HIPAA Compliance

Long Island HIPAA Compliance

HeroTechs HIPAA Compliance

Give us a ring at 1-888-443-7683 for instant support!

Health Information Privacy

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information (ePHI); and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.


Who must comply with HIPAA privacy standards?

As required by Congress in HIPAA, the Privacy Rule covers the "covered entities" described further down this page:

  • Health plans
  • Health care clearinghouses
  • Health care providers that transmit health information electronically in connection with HIPAA standard transactions

How Can HeroTechs Help with HIPAA Compliance?

HeroTechs has over 20 years of combined experience providing Fortune 500 companies with essential business processes and practices, from the technologies implemented through to the writing of the policies and procedures.

  1. Analyze the Business Technology
  2. Analyze the Business Policies and Procedures
  3. Document our findings and review with Business Owner or Manager
  4. Provide Recommendations for Proper Solutions
  5. Have Business Select a HIPAA Compliance Officer
  6. Work with the HIPAA Compliance Officer to understand their New Role
  7. Implement Technology Solution Selected by Client
  8. Create Policies and Procedures Book

We essentially partner with our client and spend the time to truly understand the business and the practices of its employees.  After the analysis we document our findings and provide recommendations.  We work with the business to identify a suitable HIPAA Compliance Officer and help that person understand their new role.  We then implement the HIPAA-compliant technical solutions and finally work with your staff to write the Policy and Procedure Manual.


HIPAA Technical Considerations

VPN: Remote access to systems holding ePHI should run over a VPN whose encryption and authentication are actually strong, not merely switched on. Treat PPTP as obsolete: its usual authentication method (MS-CHAPv2) can be cracked offline from a captured handshake, and its MPPE encryption keys are derived from that same exchange, so an attacker who records a session can recover the traffic. L2TP on its own encrypts nothing; in the common L2TP/IPsec deployment the L2TP tunnel is carried inside IPsec (transport-mode ESP), and it is the IPsec layer, authenticated with certificates or a long random pre-shared key and negotiated with current ciphers (AES, SHA-2 and a 2048-bit or larger Diffie-Hellman group), that protects the data. EAP-TLS, i.e. certificate-based authentication of the PPP session, can be used with either tunnel type and is preferable to password methods, but it is an option rather than the norm for PPTP. Where the client platforms allow it, IKEv2/IPsec, OpenVPN or WireGuard are easier to deploy securely than either legacy protocol.

Virtualization: Virtualization is fast becoming the norm in corporate infrastructures. The key is not to get lax about securing virtual systems: secure each virtual machine as you would a physical box. Proper disaster recovery, encrypted remote access and monitoring of the virtual networks are all important, and VM images, snapshots and backups contain the same ePHI as the running system, so they must be encrypted and access-controlled like any other copy of the data. Keep the hypervisor and its management interface patched and off user-facing networks; a compromised hypervisor exposes every guest running on it.

ASP, Cloud, SaaS: These are applications or hosting models that run on a vendor's servers or on the internet rather than in the facility. Much of the day-to-day security falls to the vendor, but that does not clear the healthcare facility of its own obligations: a vendor that stores or processes ePHI on the facility's behalf is a business associate and must sign a business associate agreement, and the facility still owns the customer-side configuration (who has accounts, how they authenticate, what data is exported, where backups go). This is where a good consultant can help a healthcare facility choose vendors that provide adequate security and implement the system properly on the customer side.


Below are Important Facts about HIPAA


HIPAA compliance essentially means that an entity or office is following the laws set forth by Congress in all three waves of HIPAA legislation. The government has mandated that all "covered entities" must meet HIPAA requirements. These covered entities include practitioners and their offices, health care clearinghouses, employer-sponsored health plans, health insurers, and other medical providers. Newer regulations have also extended HIPAA obligations to the business associates of those covered entities, who are now directly liable for their own violations. Covered entities nonetheless remain responsible for having business associate agreements in place with everyone who handles PHI on their behalf and for ensuring those partners do their part to adhere to HIPAA requirements.

HIPAA compliance essentially boils down to one thing: safeguarding the Protected Health Information (PHI) of patients and customers.  Each entity should have one person appointed as the HIPAA Compliance Officer (the Privacy Rule calls for a privacy official and the Security Rule for a security official; in a small office these are usually the same person).  It is the Compliance Officer's job to understand the HIPAA laws and regulations and ensure that the necessary precautions and procedures are in place, and in practice, so that the entity remains compliant at all times.

Each addition to the law has raised the defenses a company needs in order to stay compliant. Under the first round of requirements, being compliant consisted mainly of a few changes to the physical procedures in some offices. Compliance or privacy officers were appointed by each entity to orchestrate changes to standard procedure, such as adding privacy at sign-in, concealing patient names from other patients, and so on.

With the addition of the Security Rule (published in 2003, with compliance required of most covered entities by 2005), being HIPAA compliant became more involved. The Security Rule addresses electronic PHI specifically and requires administrative, physical and technical safeguards: facility and workstation access controls so that a break-in does not expose records, unique user accounts and authentication for software that holds ePHI, audit logs of who accessed what, integrity controls, and encryption of ePHI in transit and at rest where a risk analysis shows it to be reasonable and appropriate.

This was the first time the security of electronic information related to PHI was addressed, and compliance now required extra safeguards such as password-protected software rather than only locked doors and cabinets.

The 2009 HITECH Act again raised the requirements by obliging entities not only to protect PHI but to have procedures for acting when a breach occurs. This includes notifying the patients and other individuals affected by the breach (as well as HHS and, for large breaches, the media), whether the breach resulted from a malicious outside act or from employees failing to follow standard protocol and procedures. In effect, HITECH requires every covered entity to have HIPAA procedures in place for the case where its standard procedures have already failed.

While the general concept of HIPAA Compliance is very simple—protecting the privacy of each individual—creating standard operating procedures that follow HIPAA requirements can be rather complex and implementation of compliance procedures can vary greatly from one covered entity to the next depending on the type of business conducted at each entity.

Privacy is a highly valued commodity and one that used to be taken for granted.  In this age of the internet and other advanced technological tools, privacy is harder and harder to protect.  It was under these evolving circumstances that Congress determined it was necessary to legislate privacy rules and guidelines in at least some domains.  HIPAA itself was enacted in 1996, and the Privacy Rule that implements its privacy provisions was published in 2000.

The HIPAA Privacy Rule took effect in 2003.  It holds that covered entities (including most healthcare providers, health plans, and healthcare clearinghouses) must take certain measures to protect the privacy of the individuals with whom they do business.  The information that must be kept private is termed Protected Health Information (PHI), a broad category covering any information about a person's health, treatment or payment for care that identifies the patient or could reasonably be used to identify them.

Protecting an individual's privacy per HIPAA requirements is more than just keeping a patient's chart closed when other patients are around.  Each entity should identify and appoint a privacy officer to oversee the privacy measures put in place and practiced at their location.  The privacy officer should train all employees on standard protocol and on changes to procedures.  Various precautions should be taken to ensure the privacy of each individual.  Some of these really are as simple as keeping patient charts closed and out of view of other patients.  Staff members should access only the information they need to do their job (the Privacy Rule's "minimum necessary" standard).  Nurses, for example, have little need to see the billing information of a patient they are treating, while a billing clerk may need that information but not the treatment notes.  Enforcing this means giving each role its own access rights in the systems that hold PHI and keeping an audit trail of who opened which record, so that misuse can be detected after the fact.  Requiring individual passwords to access information stored on computers and locking cabinets or rooms that contain PHI also help satisfy the HIPAA privacy requirements.

The HIPAA Privacy Rule also dictates when PHI can be disclosed and to whom.  Patients are entitled to their own PHI, and if they request to see any part of their own information, the covered entity must provide it within 30 days.  The Privacy Rule also requires that PHI be disclosed at other times when it is required by law, such as in cases of suspected child abuse.  Covered entities may disclose PHI for treatment, payment and health care operations without the individual's written authorization; most other disclosures require that authorization.

The extent to which covered entities must go to protect an individual's PHI varies with the type of business operation.  Researching HIPAA privacy law and trying to make sense of it all can be daunting, and getting it wrong can be costly.  It is best to seek help in creating the HIPAA privacy procedures.

One of the most important elements in safeguarding against HIPAA violations is to have a HIPAA Policies and Procedures Manual in your office.  However, having a binder labeled "HIPAA Policy" is not enough.  The office's guidelines need to be written out, used when training new employees, and referred to when questions arise.

The HIPAA legislation calls for businesses and practices to have a policy to address everything from the everyday tasks performed at that office to some of the most unlikely—yet possible—situations.  Some of the policies that should be created and included in such a manual might be overlooked at first because they are so routine and habitual for a particular business.  For example, a doctor’s office should have a guideline that addresses proper sign-in procedures that comply with HIPAA and keep as much information regarding that patient private.  There should also be a policy outlining the proper storage of patient information and files as well as the proper destruction of old paperwork.  The HIPAA Policies and Procedures manual should contain templates for letters that are sent out along with x-rays or other PHI to collaborating doctors.  There should also be a guideline that states how patients are notified that such information is being sent in order to obtain their authorization.  It may seem rather extreme to have such detailed procedures but it is safe, and in order to be truly HIPAA compliant, it is necessary.


Security

Security is no joke in the healthcare setting.  Major HIPAA/ARRA violations and security breaches can cost a healthcare facility millions of dollars in fines.

This chart is taken from the American Medical Association (AMA) summary of the HIPAA civil penalty tiers (the statutory amounts set by HITECH in 2009; HHS has since adjusted them annually for inflation, so the current figures are higher):

  • Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
    Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: this is also the maximum that can be imposed by State Attorneys General regardless of the type of violation)
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

  • Violation: HIPAA violation due to reasonable cause and not due to willful neglect
    Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

  • Violation: HIPAA violation due to willful neglect but the violation is corrected within the required time period
    Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

  • Violation: HIPAA violation is due to willful neglect and is not corrected
    Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
    Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Bares Its Teeth: $4.3 Million Fine For Privacy Violation

The health care industry's toothless tiger finally bared its teeth when the U.S. Department of Health and Human Services imposed a $4.3 million civil money penalty on a Maryland health care provider for violations of the HIPAA Privacy Rule. It was the first civil money penalty (as opposed to a negotiated settlement) that HHS had issued under the Privacy Rule since HIPAA was passed in 1996.


UCLAHS to pay HIPAA fines for employee snooping

LOS ANGELES – The University of California at Los Angeles Health System (UCLAHS) will pay $865,500 in HIPAA fines after an investigation found that its employees had been looking at the electronic protected health information of numerous patients without any job-related reason to do so.
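Auditing who opened which record is the practical counterpart of both the "access only what you need" rule described earlier on this page and the employee-snooping case just quoted. The following is an added example, not code from HeroTechs or from any organization named on this page: it reviews a constructed EHR access log for two things, a role reading a PHI category its job does not require, and clinical staff opening the records of patients they are not assigned to. The log line format, the role permissions, the care-team roster and the snooping threshold are all assumptions made for the illustration.

```python
"""
Audit-log review for record snooping and minimum-necessary violations.

Added illustration, not HeroTechs code. The log line format, the care-team
roster, the role permissions and the snooping threshold are assumptions; a
real deployment would derive the roster from orders or scheduling data and
read the events from the EHR's own audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed: the PHI categories each role needs to do its job ("minimum necessary").
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "nurse": frozenset({"demographics", "treatment"}),
    "physician": frozenset({"demographics", "treatment", "billing"}),
    "billing": frozenset({"demographics", "billing"}),
}

# Assumed: roles for which a treatment relationship is expected before a
# record is opened. Billing staff work from claims, not from a care team.
CLINICAL_ROLES: FrozenSet[str] = frozenset({"nurse", "physician"})

# Assumed care-team roster: patient -> users with a treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"nurse_a", "dr_b"},
    "P1002": {"nurse_c", "dr_b"},
    "P1003": {"nurse_c", "dr_d"},
}

# Constructed sample audit lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2011-07-06T14:02:11Z user=nurse_a role=nurse patient=P1001 category=treatment
2011-07-06T14:05:40Z user=nurse_a role=nurse patient=P1001 category=billing
2011-07-06T14:07:02Z user=clerk_x role=billing patient=P1001 category=billing
2011-07-06T14:09:15Z user=nurse_a role=nurse patient=P1002 category=treatment
2011-07-06T14:09:50Z user=nurse_a role=nurse patient=P1003 category=treatment
2011-07-06T14:12:30Z user=dr_b role=physician patient=P1002 category=treatment
"""


@dataclass(frozen=True)
class AccessEvent:
    when: str
    user: str
    role: str
    patient: str
    category: str


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    rule: str  # "minimum_necessary" or "no_treatment_relationship"


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the assumed 'timestamp k=v k=v ...' format; blank lines are skipped."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append(AccessEvent(when, fields["user"], fields["role"],
                                  fields["patient"], fields["category"]))
    return events


def review(events: List[AccessEvent], snoop_threshold: int = 2) -> Tuple[List[Finding], List[str]]:
    """Return per-event findings plus the users who read records of at least
    snoop_threshold distinct patients they had no treatment relationship with."""
    findings: List[Finding] = []
    unrelated_patients: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        # Minimum necessary: the role must be permitted to see this category.
        if ev.category not in ROLE_PERMISSIONS.get(ev.role, frozenset()):
            findings.append(Finding(ev, "minimum_necessary"))
        # Treatment relationship: clinical staff should be on the patient's care team.
        if ev.role in CLINICAL_ROLES and ev.user not in CARE_TEAM.get(ev.patient, set()):
            findings.append(Finding(ev, "no_treatment_relationship"))
            unrelated_patients[ev.user].add(ev.patient)
    suspects = sorted(u for u, pts in unrelated_patients.items() if len(pts) >= snoop_threshold)
    return findings, suspects


if __name__ == "__main__":
    found, who = review(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.event.when} {f.event.user} {f.event.patient} {f.event.category}: {f.rule}")
    print("possible snooping by:", who)
```

On the constructed log this flags the nurse who read a billing record and the same nurse opening two patients outside her assignment, and leaves the billing clerk alone. The findings are review items for the compliance officer rather than automatic violations: most EHRs allow "break-glass" emergency access with a documented reason, and the roster used here will lag real staffing changes, so the review step is where those cases are resolved.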


Healthcare IT News

Top 5 security threats in healthcare

CONCORD, NH – The growth of mobile devices, embedded devices, virtualization software, social media and the consumerization of IT are the top five security threats for healthcare organizations today, says one expert.


Health Informatics Tools:

To provide safe and effective delivery of medical care, virtually all clinical staff use a number of front-line Health Informatics Tools in their day-to-day operations. The need for standardization and refined development of these tools is underscored by the HITECH Act and other efforts to develop electronic medical records. (Often, the development of these electronic processes is hampered by the conversion from older paper processes, which were developed before the stricter development guidelines required in an electronic environment.)

To successfully implement each of these tools, hospitals generally must define who is responsible for, and a prescribed manner of building, testing, approving, coding, publishing, implementing/educating, and tracking the tool.

1. Policies and Procedures - Documents to standardize organizational standards/goals and how to achieve them

2. Procedures - Documents to help learn how to achieve a goal

3. Clinical Protocols - Documents used to help standardize and automate delivery of a common clinical therapy

4. Orders - Tools used to document and transmit an instruction to deliver care

5. Order Sets - Tools used to standardize and expedite the ordering process for a common clinical scenario

6. Clinical Pathways - Groupings of order sets, used to standardize the rounding process for a common clinical diagnosis

7. Guidelines - Documents used to communicate general care objectives for a common diagnosis

8. Clinical Documentation (includes Notes, Forms, and Flowsheets) - Documents used to record and transmit a patient's history, condition, responses, therapies, activities, and plan

9. Clinical Templates - Documents used to standardize and expedite the creation of a clinical document

10. Clinical Staff Education Modules - Documents used to educate a staff member about a common clinical subject

11. Clinical Patient Education Modules - Documents used to educate a patient about a common clinical subject

12. Clinical Staff Schedules - Documents used to determine who is responsible for care at a particular date and time

13. Clinical Committee Charters - Documents used to assign responsibility to a clinical committee to perform a particular task

14. Clinical Committee Minutes - Documents used to record the decisions and activities of a clinical committee

15. Telephone Number Lists - Documents used to help contact a clinical staff member

16. Wikis - Electronic documents used to collect information and web links for a common clinical group

17. Emails, Posters, and Staff Meetings - Tools used to make announcements and deliver short messages
