HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions 724-942-1337

Important Terms

Covered Entities (CEs): The HIPAA Privacy Rule refers to three specific groups as covered entities: health plans, healthcare clearinghouses, and health care providers that transmit health information electronically.

Business Associates (BAs): A person or organization that conducts business with a covered entity involving the use or disclosure of individually identifiable health information.

Electronic Medical Records (EMRs): Digital versions of the paper charts in a clinician's office. An EMR contains the medical and treatment history of the patients in one practice.

Electronic Health Records (EHRs): EHRs focus on the total health of the patient, going beyond the standard clinical data collected in the provider's office to give a broader view of a patient's care. EHRs are designed to reach out beyond the health organization that originally collects and compiles the information. They are built to share information with other health care providers, such as laboratories and specialists, so they contain information from all the clinicians involved in the patient's care.

Medical Practice Management Software (PMS): A category of healthcare software that deals with the day-to-day operations of a medical practice. Such software frequently allows users to capture patient demographics, schedule appointments, maintain lists of insurance payers, perform billing tasks, and generate reports.

Subcontractor: A person or organization to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of that business associate.

This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your business can achieve compliance.

Safe Harbor Provision: Under the HIPAA Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not "unsecured PHI", so the loss or theft of such data does not trigger the breach notification obligations. MSPs and VARs therefore substantially reduce their breach exposure when the health data they handle is encrypted to that standard, provided the decryption keys are not compromised along with the data. The encryption processes referenced in that guidance, drawn from National Institute of Standards and Technology (NIST) publications, may be found here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

HIPAA

The United States requirements for securely managing information systems in health care are substantially governed by federal regulations, specifically HIPAA. The detailed requirements and responsibilities are covered by the HIPAA Omnibus Rule, issued in January 2013. Initially, these regulations for safeguarding health information applied primarily to health care delivery providers and insurers, known as covered entities. However, the 2013 Omnibus Rule requires that business associates of these covered entities must now also be HIPAA compliant. All existing and new business associates must achieve compliance by September 23, 2013. The data covered under this requirement is known as Protected Health Information (PHI).

The new HIPAA rules specifically define cloud service providers (CSPs) as business associates: "...document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold." Thus MSPs and VARs of cloud-based services and products are also business associates and must also achieve HIPAA compliance. While health care demand for information technology, and especially for secure storage, is vast, MSPs and VARs must have a clear strategy and plans for reducing potential liability.

A summary of the HIPAA Security Rule may be found here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Electronic Protected Health Information (ePHI): Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Under HIPAA, PHI that is linked to an individual through any of the following 18 identifiers must be treated with special care:
Names
Dates (other than year) directly related to the individual
Geographic identifiers (subdivisions smaller than a state)
Social Security numbers
Health insurance beneficiary numbers
Fax numbers
Phone numbers
Email addresses
Medical record numbers
Account numbers
Certificate / license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers
Full-face photographic images
Any other unique identifying number, characteristic, or code

HITECH Act

Covered entities are liable under the final rule for violations resulting from the acts or omissions of a business associate if that business associate is an agent of the covered entity and is acting within the scope of the agency arrangement. If the business associate is not acting within the scope of that agency arrangement, the business associate itself is liable. Likewise, a business associate is liable for violations resulting from the acts or omissions of a subcontractor if that subcontractor is an agent of the business associate and is acting within the scope of that agency arrangement.

Business associates must comply with the final rule beginning September 23, 2013. However, there is a special one-year transition period for bringing existing business associate agreements into compliance with the final rule.

Civil penalties for willful neglect are increased under the HITECH Act. They can reach $50,000 per violation, with an annual maximum of $1.5 million for identical violations that are repeated or left uncorrected.

HIPAA Omnibus Rule

Business associates now include any of the following types of entities:
A health information organization, e-prescribing gateway, or any other entity that provides data transmission services to a covered entity and requires routine access to PHI.
An entity that offers a personal health record on behalf of a covered entity. If the personal health record is not offered on behalf of a covered entity, the personal health record vendor is not a business associate.
A subcontractor of a covered entity, as well as any subcontractor of a business associate, if the subcontractor accesses the covered entity's PHI.
Any person who creates, receives, maintains, or transmits PHI on behalf of a covered entity.

This rule change also covers subcontractors of business associates and requires a covered entity's (CE's) business associates to enter into business associate agreements (BAAs) with their own subcontractors who will receive, create, or transmit PHI on their behalf.

HIPAA Safeguards

Under HIPAA, all covered entities and business associates must secure health information under a prescribed controls framework that provides adequate safeguards for physical facilities, administrative requirements (e.g. adequate security policies), and technical infrastructure. MSPs and VARs must have a clear strategy and plans for reducing potential liability. Steps that need to be taken include:
Ensuring the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit
Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
Protecting against reasonably anticipated, impermissible uses or disclosures
Ensuring compliance by the internal workforce and subcontractors

If MSPs handle or have access to unencrypted ePHI, they must also conduct a security risk analysis that includes the following activities:
Evaluating the likelihood and impact of potential risks to ePHI
Implementing appropriate security measures to address the risks identified in the risk analysis
Documenting the chosen security measures and the rationale for adopting them
Maintaining continuous, reasonable, and appropriate security protections

Risk analysis should be an ongoing process: the organization reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures in place, and regularly re-evaluates potential risks to ePHI.

The following sections describe in more depth the administrative, physical, and technical safeguard requirements that MSPs and VARs must meet to protect themselves from liability. Use the checklists to see whether your organization meets the necessary standards.

Administrative

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

Risk Analysis: Risk analysis must be an ongoing process in which the organization reviews its records to track access to covered-entity ePHI and detect security incidents, periodically evaluates the effectiveness of security measures, and regularly re-evaluates risks to ePHI. Each analysis must document the following: evaluate the likelihood and impact of potential risks to ePHI; implement appropriate security measures to address the risks identified in the risk analysis; document the chosen security measures and, where required, the rationale for adopting them; and maintain continuous, reasonable, and appropriate security protections. NIST SP 800-30 details how to conduct a security risk analysis: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Risk Management: Implement measures sufficient to reduce these risks to an appropriate level.
Sanction Policy: Implement sanction policies for employees who fail to comply.
Information System Activity Reviews: Regularly review system activity, logs, audit trails, etc.
Officers: Designate HIPAA Security and Privacy Officers.
Employee Procedures: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing employees' access to PHI.
Business Associate & Subcontractor Agreements: Have special contracts with business partners who will have access to PHI to ensure that they will be compliant.
Organizations: Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
ePHI Access: Implement procedures for granting access to ePHI and for documenting access to ePHI, or to services and systems which grant access to ePHI.
Security Reminders: Periodically send updates and reminders of security and privacy policies to employees.

Protection against Malware: Have procedures for guarding against, detecting, and reporting malicious software.
Password Management: Ensure there are procedures for creating, changing, and protecting passwords.
Login Monitoring: Institute monitoring of logins to systems and reporting of discrepancies.
Reporting: Identify, document, and respond to security incidents.
Contingency Plans: Ensure there are accessible backups of ePHI and that there are procedures for restoring any lost data.
Contingency Plan Updates and Analysis: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
Emergency Mode: Establish procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.

Physical

Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Contingency Operations: Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
Facility Security: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Workstations: Implement policies governing what software can/must be run and how it should be configured on systems that provide access to ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
Media Movement: Record movements of hardware and media associated with ePHI storage. Create retrievable, exact copies of ePHI, when needed, before moving equipment.

Device and Media Disposal and Re-use: Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.

Technical

The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.

Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI when deemed appropriate.
Emergency Access: Establish procedures for obtaining necessary ePHI during an emergency.
Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communications network.
ePHI Integrity: Implement policies and procedures to protect ePHI from improper alteration or destruction.
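The Safe Harbor provision earlier in this guide and the Encryption and Decryption and ePHI Integrity items above both come down to the same engineering requirement: ePHI at rest must be encrypted with a NIST-approved algorithm, and any alteration of the stored data must be detectable. The following Go program is an added example written for this edit; it is not code from the original guide or from Pittsburgh Computer Solutions. It uses AES-256-GCM from the Go standard library and binds each ciphertext to a hypothetical record identifier (the `recordID` associated-data convention and the sample record are assumptions for illustration, not a format the guide prescribes).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example: AES-256-GCM encryption of an ePHI record at rest.
// AES in GCM mode is a NIST-approved cipher and authenticated mode; the
// authentication tag makes improper alteration of the stored record
// detectable on decryption (the "ePHI Integrity" safeguard).

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit data-encryption key. In production
// the key is kept in a KMS/HSM separate from the ciphertext: if the key is
// compromised together with the data, the breach-notification safe harbor
// no longer applies.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one ePHI record. recordID (an assumed naming
// convention) is bound as associated data so a ciphertext cannot be
// silently swapped between patient records. Output layout:
// nonce || ciphertext || GCM tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; a nonce must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord decrypts and authenticates a record produced by SealRecord.
// Any change to the nonce, ciphertext, tag or recordID makes it fail.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// TamperDetected flips one byte of the stored blob and reports whether
// decryption rejects the altered record.
func TamperDetected(key []byte, recordID string, blob []byte) bool {
	forged := append([]byte(nil), blob...)
	forged[len(forged)-1] ^= 0x01 // corrupt the last byte of the GCM tag
	_, err := OpenRecord(key, recordID, forged)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demo; not real patient data.
	record := []byte(`{"mrn":"MRN-000123","dob":"1970-01-01","dx":"J18.9"}`)
	blob, err := SealRecord(key, "MRN-000123", record)
	if err != nil {
		panic(err)
	}
	back, err := OpenRecord(key, "MRN-000123", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(back) == string(record))
	_, err = OpenRecord(key, "MRN-000999", blob) // wrong record ID
	fmt.Printf("wrong record id rejected: %v\n", err != nil)
	fmt.Printf("tamper detected: %v\n", TamperDetected(key, "MRN-000123", blob))
}
```

The design choice worth noting for an MSP is the separation of key from data: encrypting a backup set and then storing the key beside it on the same media gives no safe harbor, because the HHS guidance only counts data as secured when the decryption key has not been breached along with it.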