HIPAA rules require four things:
- Protect patient health information.
- Limit use and sharing of PHI to the minimum necessary to accomplish your intended purpose.
- Create agreements with service providers to ensure they use and disclose patient health information properly and safeguard it appropriately.
- Limit access to patient health information, and train employees how to protect your PHI.
Where does one start? The research starts with determining who you are. Typically, if you are a healthcare organization, you are a Covered Entity. If you are an organization that has access to your customers’ PHI, you are a Business Associate.
Both have responsibilities for the following:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical and other personal health information. The Rule requires safeguards to protect the privacy of personal health information and sets limits on its uses and disclosures. The Rule gives patients rights over their health information, including the right to examine and obtain a copy of their health records.
The Rule makes Business Associates directly liable for uses and disclosures of PHI and requires them to do the following:
- Do not allow any impermissible uses or disclosures of PHI.
- Provide breach notification to the Covered Entity.
- Provide individual or Covered Entity access to PHI.
- Disclose PHI to the Secretary of HHS, if required.
- Provide an accounting of disclosures.
- Comply with the HIPAA Security Rule.
The HIPAA Security Rule requires three categories of safeguards (Administrative, Physical, and Technical) to protect the privacy and security of PHI.
All three include implementation specifications. These specifications are categorized as either ‘required’ or ‘addressable.’ Required specifications must be implemented, while addressable specifications must be implemented if it is reasonable and appropriate to do so. In practice you should implement the addressable specifications anyway, since they reflect current best practice.
Technical Safeguards focus on technology that protects PHI and controls access to it.
There are five Technical Safeguards:
- Access Control – Unique User Identification, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption
- Audit Controls – hardware/software/procedural mechanisms that record activity in PHI systems
- Integrity – electronic mechanisms to corroborate that PHI has not been altered or destroyed
- Authentication – verify that a person/entity seeking access to PHI is the one claimed.
- Transmission Security – Encrypt as appropriate, ensure PHI is not improperly modified
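The list above names the controls but does not show what they look like in code. The following is an added example, not code from the original post or from Extract: a small Python model of a PHI record store that enforces three of the Technical Safeguards at once, unique user identification with automatic logoff (Access Control), an append-only audit trail of every access attempt (Audit Controls), and an HMAC tag that detects altered records (Integrity). It also applies the minimum-necessary principle by filtering fields per role. All names, roles, the patient record, the key and the 15-minute idle limit are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data. In a real deployment the integrity key would come
# from a secrets manager and the records from the EHR database.
INTEGRITY_KEY = b"constructed-example-key-not-for-production"
SAMPLE_RECORDS = {
    "patient-001": {"name": "Jane Doe", "dob": "1980-04-12",
                    "diagnosis": "hypertension"},
}

# Minimum-necessary access: each role sees only the fields its job requires.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "dob"},
}

AUTO_LOGOFF_SECONDS = 15 * 60  # idle time after which a session is ended (assumed)


class AccessDenied(Exception):
    """Raised when access control or automatic logoff blocks a request."""


class IntegrityError(Exception):
    """Raised when a stored record no longer matches its integrity tag."""


def seal(record: dict) -> str:
    """Integrity control: HMAC-SHA256 over a canonical JSON encoding."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(seal(record), tag)


class Session:
    """Unique user identification plus the timestamp used for auto-logoff."""

    def __init__(self, user_id: str, role: str, now: float):
        self.user_id = user_id
        self.role = role
        self.last_activity = now


class PhiStore:
    """Holds sealed records and an append-only audit trail of every access."""

    def __init__(self, records: dict):
        self._records = {pid: dict(rec) for pid, rec in records.items()}
        self._tags = {pid: seal(rec) for pid, rec in self._records.items()}
        self.audit_log = []

    def _audit(self, session, patient_id, outcome, now):
        # Audit control: who touched which record, when, and with what result.
        self.audit_log.append({"ts": now, "user": session.user_id,
                               "patient": patient_id, "outcome": outcome})

    def read(self, session: Session, patient_id: str, now: float) -> dict:
        # Automatic logoff: an idle session is rejected, and the denial is logged.
        if now - session.last_activity > AUTO_LOGOFF_SECONDS:
            self._audit(session, patient_id, "denied:session-expired", now)
            raise AccessDenied("session expired; log in again")
        session.last_activity = now

        allowed = ROLE_FIELDS.get(session.role)
        if allowed is None:
            self._audit(session, patient_id, "denied:no-role", now)
            raise AccessDenied(f"role {session.role!r} has no PHI access")

        # Integrity: refuse to serve a record that fails its tag check.
        record = self._records[patient_id]
        if not verify(record, self._tags[patient_id]):
            self._audit(session, patient_id, "denied:integrity-failure", now)
            raise IntegrityError(f"record {patient_id} failed integrity check")

        self._audit(session, patient_id, "ok", now)
        return {k: v for k, v in record.items() if k in allowed}


def build_store() -> PhiStore:
    return PhiStore(SAMPLE_RECORDS)


if __name__ == "__main__":
    store = build_store()
    doctor = Session("dr-smith", "physician", now=1000.0)
    print(store.read(doctor, "patient-001", now=1010.0))
    clerk = Session("clerk-01", "billing", now=1000.0)
    print(store.read(clerk, "patient-001", now=1020.0))
    for entry in store.audit_log:
        print(entry)
```

Two design points carry over to real systems: the audit entry is written before the exception is raised, so denied attempts are recorded as faithfully as successful reads, and the integrity tag is checked on every read rather than only at rest, so a record altered in storage is caught at the point of use.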
Physical Safeguards include four standards:
- Facility Access Controls – Contingency operations (disaster recovery), facility security (safeguard assets), control of employee and visitor access, and documentation of repairs to security-related assets.
- Workstation Use – Allow only proper functions to be performed on a specific workstation or class of workstation that can access PHI.
- Workstation Security – Implement physical restrictions so that only authorized users have access.
- Device and Media Controls – Effective disposal of hardware or electronic media on which PHI is stored, or removal of PHI before re-use. Record the movements of hardware and electronic media and the person responsible for them. Create a copy of PHI, when needed, before moving equipment.
The Administrative Safeguards govern the conduct of the workforce, and the security measures put in place to protect PHI.
There are nine standards for Administrative Safeguards:
- Security Management Process – Identify where PHI is used and stored, determine the ways HIPAA could be violated, implement measures to reduce those risks, and apply sanctions to employees who fail to comply. Continually review system activity, logs, and audit trails.
- Assigned Security Responsibility - Designate HIPAA Security and Privacy Officers.
- Workforce Security - authorize and supervise employees who work with PHI, grant and remove PHI access to employees especially at the termination of employment.
- Information Access Management – Restrict parent or related entity access to PHI
- Security Awareness and Training – Monitor and manage logins and passwords, send updates and reminders regarding policies to employees, and guard against, detect, and report malicious software.
- Security Incident Procedures - Identify, document, and respond to security incidents.
- Contingency Plan – Create and periodically test contingency plans and procedures so that the organization can continue operating in emergency mode.
- Evaluation – Evaluate changes to the business or laws related to HIPAA compliance.
- Business Associate Contracts and Other Arrangements – Institute monitoring procedures to ensure partners have BAAs in place.
To be continued… The HIPAA Enforcement Rule and HIPAA Breach Notification Rule will be covered in a future post.
About the Author: David Rasmussen
David Rasmussen is the President of Extract. With 30 years’ experience leading software companies, David is driven by the challenge to consistently find groundbreaking ways to solve customer problems. David finds it rewarding to hit the customer’s target and create a great team, build a solid infrastructure, and emerge with a strong value proposition.