
HIPAA Audit Provides Lessons On Risk and Implementation

By Carol Amick, manager of healthcare services, CompliancePoint.


According to the United States Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing, and requires protection and confidential handling of protected health information.

Under the HIPAA rules, any company that handles protected information must have physical, network and process security measures in place, and must follow them, to ensure compliance. It is fair to say that many organizations remain perplexed by HIPAA audits, enforcement and compliance. As a result, the organizations that fail to meet compliance each year remain the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.

Analyze the past, to avoid making the same mistake twice

It is important for hospitals and healthcare facilities to look at the mistakes that are repeatedly noted in HIPAA security reviews. Across all the reviews completed, a number of compliance violations and issues recur each year: impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their own health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum necessary protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.

Perform a risk assessment and GAP analysis

Two preventative measures for assessing an organization's compliance with HIPAA are a risk analysis and a GAP analysis. Confusion about the difference between the two examinations has been common among healthcare professionals for some time. Not understanding the differences can be detrimental to an organization and puts it at significantly higher risk. According to HHS and OCR guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed HIPAA compliant.

A HIPAA GAP analysis measures the organization's information security standing against HIPAA, as expressed in the HHS audit protocol. Comparing the organization's current practices to the HHS OCR audit protocol identifies the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health information. Performing the GAP analysis also allows the organization to develop an audit response toolkit: the data and documentation that would support its compliance with the HIPAA regulations to regulatory agencies.


HIPAA: A Primer And A Reminder For Those In Healthcare

By Vikash Kumar, manager, Tatvasoft.

Emerging technology has transformed one area after another, from communication to banking and shopping. Healthcare, however, lagged behind, because many believed it was too complicated to fix. That is simply not true. Now, more than ever, technology has not only improved the consumer experience but also removed unnecessary cost from the entire healthcare system.

To maintain standards of care and improve outcomes for patients, hospitals and medical centers, technology is providing ever-smarter tools. Enacted by the U.S. Congress in 1996, HIPAA was introduced to address growing technological change and the problems that came with it. According to the HIPAA Privacy Rule, saving, accessing and sharing medical and personal information is prohibited. Moreover, HIPAA specifically sets out national security standards to protect health data that is created, received, maintained or transmitted electronically (ePHI — electronic protected health information).

Beyond this, there are a few primary components one needs to understand:

Privacy Rule: The Privacy Rule defines what qualifies as PHI (protected health information) and who is responsible for ensuring that it is not disclosed improperly. It covers covered entities, ranging from health plans to health care clearinghouses and health care providers that transmit health information electronically in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. Beyond covered entities, the Privacy Rule also encompasses business associates (anyone who stores, collects, maintains or transmits protected information on behalf of a covered entity).

Security Rule: The Security Rule relates specifically to electronic information and sets guidelines for how to secure PHI. It is broken down into three main categories of safeguards: administrative, physical and technical. As the names imply, administrative safeguards revolve around access control and training, physical safeguards cover the actual devices, and technical safeguards relate to the data itself.

Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. The rule distinguishes two kinds of breaches, minor breaches and meaningful breaches. Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific reporting protocol depends on the type of breach.

Omnibus Rule: This rule was enacted in order to apply HIPAA to business associates, in addition to covered entities. According to the rule, business associates must be HIPAA compliant.
