The Healthcare Insurance Portability and Accountability Act (HIPAA) establishes requirements for the security of electronic Protected Health Information (e-PHI). It sounds straightforward yet with changing technology, compliance has become a moving target.
Proof of compliance requires two basic elements:
1. Risk Analysis
2. Documented and Implemented Policies and Procedures
The MacSmith can assist your health care practice by performing a risk analysis audit, implementing necessary security measures, and providing ongoing scheduled updates to ensure that your technology is in compliance. We also provide documentation of your systems that can establish proof of compliance with HIPAA regulations.
Potential HIPAA violations my be uncovered by a standard review of your organization or may be the result of an investigation following a complaint made to the Dept. of Health and Human Services about your organization’s practices.
Fines are imposed in four violation categories, and reflect the severity of a data breach, including factors such as the number of ePHI records affected, the kinds of records affected, and the negligence of the organization. The following penalties may be assessed:
|1||$100 - $50,000 per incident up to $1.5 Million||The covered entity did not know and, by exercising reasonable diligence, would not have known that the violation occurred.|
|2||$1,000 - $50,000 per incident up to $1.5 Million||The violation was due to reasonable cause and not willful neglect.|
|3||$10,000 - $50,000 per incident up to $1.5 Million||The violation was due to willful neglect and was timely corrected.|
|4||$50,000 per incident up to $1.5 Million||The violation was due to willful neglect and was not timely corrected.|
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers a number of topics but specifically includes requirements for protecting the privacy and security of personal health information. Since this information is increasingly electronic, the regulations are designed to be flexible to conform to changing technology. Health care providers that collect and retain patient information must be able to prove compliance.
HIPAA has a Privacy Rule and a Security Rule. The Privacy Rule defines what data is private (for example, names, social security numbers, phone numbers, etc.). The Security Rule defines how the data is kept private, increasingly in electronic settings (for example, passwords, firewall requirements, encryption standards, etc.).
The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (electronic Protected Health Information).
Specifically, covered entities must:
1. Ensure the confidentiality, integrity, and availability (by an authorized person) of all e-PHI they create, receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures; and
4. Ensure compliance by their workforce.
There are 18 identifiers that must be protected: 1) Names or part of names, 2) Geographical identifiers, 3) Dates directly related to an individual, 4) Phone numbers, 5) Fax numbers, 6) Email addresses, 7) Social Security numbers, 8) Medical record numbers, 9) Health insurance beneficiary numbers, 10) Account numbers, 11) Certificate or license numbers, 12) Vehicle license plate numbers, 13) Device identifiers and serial numbers, 14) Web URLs, 15) IP addresses, 16) Fingerprints, retinal and voice prints, 17) Full face or any comparable photographic images, 18) Any other unique identifying characteristic
A Risk Analysis is required under the HIPAA Security Rule. After the initial analysis, ongoing risk evaluations should be carried out on a regular basis as technology and health office setups change. A Risk Analysis involves the following:
1) Evaluate the likelihood and impact of potential risks to e-PHI.
2) Determine and implement appropriate security measures to address the identified risks.
3) Document the chosen security measures and indicate the rationale for adopting those measures.
4) Maintain continuous, reasonable, and appropriate security protections.
1. A Security Management Process - Potential risks to e-PHI must be identified and analyzed, and you must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
2. Security Personnel - You must designate a security official who is responsible for developing and implementing your security policies and procedures.
3. Information Access Management - Use and disclosure of personal health information must be limited to the "minimum necessary" according to the HIPAA Privacy Rule. The Security Rule requires that you implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
4. Workforce Training and Management - You must provide for appropriate authorization and supervision of workforce members who work with e-PHI. You must train all workforce members regarding your security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate policies and procedures.
5. Evaluation - You must perform a periodic assessment of how well your security policies and procedures meet the requirements of the HIPAA Security Rule.
1. Facility Access and Control - You must limit physical access to your facilities while ensuring that authorized access is allowed.
2. Workstation and Device Security - You must implement policies and procedures to specify proper use of and access to workstations and electronic media. You also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
1. Access Control - You must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
2. Audit Controls - You must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
3. Integrity Controls - You must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
4. Transmission Security - You must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
If you have authorized a third party or business associate (for example, a billing firm or an accountant) to access any e-PHI, then you are responsible for ensuring their compliance with HIPAA rules. Many healthcare practices establish an agreement or contract with business associates which documents security requirements and expectations. If you know of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, you must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
Yes. You must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. You must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
You must also periodically review and update your documentation in response to changes in technology or organizational changes that affect the security of electronic protected health information (e-PHI).
The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews.
If you are found to be noncompliant, fines may be imposed. See the chart on this page for an overview of fines assessed.