With anything that’s complex and multi-faceted, it is not always easy to explain it to others. Oddly enough, it sometimes seems especially difficult to convey ideas when we are highly trained in the subject. We start to take the broader, basic-to-intermediate knowledge we have for granted, glossing over it as we focus at a higher level. Conversely, when we are learning about something new, it helps when we can get simplified, “boiled-down” essentials without any unnecessary legal jargon or other distractions. Well, here is an attempt to get to the essence, a Quick-Start Guide of sorts for HIPAA compliance that should only take you another 270 seconds or so to read. Forgive the lack of transitions from here forward – nuts and bolts only!
What is HIPAA?
HIPAA is shorthand for the Health Insurance Portability and Accountability Act, a federal law that was signed by US President Bill Clinton in August 1996. The law has a wider scope than you might think. Title II is the section of HIPAA that is especially pertinent to healthcare IT settings and the general realm of patient data, but there are actually five titles:
- Title I – Alters the law for group insurance plans, related to employee transitions and lifetime maximums
- Title II, the Administrative Simplification provisions – Gives authority to the HHS (Health & Human Services) Department to create and enforce healthcare privacy and security rules
- Title III – Revises the tax law that is associated with medical treatment
- Title IV – Contains additional insurance law updates, with portability and pre-existing-condition safeguards
- Title V – Modifies the law on business-owned life insurance and income-tax rules for when a person loses their status as a US citizen.
What is HIPAA Administrative Simplification?
HIPAA Title II is also called the Administrative Simplification provisions. The five essential aspects of this part of the legislation are:
- National Provider Identifier (NPI) Standard – Mandates 10-digit provider IDs
- Transactions and Code Sets Standards – Establishes objective protocols for electronic data interchange
- Privacy Rule – States the expectations for organizations to keep patient data private
- Security Rule – Gives guidelines to secure electronic protected health information (ePHI)
- Enforcement Rule – Stipulates how investigations of HIPAA covered entities and business associates are to be conducted.
Difference between covered entity & business associate
Who has to follow HIPAA? The parties that must meet the demands of the law have two names: covered entity and business associate. Note that the line between these two roles has become blurred and really less important since the HIPAA Omnibus Rule, or Final Rule, went into effect on September 23, 2013. Previously, business associates did not have direct responsibility to meet HIPAA parameters as covered entities did; now they do. With that said, here are basic definitions:
- covered entity – any health care plan, medical provider, or health data clearinghouse (e.g. insurance carrier, government agency, doctor’s office, hospital, university medical center)
- business associate – any organization that is not a covered entity but conducts activities which involve the handling of individually identifiable health data (e.g. attorneys, accountants, shredding firms, web hosting companies).
To put it another way, business associates are third parties that work with healthcare data while performing a service for the covered entities, which are the core types of organizations upon which the law has the most central impact.
What is the HIPAA Omnibus Rule or Final Rule?
While the core principles and practices of the original HIPAA are still in effect, the Final Rule was far-reaching in its modifications. At least on a surface level, that’s understandable given that HIPAA was written and enacted back in the mid-1990s, and the digital era has transformed dramatically in the meantime.
Here are five of the most important ways that the Omnibus Rule updated HIPAA:
- Broadened privacy and security rules related to protected health information (PHI) of patients
- Standardized the assessment of liability in the event of a data breach
- Expanded the Privacy Rule to specifically address genetic data
- Brought the way that the Office for Civil Rights (OCR) enforces the Security and Privacy Rules in line with the HITECH Act’s stipulations for electronic health records (EHR).
- Adjusted the law so that business associates, and even their subcontractors (well, those that handle patient data), are now directly responsible for meeting the provisions of HIPAA.
What is HITECH?
HITECH, the Health Information Technology for Economic and Clinical Health Act, was signed by US President Barack Obama on February 17, 2009. This legislation was part of the 2009 Recovery Act (officially the American Recovery and Reinvestment Act, or ARRA).
The agency that enforces HITECH is the Office of the National Coordinator for Health Information Technology (ONC); so basically, that agency serves a similar function related to HITECH as what the Office for Civil Rights (OCR) does related to HIPAA.
Under HITECH, it’s necessary for healthcare providers to be able to show that they are practicing “meaningful use” of EHR systems. This legislation is not as relevant to choosing healthcare IT providers since it’s more about ensuring adoption of the electronic model than it is about regulating how data is protected within that context.
HIPAA best practices
Here are a few strategies recommended by Raj Chaudhary, director of Crowe Horwath’s security and privacy services group:
Logins/passwords – Make sure that you are only giving user accounts to people who need them, and that you are only providing levels of access that are appropriate given the role. Also, take care that all passwords are complex and that any defaults are quickly replaced.
Monitoring your monitoring – If you want to maintain compliance, a main point of focus should be PHI access, as indicated by logging. Plus, create rules and then analyze the information to check that your access controls are working.
Multi-layered access safeguards – Your login credentials will protect you at the level of the network. However, problems can arise at the software layer; maintain HIPAA compliance there too. Also, consider lockout after a certain number of login attempts.
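The three practices above (role-appropriate access, reviewing PHI access logs against rules, and lockout after repeated failed logins) come down to routine checks over the audit trail. The following is an added example, not code from the original post or from Crowe Horwath: a small Python audit-log review that flags successful PHI access outside a role’s permitted scope and accounts that logged in successfully after reaching the lockout threshold, which would indicate the lockout control is not actually working. The log format, the role names, the permission map and the sample lines are all constructed assumptions for the example.

```python
"""Added example (not part of the original post): review a constructed
audit log for out-of-role PHI access and for lockout controls that failed.
The log format, roles, permission map and sample events are assumptions."""
from collections import defaultdict

# Constructed sample audit log; fields are timestamp|user|role|action|resource|outcome
SAMPLE_LOG = """\
2024-03-01T08:00:01|nurse_01|nurse|read|patient/1001|success
2024-03-01T08:00:05|billing_07|billing|read|patient/1001/notes|success
2024-03-01T08:01:10|billing_07|billing|read|patient/1002/notes|success
2024-03-01T08:02:00|contractor_x|contractor|login|-|failure
2024-03-01T08:02:03|contractor_x|contractor|login|-|failure
2024-03-01T08:02:07|contractor_x|contractor|login|-|failure
2024-03-01T08:02:11|contractor_x|contractor|login|-|failure
2024-03-01T08:02:15|contractor_x|contractor|login|-|failure
2024-03-01T08:02:30|contractor_x|contractor|login|-|success
2024-03-01T08:05:00|dr_smith|physician|read|patient/1003/notes|success
2024-03-01T08:06:00|nurse_01|nurse|export|patient/1004|success
"""

# Assumed "minimum necessary" map: for each role, which actions are allowed
# on which resource types. Anything not listed is out of role.
ROLE_PERMISSIONS = {
    "physician": {"read": {"patient", "notes"}, "write": {"patient", "notes"}},
    "nurse": {"read": {"patient"}, "write": {"patient"}},
    "billing": {"read": {"patient"}},   # demographics yes, clinical notes no
    "contractor": {},                    # no PHI access at all
}

# Assumed policy: an account must be locked after this many consecutive failures.
LOCKOUT_THRESHOLD = 5


def parse_log(text):
    """Turn the pipe-delimited log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource, outcome = line.split("|")
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "resource": resource, "outcome": outcome})
    return events


def resource_type(resource):
    """'patient/1001' -> 'patient'; 'patient/1001/notes' -> 'notes'."""
    parts = resource.split("/")
    return parts[-1] if not parts[-1].isdigit() else parts[0]


def find_out_of_role_access(events):
    """Successful non-login actions that the user's role does not permit."""
    findings = []
    for e in events:
        if e["action"] == "login" or e["outcome"] != "success":
            continue
        allowed = ROLE_PERMISSIONS.get(e["role"], {}).get(e["action"], set())
        if resource_type(e["resource"]) not in allowed:
            findings.append((e["user"], e["action"], e["resource"]))
    return findings


def find_lockout_gaps(events, threshold=LOCKOUT_THRESHOLD):
    """Users who logged in successfully after >= threshold consecutive failures.

    A successful login at that point means the lockout control did not engage,
    which is exactly the kind of control failure log review should surface."""
    streak = defaultdict(int)
    findings = []
    for e in events:
        if e["action"] != "login":
            continue
        if e["outcome"] == "failure":
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] >= threshold:
                findings.append((e["user"], streak[e["user"]]))
            streak[e["user"]] = 0
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, action, res in find_out_of_role_access(evs):
        print(f"out-of-role access: {user} {action} {res}")
    for user, n in find_lockout_gaps(evs):
        print(f"lockout not enforced: {user} succeeded after {n} failures")
```

Run it as-is to see the two billing reads of clinical notes, the nurse export, and the contractor account that got in after five failures. In practice the permission map would be generated from the same role definitions the application enforces, so that the review checks the deployed configuration rather than a hand-maintained copy of it.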
Business associate management – Covered entities should be conscientious when they are selecting service providers, as should business associates when they are hiring subcontractors. Read your business associates agreements (BAAs) carefully. Here is Chaudhary’s 4-step plan to review and manage relationships with business associates (yes, that’s right, a list within a list):
- Sign a solid BAA with each vendor.
- Prioritize the “minimum necessary” aspect of the Privacy Rule – that you should strictly limit data disclosure.
- Complete a performance assessment.
- Check that vendors are maintaining compliance with the BAA annually, and keep the BAA itself updated.
Business continuity & incident response – Your business continuity plan should be extensive and include full guidelines for incident response. Start out with a business impact assessment. From that process, develop your business continuity plan. Finally, take the business continuity plan and use it to formulate your disaster recovery (DR) plan. When putting together your business continuity plan, be sure to focus sufficiently on the people. Who is responsible for doing what when a disaster occurs? Your business impact assessment should focus on recovery time objectives for mission-critical systems.