HIPAA Compliance and the Protection of Patient Health Information

WHITE PAPER

By Swift Systems Inc.
April 2015

Swift Systems Inc.
7340 Executive Way, Ste M
Frederick MD 21704
Contents

- Introduction
- Risks
- HIPAA Objectives
- Covered Entities
- Business Associates
- Penalties for Non-Compliance
  o Criminal Penalties
  o Civil Penalties
  o Impact on Business
- The HIPAA Security Rule
  o Security Rule Requirements
  o Security Measures
  o The Contingency Plan
- The HIPAA Omnibus Rule
  o Definition of Business Associates
  o The Conduit Exception
  o Business Associate Agreement & Mandatory Provisions
- Swift Systems Solution for HIPAA Compliance
- Legal Disclosure
Introduction

As technology moves forward at an ever faster pace, patient privacy has taken center stage, and especially the concerns surrounding digital security. Digital record keeping has increasingly become the de facto norm for medical practices, and with it healthcare organizations must be aware of the associated risks. Risk mitigation is crucial to protect patients and healthcare organizations alike.

Risks

Risks associated with digital record keeping include:

- The risk of a disaster resulting in physical damage to the integrity of patient data, or its outright loss.
- Corruption or loss of patient data by viruses or malware.
- Theft or corruption of patient data by hackers or physical intruders.
- Theft or corruption of patient data by internal staff.
- Accidental loss or theft of mobile devices, such as laptops and tablets, containing patient data.

HIPAA Objectives

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. With this legislation, a set of universal standards was introduced to hold healthcare providers accountable for the safety of patient data. HIPAA's core objectives were to mandate patient confidentiality while promoting the portability of patient records, with appropriate access to those records amongst authorized healthcare providers and ancillary persons. Consistency was also a goal of HIPAA, not only across the healthcare industry but also within each individual provider's operations.
The ultimate objective of HIPAA is the protection of healthcare systems containing patient data, and the promotion of patient confidence in the integrity and security of their private information.

Covered Entities

A Covered Entity defines who must comply with HIPAA provisions: typically, any health care provider, health plan or clearinghouse that captures, stores or transmits patient records by digital means. A Covered Entity must institute appropriate measures to protect patient data privacy, including physical, technical and administrative safeguards. Specifically, a Covered Entity must, amongst other things, establish:

- A Data Backup Plan.
- A Disaster Recovery Plan.
- An Emergency Mode Operation Plan.

HIPAA provided for a compliance regime, together with penalties for violators. Penalties were increased and broadened in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH), which also broadened the range of violations and of entities covered by HIPAA, e.g. business associates of medical practices.

Business Associates

Business Associates are defined to include vendors and providers of Electronic Health Records (EHR), and other parties may also be held accountable under HIPAA. Compliance with HIPAA demonstrates your commitment to patient privacy and confidentiality, as well as your direct commitment to preventing the loss of patient information through security breaches and the financial loss that follows.

Penalties for Non-Compliance

Penalties for non-compliance with HIPAA are severe, and are divided into criminal and civil penalties:
Criminal Penalties

- Fines ranging from $50,000 to $250,000.
- Jail terms ranging from one year to 10 years in prison.

Civil Penalties

Where willful neglect is demonstrated, penalties include fines of up to $250,000, rising to $1.5 million for repeat violations (including where a prior violation has not been corrected).

Impact on Business

Aside from the civil and criminal penalties which may be levied for violations, there is the considerable risk of losing patient business and commercial partnerships, together with the attendant negative publicity.
The HIPAA Security Rule

The HIPAA Security Rule covers all patient health data transmitted or stored in an electronic format or managed on electronic media.

Security Rule Requirements

45 CFR 164.306 requires Covered Entities to:

- Protect patient data, and the electronic systems handling it, from any reasonably anticipated threats which may affect the security of patient data.
- Protect the confidentiality, integrity and availability of patient data stored or transmitted electronically, including when patient data is created or received by the Covered Entity as well as when it is stored or transmitted.
- Protect against unauthorized disclosure or misuse where such acts can be reasonably anticipated. Subpart E also stipulates what patient data is REQUIRED to be protected, irrespective of the "reasonable anticipation" language.
- Establish and enforce staff compliance with this subpart.

Security Measures

HIPAA provides a degree of flexibility for Covered Entities in how they implement these requirements. The language makes this clear through the use of phrases such as "reasonably anticipated", which means specific security measures and procedures are left to the Covered Entity to determine. This naturally requires the Covered Entity to understand what security measures and protocols are available and, more particularly, what threats can be reasonably anticipated. The decision as to which security measures are to be implemented by the Covered Entity must consider the following:

- Existing infrastructure, including hardware and software and the security protections already afforded.
- The size and complexity of the Covered Entity's operations, including its capabilities.
- Potential risks to patient data, together with a deliberate assessment of the probability and criticality of any potential risk which can be reasonably anticipated.

