Steps to Take to be Compliant with HIPAA Regulations
If you are an entity that handles Protected Health Information (PHI), it is important that you are compliant with HIPAA regulations. HB Computers has a great deal of experience in maintaining the highest security measures available for data protection. Many businesses and organizations assign a Privacy Officer (PO) charged with understanding each HIPAA regulation. We are available to work with you and/or your PO so that you can have peace of mind when it comes to data security.
There are four rules that are especially important:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
- HIPAA Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Business Associates are directly liable for uses and disclosures of PHI that are not covered under their BAA or the HIPAA Privacy Rule itself.
- HIPAA Security Rule: The HIPAA Security Rule includes three safeguard-related parts with implementation specifications (some of which are required, and some are categorized as “addressable”). These safeguards are designed to ensure the confidentiality, integrity, and security of protected health information (PHI).
The implementation specifications that are “required” must be followed according to specifications. If they are “addressable”, they must be implemented if it is reasonable and appropriate to do so. This decision must be documented, but if you are in doubt, it’s best to implement under the assumption of “required.”
It is your responsibility to follow the Privacy and Security rules and also to provide notification if there is a breach of unsecured protected health information.
- HIPAA Enforcement Rule: The HIPAA Enforcement Rule spells out investigations, penalties, and procedures for hearings.
- HIPAA Breach Notification Rule: The Breach Notification Rule requires most healthcare providers to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires the entities to promptly notify HHS if there is any breach of unsecured PHI, and notify the media and public if the breach affects more than 500 patients.
The three parts to the HIPAA Security Rule are as follows:
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards
- Technical Safeguards: This part of the Security Rule addresses the technology that protects ePHI and how it is accessed. The security standards are “technology neutral,” meaning that you are not required to use specific technologies. There are five standards included in this section:
  - Access Control
  - Audit Controls
  - Integrity
  - Authentication
  - Transmission Security
- Access Control:
  - Unique User Identification (required)
  - Emergency Access Procedure (required)
  - Automatic Logoff (addressable)
  - Encryption and Decryption (addressable)
- Audit Controls: Implement hardware, software, and/or procedural mechanisms to record any activity in systems containing ePHI.
- Integrity: Implement security measures to ensure that ePHI is not modified without authority.
- Authentication: Implement procedures to ensure that a user seeking access to ePHI is the one claimed.
- Transmission Security: Encryption (addressable) is to be used as a security measure against ePHI being modified without authority.
- Physical Safeguards: The Physical Safeguards section includes four standards:
  - Facility Access Controls
  - Workstation Use
  - Workstation Security
  - Device and Media Controls
- Facility Access Controls:
  - Contingency Operations (addressable): Establish procedures to restore lost data under a disaster recovery plan in the event of an emergency.
  - Facility Security Plan (addressable): Implement policies and procedures to protect your facility and equipment from unauthorized physical access, tampering, or theft.
  - Access Control and Validation Procedures (addressable): Implement procedures to monitor and validate a person’s access to facilities based on their role or function.
  - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the security-related physical components of a facility (e.g. hardware, walls, doors, and locks).
- Workstation Use (required): Implement policies and procedures specifying the authorized functions to be performed, how those functions are to be performed, and the physical attributes of the surroundings of workstations that can access ePHI.
- Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, so that unauthorized users cannot gain access.
- Device and Media Controls:
  - Disposal (required): Implement policies and procedures for disposing of ePHI and/or the hardware or electronic media on which it is stored.
  - Media Re-Use (required): Implement procedures to remove ePHI from electronic media before the media are made available for re-use.
  - Accountability (addressable): Maintain records of the movement of hardware and electronic media, and of the person responsible.
  - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before equipment is moved.
- Administrative Safeguards: The Administrative Safeguards govern the conduct of the workforce, and the security measures put in place to protect ePHI. The administrative components of HIPAA compliance are very important. You must assign a privacy officer, complete an annual risk assessment, provide employee training annually, review policies and procedures, and execute Business Associate Agreements (BAAs) with all partners who handle PHI.
There are nine standards within the Administrative Safeguards section:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
- Security Management Process: Conduct and document a risk analysis to ascertain where PHI is being used and stored, and to determine all the ways that HIPAA could be violated.
  - Risk Management (required): Implement measures to reduce the identified risks.
  - Sanction Policy (required): Implement sanction policies for employees who fail to comply.
  - Information Systems Activity Reviews (required): Review your systems’ activity, logs, audit trails, etc. on a regular basis.
- Assigned Security Responsibility:
  - Officers (required): Designate HIPAA Security and Privacy Officers.
- Workforce Security:
  - Employee Oversight (addressable): Implement procedures for authorizing and supervising employees who work with PHI. This includes granting and removing access, and ensuring that an employee’s access to PHI ends with the employee’s termination.
- Information Access Management:
  - Multiple Organizations (required): Ensure that parent or partner organizations, subcontractors, or any other entity not authorized for access cannot access PHI.
  - ePHI Access (addressable): Implement and document procedures for granting access to ePHI.
- Security Awareness and Training:
  - Security Reminders (addressable): Send updates and reminders about security and privacy policies to employees on a regular basis.
  - Protection Against Malware (addressable): Implement procedures for guarding against, detecting, and reporting malicious software.
  - Login Monitoring (addressable): Implement monitoring of logins to systems and reporting of discrepancies.
  - Password Management (addressable): Ensure that there are procedures in place for creating, changing, and protecting passwords.
- Security Incident Procedures:
  - Response and Reporting (required): Identify, document, and respond to security incidents.
- Contingency Plan:
  - Contingency Plans (required): Ensure that accessible backups of ePHI are available and that there are procedures to restore any lost data.
  - Contingency Plan Updates and Analysis (addressable): Put procedures in place for periodic testing and revision of contingency plans.
  - Emergency Mode (required): Establish procedures to continue critical business processes that protect the security of ePHI while operating in emergency mode.
- Evaluation:
  - Evaluations (required): Perform periodic evaluations to see whether changes need to be made to your HIPAA compliance procedures due to changes in your business or in the legal requirements of HIPAA.
- Business Associate Contracts and Other Arrangements:
  - Business Associate Agreements (required): Create special contracts to be signed by business partners who will have access to your PHI, in order to ensure compliance. Choose partners that have similar agreements with their own partners who may have access to your records.
This is a great deal of information to absorb. If you have any questions about HIPAA compliance as it relates to ePHI, please don’t hesitate to call us. Essentially, the points to remember are that you must:
- Have safeguards in place to protect patient health information (PHI).
- Limit use of PHI to what is absolutely necessary to accomplish your intended purpose.
- Have privacy agreements in place with business associates or service providers that perform functions covered by HIPAA.
- Create and implement procedures to limit access to PHI, and implement a training program for your employees so that they fully understand how to protect your PHI.