How do you comply with the Health insurance Portability and Accountability Act (HIPAA)? This article covers the four basic elements of the regulations. It also discusses myths associated with the basic compliance testing method, security risk analysis – most notably that a HIPAA risk analysis checklist is insufficient for compliance.
- Transaction Standards
- Privacy Regulations
- Security Regulations
- Breach Notification Regulations
- 10 Myths About Security Risk Analysis
- Fully Qualified Business Associates
Here are the three basic sections of the HIPAA rules that covered entities and business associates must follow in order to be considered in compliance with the law – although the third section is the most relevant one for business associates.
These standards direct healthcare organizations to use uniform standards for digital insurance claims, codes that directly match those used by other providers, and unique identifiers (sets of numbers that stand in for the name of the provider or individual).
These provisions, the initial effort to develop HIPAA safeguards, discuss access to and disclosure related to protected health information (PHI); establish expectations of providers for giving patients privacy policies, details on how data is shared, and instructions to access, look over, retrieve, and modify their health records; and talk about the need for permission from patients for any use of their data.
The Oregon Association of Hospitals and Health Systems describes these HIPAA safeguards: “The security regulations dictate the kind of administrative procedures and physical safeguards covered entities must have in place to ensure the confidentiality and integrity of protected health information.”
Again, this section is the most critical for business associates such as Web hosting businesses, accountants, and any other companies or individuals that have access to protected health information, regardless whether they actually look at it. As of the enactment of HITECH’s Final Omnibus Rule (September 2013), business associates have been responsible for meeting the so-called Security Rule – the quasi-official nickname that has been given to these HIPAA safeguards. In fact, even business associates’ subcontractors now must meet the security guidelines enforced by the Office for Civil Rights.
Breach Notification Regulations
Finally, the Department of Health and Human Services stipulates that all providers, health plans, and data clearinghouses that handle PHI must immediately alert anyone whose health information is compromised. The HHS Secretary must be contacted as well, along with major media outlets when the population of people affected is 501 or more.
“Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis,” adds DHHS. “The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.”
10 Myths About Security Risk Analysis
In its efforts to clarify proper HIPAA safeguards and refute the idea that a HIPAA risk assessment checklist suffices for compliance, HealthIT.gov discusses common myths related to these vulnerability tests on one of its SRA tool download pages. They are:
Myth #1 – It’s unnecessary for small covered entities.
Fact: It’s necessary for 100% of covered entities.
Myth #2 – Implementing a federally certified EHR system meets the parameters of the security risk analysis MU.
Fact: Regardless your technology for electronic health records, protected health information includes data beyond EHRs.
Myth #3 – EHR business associates are fully responsible for the compliance of their products.
Fact: Business associates can give you guidance related to the technology’s HIPAA safeguards, and they must maintain compliance themselves. But you must double-check their products with a risk assessment.
Myth #4 – These analyses must be conducted by outside parties.
Fact: You can achieve compliance by assessing vulnerability yourself, but it is wise to hire an expert to help if you don’t feel your internal team is knowledgeable on the process.
Myth #5 – A HIPAA risk analysis checklist is acceptable for compliance.
Fact: “Checklists can be useful tools, especially when starting a risk analysis,” says HealthIT.gov, “but they fall short of performing a systematic security risk analysis or documenting that one has been performed.”
Myth #6 – There’s only one standard, accepted way to assess risk.
Fact: Many methods meet compliance guidelines, but the OCR’s “Guidance on Risk Analysis Requirements” document can help to establish reasonable HIPAA safeguards.
Myth #7 – Analyses can be limited to EHR.
Fact: All computers and other hardware that comes into contact with PHI – including photocopiers – should be checked and tested. Note that the most common violation is unencrypted laptops.
Myth #8 – Risk assessment is a one-time event.
Fact: The Security Rule requires ongoing monitoring and adaptation. For further information, see the “Reassessing Your Security Practices” guide on HealthIT.gov.
Myth #9 – To qualify for EHR incentives, you must correct vulnerabilities prior to attestation.
Fact: Whatever problems are discovered during the risk assessment should be corrected during the reporting period.
Myth #10 – The risk assessment must start over from scratch annually.
Fact: You tweak it as you go. “Perform the full security risk analysis as you adopt an EHR,” explains HealthIT.gov. “Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.” (Note that the MU incentives necessitate one analysis per reporting period for eligible professionals.)
Fully Qualified Business Associates
If you’ve reached the bottom of this article, you’re obviously concerned that your organization doesn’t make any mistakes related to HIPAA compliance or security risk analyses. One of the best ways to protect yourself is by working with credible business associates with strong experience. Atlantic.Net offers award-winning HIPPA Compliant Hosting on state-of-the-art SSD Cloud Servers.
When asked why Complete Healthcare Solutions trusts Atlantic.Net with its IT systems, VP of product development Joseph Nompleggi said, “Our partner’s financial strength and proven track record are something we view with great confidence.”