HIPAA Compliance

Every Practice is at Risk

Every covered entity must perform a risk analysis, repeat its evaluation periodically, and maintain a written set of policies and procedures in order to demonstrate HIPAA compliance.


5 Tips for creating a culture of compliance

1. Make compliance plans a priority now.
2. Know your fraud and abuse risk areas.
3. Manage your financial relationships.
4. Just because your competitor is doing something doesn’t mean you can or should.
Call 1-800-HHS-TIPS to report suspected fraud or abuse.
5. When in doubt, ask for help.

Courtesy: Office of Inspector General – Healthcare Fraud Prevention and Enforcement Action Team (HEAT)

Need to talk to an expert?

Reach out to us for a free consultation.

HIPAA Compliance Basics for your Practice

What is HIPAA Compliance?


HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Who needs to be covered?

Covered Entity

A covered entity is a health care provider, a health plan or a health care clearinghouse that, in the course of its normal activities, creates, receives, maintains or transmits PHI.

Business Associate

A “business associate” is a person or business that provides a service to – or performs a certain function or activity for – a covered entity, where that service, function or activity requires the business associate to create, receive, maintain or transmit PHI on the covered entity's behalf. The relationship must be documented in a written business associate agreement.

What safeguards are needed?

Technical

The Technical Safeguards concern the technology used to protect ePHI and to control access to it: access controls with unique user identification, audit logging, integrity controls, person or entity authentication, and transmission security. The Security Rule lists encryption as an “addressable” specification rather than an outright requirement, but in practice ePHI – whether at rest or in transit – should be encrypted in line with NIST guidance whenever it leaves the organization's own controlled network or devices. Only ePHI encrypted in that way counts as “secured”, so the loss of an encrypted laptop or backup does not trigger breach notification, whereas the loss of an unencrypted one does.

Physical

The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access, and how media holding ePHI should be tracked, reused and disposed of.

Administrative

The Administrative Safeguards are the policies and procedures that bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist: they require a Security Officer and a Privacy Officer to be designated and made responsible for putting the measures that protect ePHI in place, and they also govern the conduct of the workforce through training, sanctions and documented risk management.

Additional Rules for HIPAA Compliance

HIPAA Privacy Rule

The HIPAA Privacy Rule governs how PHI in any form – paper, spoken or electronic, not only ePHI – may be used and disclosed. In force since April 2003, the Privacy Rule applies to health care providers, health plans (including employer-sponsored group health plans), health care clearinghouses and – from 2013, under the Omnibus Rule – directly to the Business Associates of covered entities.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals when there is a breach of their unsecured PHI. The rule also requires notification of the Secretary of HHS, submitted through OCR. For a breach affecting 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after discovery, and a notice must be issued to prominent media outlets serving the affected state or jurisdiction. For a breach affecting fewer than 500 individuals, the entity may log the breach and report it to HHS no later than 60 days after the end of the calendar year in which it was discovered. A business associate that discovers a breach must notify the covered entity, which remains responsible for the individual, HHS and media notifications.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule was introduced to address a number of areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors.

Covered entities are also advised to:

  • Provide training to employees so they know what information may – and may not – be shared outside of the organization's permitted uses and disclosures.
  • Take appropriate steps to maintain the integrity of ePHI and of the personal identifiers of patients.
  • Obtain written authorization from patients before their health information is used for purposes such as marketing, fundraising or research.

Covered entities should also make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, the option for patients to restrict disclosure of PHI to a health plan when they have paid for a service in full out of pocket, and the option of providing an electronic copy of their records to a patient on request.

Before notifying anyone, the covered entity must decide whether an impermissible use or disclosure is a reportable breach. Under the Omnibus Rule it is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised, considering at least the following factors:

  • The nature and extent of the PHI involved, including the types of personal identifiers exposed and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made (if known).
  • Whether the PHI was actually acquired or viewed (if known).
  • The extent to which the risk to the PHI has been mitigated.

Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must describe what happened, including the date of the breach and the date it was discovered (if known), and the types of unsecured PHI involved; inform the individual of the steps they should take to protect themselves from potential harm; include a brief description of what the covered entity is doing to investigate the breach, mitigate harm and prevent further breaches and security incidents; and give contact details for questions.

The Omnibus Rule amends HIPAA regulations in five key areas:

  • Introduction of the final amendments to the Privacy, Security and Enforcement Rules required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Incorporation of the increased, tiered civil money penalty structure required by HITECH.
  • Replacement of the earlier “harm threshold” with a presumption that an impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability of compromise, together with the final rule on Breach Notification for Unsecured Protected Health Information under HITECH.
  • Modification of HIPAA to include the provisions of the Genetic Information Nondiscrimination Act (GINA), prohibiting health plans from using or disclosing genetic information for underwriting purposes.
  • A requirement for patient authorization before PHI is sold or used in marketing communications paid for by a third party, and a right for patients to opt out of fundraising communications.

Definitions were also changed: the term Business Associate was broadened, the term Workforce was amended to include employees, volunteers and trainees, and the scope of what is classified as Protected Health Information was revised.

HIPAA Risk Assessment: Ongoing Process
