: Due Diligence Needed to Protect Patient Information

Legal issues continue to loom ever larger in the world of medicine. The establishment of accountable care organizations is presenting new challenges for physicians, and now the implementation of the federal HITECH (Health Information Technology for Economic and Clinical Health) Act – the law enacted last year to promote the adoption and meaningful use of health information technology – should prompt them to apply more due diligence to the privacy and security of patient information.

That was the clear message from David S. Szabo, a health care attorney with Edwards Angell Palmer & Dodge, one of the featured speakers at the MMS’s January 14 CME session on Health Reform and Health IT.

Mr. Szabo took attendees through what amounted to a “legal lightning round” of issues to consider for users of electronic medical records, touching on privacy and security, obligations to notify when a data breach occurs, and best practices and risk management.

“The HITECH Act substantially increased the civil penalties for violations of the HIPAA privacy and security regulations,” said Mr. Szabo. Fines from $100 to $50,000 can now be levied on violators, depending on the level of neglect and the speed of correction.

Some key elements of his presentation included the distinction between privacy and security, user requirements for electronic health information, the categories of safeguarding information, and the three steps of security requirements.

Mr. Szabo was quick to point out that state laws as well as federal laws apply to the safeguarding of information, and that violations of state law can result in civil penalties, damages, or licensure sanctions. Massachusetts, for example, is one of only two states to have an information security rule protecting “personal information.” Those who hold information about state residents must adopt a written information security policy and follow reasonable security practices to protect that information.

Among his suggestions for best practices: setting clear policies and procedures, intensive training, and privacy, security and data breach insurance. Additional details of his presentation are available here.
