The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.
Covered Entity: A covered entity is a health care provider, a health plan or a health care clearing house who, in its normal activities, creates, maintains or transmits PHI. There are exceptions. Most health care providers employed by a hospital are not covered entities. The hospital is the covered entity and responsible for implementing and enforcing HIPAA complaint policies.
Business Associate: Business associate is a person or business that provides a service to – or performs a certain function or activity for – a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity.
The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI–whether at rest or in transit–must be encrypted to NIST standards once it travels beyond an organization´s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to:
T1: Implement a means of access control: This not only means assigning a centrally controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
T2: Introduce a mechanism to authenticate ePHI: This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
T3: Implement tools for encryption and decryption:
This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server and decrypt those messages when they are received.
T4: Introduce activity logs and audit controls: The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.
T5: Facilitate automatic log-off of PCs and devices:
This function logs authorized personnel off the device they are using to access or communicate ePHI after a pre-defined period. This prevents unauthorized access of ePHI should the device be left unattended.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
P1: Facility access controls must be implemented: Controls who has physical access to the location where ePHI is stored and includes software engineers, cleaners, etc. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
P2: Policies for the use/positioning of workstations: Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation and govern how functions are to be performed on the workstations.
P3: Policies and procedures for mobile devices: If users can access ePHI from their mobile devices, policies must be devised and implemented to govern how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, etc.
P4: Inventory of hardware: An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce. The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits; not just to make sure that the organization in question has conducted one, but to ensure to ensure they are comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.
A1: Conducting risk assessments: Among the Security Officer´s main tasks are the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all the ways in which breaches of ePHI could occur.
A2: Introducing a risk management policy: The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
A3: Training employees to be secure: Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
A5: Developing a contingency plan: In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
A6: Testing of contingency plan: The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
A7: Restricting third-party access: It is vital to ensure ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
A8: Reporting security incidents: The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach.
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered entities.The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared. For More Information Please Visit: https://www.hipaajournal.com/hipaa-compliance-checklist/
