
Legalities Governing Information Security in Higher Education: HIPAA

Health Insurance Portability and Accountability Act of 1996

HIPAA serves to protect the rights of individuals participating in certain health coverage plans with respect to their health information, and governs the use and disclosure of such records. Academic institutions associated with health care providers must provide written notice of their associated health care provider’s information practices. Organizations that fall under HIPAA must “(i) adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed; (ii) require their business associates to protect the privacy of health information; (iii) train their employees in their privacy policies and procedures; (iv) take steps to protect against unauthorized disclosure of personal health records; and (v) designate an individual to be responsible for ensuring the procedures are followed.” (Cassat)

HIPAA already carries serious penalties for organizations that fail to comply. Recent changes to HIPAA were enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH), raising civil penalties to as much as $1.5 million per year in fines for organizations that fail to comply. Furthermore, intentional disclosure of physical health information can now be criminally prosecuted under HITECH; patients/users affected by security breaches or lost records must be notified; and if a record loss affects more than 500 individuals, the Secretary of the Department of Health and Human Services must be notified. (Mortman) These changes will go into effect in February of 2010.

It is apparent that the United States government is taking the security and privacy of medical records far more seriously than it has in the past. Organizations that fall under HIPAA are urged to review their security and privacy policies and practices and evaluate their organization’s compliance.