The Contingency Plan

Covered Entities must also comply with the Security Rule's requirement to back up and protect electronic data. This includes the formulation and implementation of a Contingency Plan to be invoked in the event of a disaster or breach which may result in major loss of data. The Contingency Plan requirements are contained in Administrative Safeguards 164.308(a)(7)(i): "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

The Contingency Plan MUST be implemented using the following:

- REQUIRED Data Backup Plan: the Covered Entity MUST establish and implement a Data Backup Plan, including the creation and maintenance of retrievable and exact copies of protected health data stored, transmitted or maintained in an electronic format.
- REQUIRED Disaster Recovery Plan: the Covered Entity MUST establish and implement a Disaster Recovery Plan to recover any loss of protected information or data.
- REQUIRED Emergency Mode Operation Plan: the Covered Entity MUST create and implement an Emergency Mode Operation Plan to ensure business continuation for critical business processes, and to ensure the continuing security of protected health information and data during operations in emergency mode.

Physical Requirements which MUST be complied with include:
  o Physical Safeguards - 164.310(a)(1): physical access to electronic systems MUST be limited by policies and procedures, including restriction of access to the facilities within which electronic systems are situated, such that only authorized access is permitted.
  o Facility Access during a Disaster or Emergency - 164.310(a)(2)(i): procedures shall be created and implemented to facilitate access to any facility where such electronic systems are situated when executing either the Disaster Recovery Plan or the Emergency Mode Operation Plan.

Technical Safeguards - 164.312

Covered Entities must also adopt specified technical safeguards to cover the following (refer to 164.312 for a full list):

  o Encryption and decryption of protected data.
  o Limitation of access to protected data.
  o Audit controls to record and monitor activity on systems containing or using protected data.
  o Technical security measures to protect against unauthorized access to protected data during transmission over an electronic communications network.

Covered Entities should therefore assess and evaluate their electronic systems and secure electronic protected health information. This includes the deployment of a secure backup, archiving and retrieval solution to ensure full compliance with HIPAA.

The HIPAA Omnibus Rule

New privacy rules were introduced and became effective January 17, 2013; they are collectively known as the HIPAA Omnibus Rule. The HIPAA Omnibus Rule extends some of the rules to Business Associates of Covered Entities.

Definition of Business Associates

The Department of Health and Human Services (HHS) defines Business Associates; some examples are:
- A firm of IT consultants who manage IT infrastructure or provide network management services, and who may have access to patient health information in the performance of their duties under the contract.
- A firm of accountants who provide services to healthcare providers, where those services involve access to protected patient information.
- Healthcare clearinghouses who convert the non-standard formatting of a claim into a standardized version for onward transmission to the payer.
- A consultant (person or organization) who conducts utilization reviews for a healthcare provider.
- Third party medical transcription service providers performing work for a medical practitioner.
- A benefits manager or administrator who manages a pharmacist network on behalf of a health plan provider.
- A lawyer acting for a healthcare provider who has access to protected patient information.
- Third party claims processors.

Detailed information is available on the HHS website.

The Conduit Exception

The Conduit Exception provides an exemption for Business Associates who are providing a courier service, such as the U.S. Postal Service, FedEx or UPS. The Conduit Exception also applies to Internet Service Providers (ISPs) where they are only providing data transmission services. The underlying principle is that a conduit simply carries data or information, and does not have access to it except as required to perform transmission or transport to the intended destination (unless otherwise required by law).

The Conduit Exception forms part of the Omnibus Rule, and an important amendment was to remove the old exemption for Business Associates who provide cloud backup or data storage services. These providers are now specifically classified as Business Associates and are caught by HIPAA provisions.
Business Associate Agreement & Mandatory Provisions

These provisions include the mandatory requirement that Business Associates sign a Business Associate Agreement with the Covered Entity to which they provide services. HHS REQUIRES the following contractual provisions:

- A provision that the Business Associate will NOT use or disclose protected health data for any purpose other than as prescribed by law or for the purposes of carrying out the contractual provisions.
- A provision that the Business Associate will also adopt and take suitable precautions and safeguards to prevent unauthorized use or disclosure of protected health information, except as laid out in the contract.

Swift Systems Solution for HIPAA Compliance

Swift Systems has over 15 years of experience working with healthcare providers, and their Business Associates, in implementing and maintaining state-of-the-art IT systems to ensure compliance with HIPAA. We are the leading regional provider of HIPAA

Some of our clients include:

INSERT SUITABLE CLIENT LIST HERE

Specifically, we offer:

- Managed IT Services & Network Security.
- Cloud Backup and Storage.
- Disaster Recovery.
- Backup & Recovery of protected health information.
- Emergency Mode Operation planning.
- Security & Encryption of protected health data.
- Logging & Archiving with full audit trail functionality using JobTraQ.
We are partnered with the leading manufacturers and vendors in the technology field, including:

INSERT PARTNER LIST

Ensure you fully comply with HIPAA and start with a free consultation from Swift Systems:

Email: sales@swiftsystems.com

Legal Disclosure

Nothing in this White Paper is intended to constitute legal advice. For more information about HIPAA and compliance with HIPAA requirements, please consult your legal counsel.