HHS HIPAA Compliance
Overview
HIPAA compliance is, of course, a must for healthcare providers. HIPAA guidelines protect patients’ health information, guaranteeing it is stored securely, accessed only by those with a need, and used correctly. Data that can reveal a patient’s identity, called Patient Health Information (PHI), must be kept confidential. HIPAA compliance is adherence to the physical, administrative, and technical safeguards outlined in HIPAA, which covered entities and business associates must uphold to protect the integrity of PHI.
The Five Main Directives of HIPAA
- HIPAA Title I focuses on the insurance reform introduced in HIPAA, specifying rules about the access, portability, and renewability of health insurance. It makes it possible to maintain coverage when your employment changes and makes it unlawful for group insurance plans to turn down health coverage.
- HIPAA Title II concentrates on the required steps of the Privacy Rule, Security Rule, and the Enforcement Rule. It also defines national standards on how electronic healthcare transactions are processed by the U.S. Dept of Health and Human Services (HHS).
- HIPAA Title III introduces new tax rules related to healthcare treatment including the provisioning of certain deductions for medical insurance.
- HIPAA Title IV provides details on the reform of insurance law, with protections for those who have pre-existing conditions and individuals who want to maintain their insurance.
- HIPAA Title V gives guidelines for life insurance policies that are owned by businesses and how to handle income tax specifics when someone has their US citizenship revoked.
HIPAA and Information Technology/Cloud
Not surprisingly, a HIPAA-compliant IT service provider will be most concerned with HIPAA Title II. Title II establishes and describes these five elements:
- National Provider Identifier Standard – 10-digit NPI (national provider identifier) numbers must be assigned to all healthcare entities.
- Transactions and Code Set Privacy Standard – this approved protocol must be used in electronic data interchange (EDI).
- HIPAA Privacy Rule – Ensuring that Patient Health Information (PHI) is protected. The Privacy Rule is actually short-hand for the “Standards for Privacy of Individually Identifiable Health Information.”
- HIPAA Security Rule – This rule delineates expectations for the safeguarding of patient data. The Security Rule is short-hand for the “Security Standards for the Protection of Electronic Protected Health Information.”
- HIPAA Enforcement Rule – This subsection of the law provides parameters with which companies should be investigated for potential or alleged violations.
The HIPAA Privacy Rule and HIPAA Security Rule are reviewed next. The Security Rule includes three safeguard components:
- Technical safeguards
- Physical safeguards
- Administrative safeguards
HIPAA Privacy Rule
HIPAA’s Privacy Rule is in place to ensure that Patient Health Information (PHI) is protected. The Privacy Rule is actually called “Standards for Privacy of Individually Identifiable Health Information.”
- Prompt response – HIPAA legislation allows a maximum of just 30 days to respond to patient access requests. (Required)
- Notice of privacy practices – An NPP is required to officially inform patients and subscribers of data sharing policies. (Required)
- Privacy training – Medical personnel must be trained to recognize what data can and cannot be shared internally and externally. (Required)
- Ensure data is valid – “Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients,” instructs HIPAA Journal. (Required)
- Get authorization – Obtain permission from any and all patients to use redacted ePHI for research, fundraising, or marketing. (Required)
- Update documentation – All authorization forms should now include a reference to changes in the treatment of school immunizations, ePHI restriction in disclosure to health plans, and the right of patients to access their electronic records. (Required)
HIPAA Security Rule
The HIPAA Security Rule defines the requirements for the protection of electronic patient health information. The Security Rule refers to “Security Standards for the Protection of Electronic Protected Health Information.” These are ‘safeguards’, and there are three of them:
- Technical
- Physical
- Administrative
Technical safeguards:
- Network encryption – All ePHI must be encrypted so as to meet NIST cryptographic standards any time it is transmitted over an external network. (Required)
- Control access – Each user is assigned a centrally-controlled unique username and PIN code/password to access the systems. Procedures must also be in place to govern when to release or disclose ePHI during an emergency. (Required)
- Authenticate ePHI – You must identify and authenticate ePHI and protect it from corruption, unauthorized changes, and accidental destruction. (Recommended)
- Encrypt devices – All end-point devices that access the system should be able to encrypt and decrypt data. This is critical for mobile and laptop devices. (Recommended)
- Control activity audits – Detailed logging is needed to track all ePHI access attempts and to monitor how ePHI data is manipulated. (Recommended)
- Enable automatic logoff – Users must be auto logged out after a certain set time-frame, usually between 30 seconds and 3 minutes, based on the application or system. (Recommended)
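An added example (not from the original page or from any hosting provider it describes) showing how several of the technical safeguards listed above can be enforced at one chokepoint: centrally assigned unique user IDs with a role check, an emergency-disclosure path that is always recorded, an integrity check on stored ePHI, an audit entry for every access attempt whether allowed or denied, and automatic logoff after an idle period. All user names, record contents and the integrity key are constructed placeholders.

```python
import hashlib, hmac, json, time

IDLE_TIMEOUT_SECONDS = 180            # page: auto-logoff after 30 s to 3 min of inactivity
INTEGRITY_KEY = b"constructed-demo-key"  # assumption: a real deployment keeps this in a KMS

def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding; detects tampering or corruption."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

class EphiGateway:
    """Single chokepoint for ePHI reads; every attempt, allowed or denied, is audited."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.roles = {}      # unique user id -> set of roles (centrally assigned)
        self.sessions = {}   # user id -> last-activity timestamp
        self.store = {}      # record id -> (record, integrity tag)
        self.audit = []      # (timestamp, user, record, outcome) for every attempt

    def add_user(self, user_id, roles):
        self.roles[user_id] = set(roles)
    def put_record(self, record_id, record):
        self.store[record_id] = (dict(record), integrity_tag(record))

    def login(self, user_id):
        self.sessions[user_id] = self.clock()
    def _log(self, user_id, record_id, outcome, record=None):
        self.audit.append((self.clock(), user_id, record_id, outcome))
        return outcome, record

    def read(self, user_id, record_id, emergency=False):
        """Returns (outcome, record); record is None unless outcome starts with 'allowed'."""
        now = self.clock()
        last = self.sessions.get(user_id)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(user_id, None)             # automatic logoff of idle session
            return self._log(user_id, record_id, "denied:no-active-session")
        self.sessions[user_id] = now
        if record_id not in self.store:
            return self._log(user_id, record_id, "denied:unknown-record")
        record, tag = self.store[record_id]
        if not hmac.compare_digest(tag, integrity_tag(record)):
            return self._log(user_id, record_id, "denied:integrity-failure")
        if "clinician" in self.roles.get(user_id, ()):
            return self._log(user_id, record_id, "allowed", record)
        if emergency:  # break-glass disclosure: permitted, but always leaves an audit entry
            return self._log(user_id, record_id, "allowed:emergency", record)
        return self._log(user_id, record_id, "denied:insufficient-role")
```

The audit list is what the “control activity audits” safeguard asks for: denied attempts and emergency disclosures are recorded alongside normal reads, so they can be reviewed later.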
Physical safeguards:
- Control facility access – Carefully track the specific individuals who have physical access to data storage. This applies not just to health care workers or engineers, but also to repair people and even custodians. A plan of action to block unauthorized entry must be developed. (Required)
- Manage workstations – A policy must be drafted that limits which computer workstations (and other devices) have access to health data, describes how a screen should be guarded from being viewed at a distance, and specifies appropriate workstation use. (Required)
- Remove mobile device ePHI – Define a mobile device policy that deletes ePHI before a device is transferred to another user. (Required)
- Track computer servers – Create an inventory of your server and device infrastructure, including current physical location. Before moving a server or device, data should be copied. (Recommended)
Administrative safeguards:
- Risk assessment – Identify, analyze and define risk elements and probabilistic outcomes. Complete a comprehensive risk assessment for all health data. Create and put into place action plans to resolve outcomes in line with the defined risk assessments. (Required)
- Systematic ongoing risk management – Risk assessment is an ongoing process that must be reviewed at regular intervals with recalibrated measures put in place to reduce the risks to an appropriate level. A sanctions policy must be introduced for employees who fail to comply with HIPAA regulations. (Required)
- Train staff – Employees need to be trained on all ePHI access protocols and on how to recognize potential cybersecurity risks such as phishing, hacking, and deception. A record of these sessions must be kept. (Recommended)
- Build contingencies – Implement ongoing business continuity, responding to potential disasters with a preparation process that keeps data safe. (Required)
- Test contingencies – Test contingency plan(s) on a regular basis, with relation to all key software. A backup system and restoration policy should be adopted. (Recommended)
- Block unauthorized access – Be certain that parties that haven’t been granted access, such as subcontractors or parent companies, cannot view ePHI. Sign business associate agreements with all partners. (Required)
- Document all security incidents – Note that this step is separate from the Breach Notification Rule, which has to do with actual successful hacks. A security incident can be stopped internally before data is breached. Staff should recognize and report these occurrences. (Recommended)
Major Changes to HIPAA Since Passage in 1996
There have been four major amendments since 1996:
- The Security Rule Amendment of 2003
  - Technical Safeguards
  - Physical Safeguards
  - Administrative Safeguards
- The Privacy Rule Amendment of 2003
- The Breach Notification Rule of 2009
- The Final Omnibus Rule of 2013
We will focus on the Breach Notification Rule of 2009 next.
HIPAA Breach Notification Rule
HIPAA’s Breach Notification Rule sets out requirements for notification contacts and timing in the event of a protected health data breach.
- Notification process: If a breach of ePHI occurs, both the affected patients and the HHS Department must be alerted. If more than 500 patient records are involved, local media must also be notified. If fewer than 500 patients are affected, a small-scale breach report is submitted through the OCR website. Smaller breach reports can be delayed, because OCR directives require that small-scale breach reports only be made annually (within sixty days of the close of the calendar year). Large-scale breaches trigger immediate notifications, including immediate contact of the HHS Secretary by the HIPAA covered entity (CE). (Required)
- Four breach notification components: Each breach notification message contains four components. (Required)
  - A description of the ePHI and personal identifiers involved in the breach
  - The name of the party that gained unauthorized access to the PHI or related information
  - Whether the ePHI was only viewed or actually removed (viewing vs. acquisition), if known
  - The degree to which risk mitigation has succeeded
Consequences of Violating HIPAA Regulations
There are four levels of violations described by the HIPAA Enforcement Rule, with the fine range in parentheses:
- “Unaware based on reasonable measure” – The entity was unaware and would have remained unaware based on reasonable measures. ($100 to $50,000)
- “Reasonable cause” – in which the violation was caused by an element that would prompt action in an ordinary person. ($1,000 to $50,000)
- “Willful neglect” – in which the violation was caused by intentional avoidance but rectified within 30 days. ($10,000 to $50,000)
- “Willful neglect not mitigated” – Willful neglect but not mitigated within 30 days. ($50,000)
What Does HITECH Have to Do With HIPAA Healthcare?
HITECH is the acronym associated with the Health Information Technology for Economic and Clinical Health Act of 2009. The legislation, signed into law by President Obama on February 17, was intended to accelerate the transition to electronic health records (EHR). It was actually included within the American Recovery and Reinvestment Act of 2009 (ARRA), which was geared toward stimulating the economy during the Great Recession.
The Office of the National Coordinator for Health Information Technology (ONC), part of the HHS Department since 2004, is responsible for the administration and creation of standards related to HITECH. Of course, HIPAA hosting providers deploying electronic health records must satisfy the EHR requirements defined by ONC, while simultaneously complying with the HIPAA Privacy and Security Rules. Effectively, HITECH is an addendum to HIPAA.
We WILL deliver the solution that you need!
As a first step, we will be delighted to answer any and all of your questions!