HIPAA Compliance and the Protection of Patient Health Information




HIPAA Compliance and the Protection of Patient Health Information
WHITE PAPER
By Swift Systems Inc.
April 2015
Swift Systems Inc., 7340 Executive Way, Ste M, Frederick MD 21704

Contents
- Introduction
- Risks
- HIPAA Objectives
- Covered Entities
- Business Associates
- Penalties for Non-Compliance
- Criminal Penalties
- Civil Penalties
- Impact on Business
- The HIPAA Security Rule
- Security Rule Requirements
- Security Measures
- The Contingency Plan
- The HIPAA Omnibus Rule
- Definition of Business Associates
- The Conduit Exception
- Business Associate Agreement & Mandatory Provisions
- Swift Systems Solution for HIPAA Compliance
- Legal Disclosure

Introduction

As technology moves forward at an ever faster pace, patient privacy has taken center stage, and with it the concerns surrounding digital security. Digital record keeping has become the de facto norm for medical practices, and healthcare organizations must understand the risks that come with it. Risk mitigation is crucial to protect patients and healthcare organizations alike.

Risks

Risks associated with digital record keeping include:
- A disaster that physically damages the integrity of patient data or destroys it outright.
- Corruption or loss of patient data through viruses or other malware.
- Theft or corruption of patient data by external attackers or physical intruders.
- Theft or corruption of patient data by internal staff.
- Accidental loss or theft of mobile devices, such as laptops and tablets, that hold patient data.

HIPAA Objectives

The Health Insurance Portability and Accountability Act ("HIPAA") was enacted by Congress in 1996. Its Administrative Simplification provisions directed the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and for the privacy and security of health information, holding healthcare providers, health plans and clearinghouses accountable for the protection of patient data. HIPAA's core objectives were to mandate patient confidentiality while promoting the portability of records, so that authorized healthcare providers and ancillary persons have appropriate access to them. Consistency was also a goal, not only across the healthcare industry but within each provider's own operations.

The ultimate objective of HIPAA is the protection of healthcare systems containing patient data, and the promotion of patient confidence in the integrity and security of their private information.

Covered Entities

The term Covered Entity defines who must comply with HIPAA: health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with a HIPAA standard transaction (for example, claims or eligibility checks). A Covered Entity must institute appropriate measures to protect patient data, comprising administrative, physical and technical safeguards. Among other things, a Covered Entity must establish:
- A Data Backup Plan.
- A Disaster Recovery Plan.
- An Emergency Mode Operation Plan.

HIPAA provided for a compliance regime, together with penalties for violators. Penalties were increased and broadened in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health Act ("HITECH"), part of the American Recovery and Reinvestment Act, which also extended HIPAA's direct obligations to Business Associates of Covered Entities, such as the vendors of medical practices.

Business Associates

Business Associates include vendors and providers of Electronic Health Records (EHR) systems and any other person or organization that creates, receives, maintains or transmits protected health information on a Covered Entity's behalf; such parties can be held directly accountable under HIPAA. Compliance with HIPAA demonstrates your commitment to patient privacy and confidentiality, and to preventing the loss of patient information through a security breach and the financial loss that follows.

Penalties for Non-Compliance

Penalties for non-compliance with HIPAA are severe, and are divided into criminal and civil penalties:

Criminal Penalties

Under 42 U.S.C. § 1320d-6, knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA carries tiered penalties:
- Fines of up to $50,000 and imprisonment of up to one year.
- If committed under false pretenses, fines of up to $100,000 and imprisonment of up to five years.
- If committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm, fines of up to $250,000 and imprisonment of up to ten years.

Civil Penalties

Civil money penalties (45 CFR 160.404, as amended by HITECH) are tiered by culpability: from $100 to $50,000 per violation where the entity did not know of the violation, $1,000 to $50,000 where there was reasonable cause, $10,000 to $50,000 where willful neglect is demonstrated but corrected within 30 days, and $50,000 per violation where willful neglect is not corrected. Penalties for violations of an identical provision are capped at $1.5 million per calendar year, and repeat or uncorrected violations fall into the highest tier.

Impact on Business

Aside from the civil and criminal penalties that may be levied for violations, there is the considerable risk of losing patient business and commercial partnerships, and of the attendant negative publicity.

The HIPAA Security Rule

The HIPAA Security Rule (45 CFR Part 164, Subpart C) covers all electronic protected health information (ePHI): patient health data that a Covered Entity or Business Associate creates, receives, maintains or transmits in electronic form, including data held on electronic media.

Security Rule Requirements

45 CFR 164.306(a) requires Covered Entities and Business Associates to:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of that information.
- Protect against any reasonably anticipated uses or disclosures of that information that are not permitted or required under Subpart E (the Privacy Rule). The Privacy Rule, not the "reasonably anticipated" language, determines which uses and disclosures are permitted.
- Ensure compliance with the Security Rule by their workforce.

Security Measures

HIPAA gives Covered Entities flexibility in how they implement these requirements. Phrases such as "reasonably anticipated" make clear that the specific security measures and procedures are left to the Covered Entity to determine. That in turn requires the Covered Entity to understand what security measures are available and, more particularly, what threats can reasonably be anticipated. Under 164.306(b)(2), the decision as to which security measures to implement must take into account:
- The size, complexity and capabilities of the Covered Entity.
- Its technical infrastructure, hardware and software security capabilities, including the protections already in place.
- The costs of the security measures.
- The probability and criticality of potential risks to ePHI, which is what the risk analysis required by 164.308(a)(1)(ii)(A) is meant to establish.

The Contingency Plan

Covered Entities must also comply with the Security Rule's requirement to back up and protect electronic data. This includes the formulation and implementation of a Contingency Plan to be invoked in the event of a disaster or breach that may result in major loss of data. The Contingency Plan standard is contained in the Administrative Safeguards at 164.308(a)(7)(i):

"Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

The standard's implementation specifications (164.308(a)(7)(ii)) are:
- REQUIRED: Data Backup Plan. The Covered Entity MUST establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- REQUIRED: Disaster Recovery Plan. The Covered Entity MUST establish and implement procedures to restore any loss of data.
- REQUIRED: Emergency Mode Operation Plan. The Covered Entity MUST establish and implement procedures that enable continuation of critical business processes while protecting the security of ePHI during operation in emergency mode.
- ADDRESSABLE: Testing and Revision Procedures, for periodic testing and revision of the contingency plans.
- ADDRESSABLE: Applications and Data Criticality Analysis, to assess the relative criticality of specific applications and data in support of the other contingency plan components.

A backup that has never been restored is not known to be "retrievable": test restores are how the Data Backup Plan and Disaster Recovery Plan are shown to work.

Physical safeguards that MUST be complied with include:

  o Facility Access Controls, 164.310(a)(1): physical access to electronic information systems, and to the facilities in which they are housed, MUST be limited by policies and procedures so that only properly authorized access is allowed.
  o Contingency Operations, 164.310(a)(2)(i): procedures shall be established and implemented that allow facility access in support of restoring lost data under the Disaster Recovery Plan and Emergency Mode Operation Plan in the event of an emergency.

Technical Safeguards, 164.312

Covered Entities must also adopt the technical safeguards of 164.312 (refer to the regulation for the full list of implementation specifications):
- Access control: limit access to ePHI to authorized persons and software programs, including unique user identification and an emergency access procedure; encryption and decryption of stored ePHI is an addressable specification here.
- Audit controls: record and examine activity in information systems that contain or use ePHI.
- Integrity: protect ePHI from improper alteration or destruction, with a mechanism to detect such changes.
- Person or entity authentication: verify that a person or entity seeking access is the one claimed.
- Transmission security: guard against unauthorized access to ePHI transmitted over an electronic communications network, with integrity controls and encryption as addressable specifications.

Covered Entities should therefore assess and evaluate their electronic systems and secure their ePHI. This includes the deployment of a secure backup, archiving and retrieval solution, which is necessary to satisfy the Contingency Plan standard but does not by itself constitute full compliance with HIPAA.

The HIPAA Omnibus Rule

HHS announced the Omnibus Rule on January 17, 2013 and published it in the Federal Register on January 25, 2013; it took effect on March 26, 2013, with a compliance date of September 23, 2013. The Omnibus Rule implements most of the HITECH Act's changes and makes Business Associates of Covered Entities directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule.

Definition of Business Associates

The Department of Health and Human Services (HHS) defines Business Associates, and gives examples such as:

- A firm of IT consultants that manages IT infrastructure or provides network management services and may have access to patient health information in the performance of its duties under the contract.
- A firm of accountants whose services to a healthcare provider involve access to protected health information.
- A healthcare clearinghouse that converts a non-standard claim format into a standard transaction for onward transmission to the payer.
- A consultant (person or organization) that conducts utilization reviews for a healthcare provider.
- A third-party medical transcription service working for a medical practitioner.
- A pharmacy benefits manager or administrator that manages a pharmacist network on behalf of a health plan.
- A lawyer acting for a healthcare provider who has access to protected health information.
- Third-party claims processors.

HHS publishes further examples and guidance on its website.

The Conduit Exception

The Conduit Exception exempts from Business Associate status organizations that merely transport protected health information, such as the U.S. Postal Service, FedEx or UPS, and their electronic equivalents, such as Internet Service Providers (ISPs) that only provide data transmission services. The underlying principle is that a conduit simply carries data and does not access it, other than on a random or infrequent basis as needed to perform the transmission (or as otherwise required by law). HHS has stated that the exception is narrow. In the Omnibus Rule HHS made clear that it does not extend to cloud backup or data storage providers: an organization that maintains protected health information on a Covered Entity's behalf is a Business Associate even if it never actually views the data, because its access is persistent rather than transient. Such providers are therefore directly caught by HIPAA's provisions.
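The Data Backup Plan described above requires "retrievable exact copies" of ePHI, and the Security Rule's integrity safeguard asks that improper alteration be detectable. The following is an added example, not from this white paper or from Swift Systems, of the check a practitioner would run to demonstrate both: a SHA-256 manifest written at backup time and compared against a test restore, reporting files that are missing, altered or unexpectedly present. The directory layout, file names and record contents are constructed sample data, and the function names are this example's own.

```python
"""Backup integrity check: prove a restored copy is an exact copy of the source.

Added example, not from the Swift Systems white paper. It models the Security
Rule's Data Backup Plan requirement ("retrievable exact copies" of ePHI) as a
SHA-256 manifest written at backup time and re-checked after a test restore.
All file names and record contents below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing from the restore, altered (digest
    mismatch), or extra (present in the restore but not in the manifest).
    All three lists empty means the restore is an exact copy.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three records, then restore imperfectly."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ephi")
        src.mkdir()
        (src / "notes").mkdir()
        (src / "patient-0001.json").write_text('{"mrn": "0001", "dx": "J45.909"}')
        (src / "patient-0002.json").write_text('{"mrn": "0002", "dx": "E11.9"}')
        (src / "notes" / "visit-2015-04-01.txt").write_text("follow-up in 6 weeks")

        # Manifest is written at backup time and kept apart from the backup itself.
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # Simulate a test restore that is silently imperfect: one record altered
        # by a single character, one note never restored.
        dst = Path(tmp, "restore")
        dst.mkdir()
        (dst / "notes").mkdir()
        (dst / "patient-0001.json").write_text('{"mrn": "0001", "dx": "J45.909"}')
        (dst / "patient-0002.json").write_text('{"mrn": "0002", "dx": "E11.90"}')

        return verify_restore(json.loads(manifest_path.read_text()), dst)


if __name__ == "__main__":
    print(demo())
```

Run directly, it reports the altered record and the missing note for the constructed scenario. In practice the manifest is stored separately from the backup media, the comparison is run on every scheduled test restore, and the result is retained as evidence for the Contingency Plan's testing procedures.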

Business Associate Agreement & Mandatory Provisions

A Covered Entity may disclose protected health information to a Business Associate only under a written contract, the Business Associate Agreement, and a Business Associate must in turn have one with each subcontractor that handles protected health information for it. Under 45 CFR 164.504(e), the agreement MUST, among other provisions:
- Establish the permitted and required uses and disclosures of protected health information by the Business Associate, and provide that it will NOT use or further disclose the information other than as permitted or required by the contract or as required by law.
- Require the Business Associate to use appropriate safeguards, and to comply with the Security Rule with respect to ePHI, to prevent use or disclosure other than as provided for by the contract.
- Require the Business Associate to report to the Covered Entity any use or disclosure not provided for by the contract, including breaches of unsecured protected health information.
- Require the Business Associate to ensure that any subcontractors agree to the same restrictions and conditions.
- Require the Business Associate, at termination of the contract, to return or destroy all protected health information received from or created on behalf of the Covered Entity, where feasible.

Swift Systems Solution for HIPAA Compliance

Swift Systems has over 15 years of experience working with healthcare providers and their Business Associates, implementing and maintaining state-of-the-art IT systems to support compliance with HIPAA. We are the leading regional provider of HIPAA

Some of our clients include:

INSERT SUITABLE CLIENT LIST HERE

Specifically, we offer:
- Managed IT Services & Network Security.
- Cloud Backup and Storage.
- Disaster Recovery.
- Backup & Recovery of protected health information.
- Emergency Mode Operation planning.
- Security & Encryption of protected health data.
- Logging & Archiving with full audit trail functionality using JobTraQ.

We are partnered with the leading manufacturers and vendors in the technology field, including:

INSERT PARTNER LIST

Ensure you fully comply with HIPAA and start with a free consultation from Swift Systems:
Email: sales@swiftsystems.com

Legal Disclosure

Nothing in this White Paper is intended to constitute legal advice. For more information about HIPAA and compliance with HIPAA requirements, please consult your legal counsel.