- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have updated Business Associate Agreements?
Netcentric HIPAA specialists will provide a clear and concise implementation plan based on the new HIPAA regulations, guiding your practice towards compliance. We will identify and mitigate the risks in your IT infrastructure, educate your staff on practice-specific policies and procedures, and provide audit support, giving you peace of mind. Call or email us today!
Below is a partial list of compliance requirements that Netcentric HIPAA specialists will help you meet:
HIPAA Administrative Requirements
Risk Analysis: Perform and document a risk analysis to determine where protected health information (PHI) is being used and stored, then identify every area at risk of a HIPAA violation.
Risk Management: Implement measures sufficient to reduce these risks to an appropriate level.
Sanction Policy: Implement sanction policies for employees who fail to comply.
Information Systems Activity Reviews: Regularly review system activity, logs, audit trails, etc.
Officers: Designate HIPAA Security and Privacy Officers
Employee Oversight: Implement procedures to authorize and supervise employees who work with protected health information, and for granting and removing that access. Apply the sanction policy to any employee who accesses this information without authorization.
Multiple Organizations: Ensure that protected health information is not accessed by parent or partner organizations or by subcontractors that are not authorized for access.
Electronic Protected Health Information Access: Implement procedures for granting access to electronic protected health information (ePHI) based on an individual's role or function.
Security Reminders: Periodically send updates and reminders of security and privacy policies to employees.
Protection Against Malware: Have procedures for guarding against, detecting, and reporting malicious software.
Login Monitoring: Monitor login attempts to systems holding ePHI and report discrepancies, such as repeated failed logins or logins at unusual times.
Password Management: Ensure there are procedures for creating, changing, and protecting passwords.
Response and Reporting: Identify, document, and respond to security incidents.
Contingency Plans: Ensure there are accessible backups of ePHI and procedures to restore any lost data.
Contingency Plans Updates and Analysis: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
Emergency Mode: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Evaluations: Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
Business Associate Agreements: Have Business Associate Agreements (BAAs) with business partners who will have access to your protected health information, to ensure that they will be compliant. Choose partners that have similar agreements with any of their own partners to which they extend that access.
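Login monitoring and information systems activity review in practice, as an added example that is not part of the original page: the script below parses a few constructed authentication log lines (the log format, the user roster, the business hours and the thresholds are all assumptions chosen for illustration) and flags the discrepancies a reviewer would report: bursts of failed logins, successful logins outside business hours, and logins by accounts that are not on the authorized roster.

```python
"""Review constructed login events for the discrepancies a HIPAA activity
review should report. Added example; format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> user=<id> result=<success|failure> src=<ip>
SAMPLE_LOG = """\
2015-01-12T08:02:11 user=jdoe result=success src=10.1.4.22
2015-01-12T08:05:40 user=asmith result=failure src=10.1.4.31
2015-01-12T08:05:52 user=asmith result=failure src=10.1.4.31
2015-01-12T08:06:03 user=asmith result=failure src=10.1.4.31
2015-01-12T08:06:30 user=asmith result=success src=10.1.4.31
2015-01-12T23:14:09 user=jdoe result=success src=203.0.113.7
2015-01-12T09:10:00 user=contractor7 result=success src=10.1.4.40
"""

# Assumed roster of users authorized to log in to systems holding ePHI.
AUTHORIZED_USERS = {"jdoe", "asmith", "rlee"}
BUSINESS_HOURS = (7, 19)            # successes outside 07:00-18:59 are flagged
FAILURE_THRESHOLD = 3               # this many failures ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window is a burst


def parse_line(line):
    """Split one log line into a dict with a datetime and the key=value fields."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "user": kv["user"],
            "result": kv["result"], "src": kv["src"]}


def review_logins(log_text, authorized=AUTHORIZED_USERS, hours=BUSINESS_HOURS,
                  threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Return a list of (rule, user, detail) findings, in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    failures = defaultdict(list)  # user -> timestamps of failures still in window
    for e in events:
        user, ts = e["user"], e["ts"]
        # Any login attempt by an account that is not on the roster is reported.
        if user not in authorized:
            findings.append(("unauthorized_user", user,
                             "%s from %s" % (ts.isoformat(), e["src"])))
        if e["result"] == "failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            # Report once, when the threshold is first reached in the window.
            if len(recent) == threshold:
                findings.append(("failure_burst", user,
                                 "%d failures within %s" % (len(recent), window)))
        elif not (hours[0] <= ts.hour < hours[1]):
            findings.append(("after_hours_login", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_logins(SAMPLE_LOG):
        print(rule, user, detail)
```

The sample run reports one burst of failures for asmith, one login by an account (contractor7) that is not on the roster, and one after-hours login by jdoe. The same three rules are the ones a reviewer would follow up on: the burst with the user, the off-roster account with the manager who should have requested access, and the after-hours login with the source address.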
HIPAA Physical Requirements
Contingency Operations: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control and Validation: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility when those facilities are related to security.
Workstations: Implement policies governing what software can or must be run, and how it should be configured, on systems that provide access to protected health information. Safeguard all workstations providing access to protected health information and restrict their use to authorized users.
Devices and Media Disposal and Re-use: Create procedures for the secure final disposal of media that contain protected health information and for the reuse of devices and media that could have been used for viewing or storing protected health information.
Media Movement: Record movements of hardware and media associated with the storage of the protected health information. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
HIPAA Technical Requirements
Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
Emergency Access: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information where deemed appropriate. This is an addressable specification: if you decide not to encrypt, document why and what equivalent measure you use instead.
Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Protected Health Information Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communications network.
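To make the technical safeguards above concrete, here is an added Python example (not from the original page or any Netcentric product) that implements several of them in one small access layer: a unique per-user identifier on every session, a hash-chained append-only audit trail (Audit Controls), an HMAC-SHA256 tag over each stored record so improper alteration is detected on read (Protected Health Information Integrity), and an inactivity timeout that forces logoff (Automatic Logoff). The key, the record format, the 15-minute timeout and the patient data are assumptions for illustration.

```python
"""Added example: minimal ePHI access layer with audit trail, integrity tags
and automatic logoff. Key, record format and timeout are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Assumed for illustration; in production the key comes from a secrets store.
INTEGRITY_KEY = b"example-key-replace-with-managed-secret"
SESSION_TIMEOUT = timedelta(minutes=15)  # assumed inactivity threshold
GENESIS = "0" * 64                       # previous-hash value for the first entry


def _canonical(obj):
    """Canonical JSON bytes so that equal records always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record):
    """Integrity: keyed tag over the record; an attacker without the key cannot forge it."""
    return hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag):
    return hmac.compare_digest(seal_record(record), tag)


class AuditTrail:
    """Audit controls: each entry carries the hash of the previous entry, so
    altering or deleting any entry breaks the chain on verification."""

    def __init__(self):
        self.entries = []

    def append(self, user_id, action, record_id, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user_id, "action": action, "record": record_id,
                "time": when.isoformat(), "prev": prev}
        body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(body)

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Session:
    """Automatic logoff: the session dies after SESSION_TIMEOUT of inactivity."""

    def __init__(self, user_id, started):
        self.user_id = user_id  # unique per person, never a shared login
        self.last_activity = started
        self.active = True

    def touch(self, now):
        if now - self.last_activity > SESSION_TIMEOUT:
            self.active = False
        if self.active:
            self.last_activity = now
        return self.active


class PhiStore:
    """Every read and write requires a live session and is written to the audit trail."""

    def __init__(self, audit):
        self.audit = audit
        self.records = {}  # record_id -> [record, tag]

    def put(self, session, record_id, record, now):
        if not session.touch(now):
            raise PermissionError("session expired: automatic logoff")
        self.records[record_id] = [dict(record), seal_record(record)]
        self.audit.append(session.user_id, "write", record_id, now)

    def get(self, session, record_id, now):
        if not session.touch(now):
            raise PermissionError("session expired: automatic logoff")
        record, tag = self.records[record_id]
        if not verify_record(record, tag):
            raise ValueError("integrity check failed for " + record_id)
        self.audit.append(session.user_id, "read", record_id, now)
        return record


def demo():
    """Normal use, then a tampered record, a tampered audit trail and an idle session."""
    audit, t0 = AuditTrail(), datetime(2015, 1, 12, 9, 0, 0)
    store, s = PhiStore(audit), Session("u1042", t0)
    store.put(s, "pt-001", {"mrn": "000123", "dx": "J45.20"}, t0 + timedelta(minutes=1))
    rec = store.get(s, "pt-001", t0 + timedelta(minutes=2))
    results = {"read_ok": rec["dx"] == "J45.20", "chain_ok": audit.verify()}
    store.records["pt-001"][0]["dx"] = "Z00.00"  # alteration that bypasses the API
    try:
        store.get(s, "pt-001", t0 + timedelta(minutes=3))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    audit.entries[1]["action"] = "noop"  # attempt to hide the earlier read
    results["audit_tamper_detected"] = not audit.verify()
    idle = Session("u1042", t0)
    results["logged_off"] = not idle.touch(t0 + timedelta(minutes=16))
    return results
```

demo() returns a dict of booleans, all true: the legitimate read succeeds and the chain verifies, the altered record is rejected on the next read, the edited audit entry breaks the chain, and the idle session is logged off. In a deployed system the audit entries would also be shipped to write-once storage and the integrity key rotated through a managed secrets service; neither is shown here.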
That’s everything, right?
Not quite, but it’s a start. This is as basic a summary as there is, and adjustments may be necessary in certain areas depending on how HIPAA’s rules and regulations apply to your specific organization. Netcentric HIPAA specialists can assist with any further questions.
With the start of a new year, many organizations take a second look at their business and make necessary changes. This is looking like a challenging year in terms of data security. The New Year brings back the Office for Civil Rights (OCR) HIPAA audits. Both HIPAA Covered Entities (CEs) and Business Associates (BAs) will need to prepare for a potential OCR audit. In addition, the data breaches that made headlines in 2014 will surely continue into 2015. Protecting data will be an issue that every organization needs to be concerned about.
The HIPAA audits that will occur in 2015 will affect only a small number of organizations, but they mark the start of a permanent audit program. In addition, the audits will look at Business Associates (BAs) for the first time. Organizations have to realize that random audits are only one way that OCR may scrutinize your HIPAA compliance program. Others include data breaches, patient or employee HIPAA privacy complaints, and breaches by downstream BAs, to name a few.
The Office for Civil Rights (OCR) is the enforcement arm of HHS and has vowed to levy large fines on organizations that suffer data breaches and are found to have neglected HIPAA safeguards. The practice of making an example of organizations that do not comply with HIPAA safeguards appears to be in full force.
The following is a summary of the major changes to HIPAA under the new Final Rule:
1. Breach Notification Standard Lowered - In perhaps the most significant change under the Final Rule, the new regulations considerably alter what constitutes a breach of Protected Health Information (PHI) and whether the breach notification requirements are triggered. Under the current HIPAA regulations, to determine whether a breach has occurred (and whether a breach notification is required), a Covered Entity or Business Associate must conduct a risk assessment to determine whether the use or disclosure of PHI in question "poses a significant risk of financial, reputational, or other harm to the individual." Under the Final Rule, an improper use or disclosure of PHI is now presumed to be a breach unless the Covered Entity or Business Associate "demonstrates that there is a low probability that the protected health information has been compromised" through a risk assessment of at least four factors set forth in the new regulations:
(i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
(ii) The unauthorized person who used the PHI or to whom the disclosure was made.
(iii) Whether the PHI was actually acquired or viewed.
(iv) The extent to which the risk to the PHI has been mitigated.
This "presumption of breach" standard is a much lower standard than the previous "significant risk of harm" standard and is likely to lead to more breach notifications from Covered Entities and their Business Associates.
2. Expanded Definition of Business Associate - The Final Rule broadens the definition of Business Associate under HIPAA, such that HIPAA now applies to a whole new group of entities that will all need to be compliant by September 23, 2013. The Final Rule clarifies that the following persons and entities are now Business Associates under HIPAA:
(i) Any person or entity that provides data transmission services of PHI to a Covered Entity and requires access on a routine basis to such PHI. (Covered Entities will need to review their relationships with vendors and others who transmit PHI on their behalf and determine whether that person or entity requires access to its PHI on a routine basis. Many Covered Entities will gain an expanded list of Business Associates through this clarification of the Final Rule and will need to put Business Associate Agreements in place by the compliance date.)
(ii) Any subcontractor of a business associate that handles PHI. (If a Business Associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is now a Business Associate under HIPAA, and under the new regulations, there must be a written agreement in place between the Business Associate and its subcontractor that meets all of the requirements of a Business Associate Agreement under HIPAA. The Final Rule also makes it clear that in this situation, it is the Business Associate who retains the subcontractor, and not the Covered Entity, that is responsible for ensuring there is a proper Business Associate Agreement in place.)
(iii) Any entity that maintains PHI on behalf of a Covered Entity. (Under the Final Rule, a Business Associate now includes a person or entity that maintains PHI on behalf of a Covered Entity, even if that person or entity does not access or view the PHI. If a Covered Entity uses an outside organization to store and/or maintain its PHI, it now needs to make sure it has a Business Associate Agreement in place with that vendor that meets all the requirements under HIPAA.)
3. Application of HIPAA to Business Associates - The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates, and provides that if a Business Associate violates any HIPAA provision that is now directly applicable to it, the Business Associate is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, Business Associates are now directly liable for:
(i) Impermissible uses or disclosures of PHI;
(ii) Failure to provide proper breach notification to a Covered Entity;
(iii) Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity, individual, or individual's representative;
(iv) Failure to disclose PHI when required by HHS to investigate the Business Associate's compliance with HIPAA;
(v) Failure to provide an accounting of disclosures;
(vi) Failure to comply with the applicable requirements of the Security Rule.
Perhaps most significantly, the Final Rule provides that if a Business Associate violates a provision of a Business Associate Agreement, that contractual violation is now a HIPAA violation. The Final Rule also states that Business Associates must comply with HIPAA's "minimum necessary" standard and only use, disclose, or request PHI from another entity if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
4. New Requirements for Business Associate Agreements - An organization's Business Associate Agreements may need to be amended or updated to comply with the Final Rule. Under the new regulations, Business Associate Agreements must now require that the Business Associate will do the following:
(i) Comply, where applicable, with the HIPAA Security Rule;
(ii) Report breaches of unsecured PHI to the Covered Entity as required under the breach notification rules;
(iii) Make certain that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate (there must now be a Business Associate Agreement in place between a Business Associate and its subcontractors in these circumstances); and
(iv) Comply with the requirements of the HIPAA Privacy Rule whenever the Business Associate is required to perform the Covered Entity's obligation under the Privacy Rule.
Business Associate Agreements entered into prior to January 25, 2013, between Covered Entities and Business Associates (as well as Business Associates and their subcontractors) that are not renewed or modified between March 26, 2013, and September 23, 2013, and that met the requirements of HIPAA and HITECH prior to January 25, 2013, will be granted grandfathered status and deemed to continue in compliance until September 23, 2014, or the date the contract is renewed or modified, whichever occurs first. All other Business Associate Agreements must be in compliance with the new regulations by September 23, 2013.
5. New Requirements for Notice of Privacy Practices - The Final Rule requires Covered Entities to revise their Notice of Privacy Practices to include a statement that:
(i) Describes the types of uses and disclosures that require authorization under HIPAA (if the Covered Entity intends to engage in any of them);
(ii) Informs individuals that they have the right to opt out of receiving fundraising communications (if the Covered Entity uses PHI to conduct fundraising activities);
(iii) Informs individuals that they have a right to pay out-of-pocket for a service and the right to require that the Covered Entity not submit PHI to the individual's health plan if they do so; and
(iv) Informs individuals that the Covered Entity has a duty to notify affected individuals following a breach of unsecured PHI.
6. Fundraising - The Final Rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of individuals' health information without their permission. The Final Rule tightens the rules about providing individuals the opportunity to opt out of receiving future fundraising materials and requires clear instructions on how to opt-out.
7. Expanded Patient Rights - Under the Final Rule, a Covered Entity is required to abide by an individual's request to restrict the disclosure of PHI to a health plan if the individual, or someone on behalf of the individual, has paid the Covered Entity in full. The new regulations also provide that if an individual requests an electronic copy of their PHI, then a Covered Entity must provide access to that information in electronic form, if it is readily producible in that form. So a Covered Entity will have to produce PHI in an electronic format if it maintains records electronically (as it is considered readily producible in this circumstance). Further, under the Final Rule, if an individual directs a Covered Entity, in a signed writing, to electronically transmit a copy of the PHI to another person designated by that individual, then the Covered Entity must transmit the PHI electronically to that party. Additionally, HIPAA now permits a Covered Entity only one 30-day extension to respond to a request for access. Finally, the new regulations streamline individuals' ability to authorize the use of their health information for research purposes and make it easier for parents and others to give permission to share proof of a child's immunization with a school.
8. Increased Flexibility with PHI of Deceased Patients - Under the Final Rule, Covered Entities are now permitted to disclose PHI to a decedent's family members and others who were involved in the patient's care, or payment for that care, prior to death, unless doing so would be inconsistent with any prior expressed preferences known to the Covered Entity. This is limited to disclosing PHI that is relevant to the family member or other person's involvement in the individual's healthcare or payment. Additionally, under the new HIPAA regulations, health information is no longer PHI after a patient has been dead for 50 years.
9. Civil Monetary Penalties - The Final Rule retains the increased civil monetary penalties for HIPAA violations that were set forth under the HITECH Act. The new tiered penalty system currently applies to Covered Entities and under the Final Rule it will be applicable to Business Associates and their subcontractors. The penalty amounts range from $100 per violation, up to a maximum penalty of $1.5 million for violations of the same HIPAA provision in a calendar year. Penalties in the four-tiered system increase based on the level of culpability. The lowest level of penalties ($100 to $50,000 per violation) applies to situations where the Covered Entity or Business Associate did not know about the HIPAA violation. The highest penalty level, which starts at $50,000 per violation, applies when the Covered Entity or Business Associate demonstrated "willful neglect" in violating HIPAA, and it failed to correct the violation.