Prior to 1996, there were no generally accepted security standards or general requirements within the health care industry for protecting health information. As new technologies evolved, in similar fashion to most other industries, the health care industry began to transition from paper processes to electronic information systems. The sensitive nature of health care brought about new concerns and uncertainties about the privacy of personal health care information.
Through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal government mandated the U.S. Department of Health and Human Services (HHS) to develop new regulations to protect the privacy and security of certain types of health information. It's a complex law whose main premise is organizing health management. Unfortunately, not everyone understands the nuances of the law, which leads some people to overlook important parts of it. Boards may want to maintain a HIPAA technology checklist to ensure due diligence on their part.
Boards of directors need to understand how they or their organizations may intentionally or unintentionally violate HIPAA provisions, so that they can avoid federal fines. In 2015, Jocelyn Samuels, then-director of the Office for Civil Rights, pursued a new phase of audits that resulted in $10 million in fines over HIPAA violations. This is a major reason for boards to set up a HIPAA technology checklist.
HIPAA Has Seven Fundamental Elements of Compliance
The Privacy Rule, which is also referred to as the Standards for Privacy of Individually Identifiable Health Information, outlines the national standards for protecting certain health information.
The Security Standards for the Protection of Electronic Protected Health Information is also called The Security Rule. This part of the law is somewhat similar to The Privacy Rule. It sets the national security standards for certain health information that is held or transferred in electronic form. This part of the law addresses both the technical and the non-technical safeguards by which organizations must abide.
HIPAA contains seven fundamental elements that outline the bare minimum structure of the law. These components are non-negotiable. The seven elements are:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and a compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
The Security Rule requires organizations to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting electronic protected health information (e-PHI).
This mandate requires:
- Ensuring the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information.
- Protecting against reasonably anticipated, impermissible uses or disclosures.
- Ensuring that their workforce complies with these provisions.
The following are additional items to add to your HIPAA technology checklist:
Risk Analysis and Management
Entities must develop an ongoing risk analysis that includes, at a minimum, these activities:
- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document your security measures. Provide the rationale for adopting the measures where required.
- Maintain continuous, reasonable and appropriate security protections.
- Implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Designate a security official with responsibility for developing and implementing its security policies and procedures.
- Implement policies and procedures for authorizing access to e-PHI only when access is appropriate according to the user’s or the recipient’s role.
- Authorize and supervise workforce members who work with e-PHI and apply sanctions to workers who violate its policies and procedures.
- Periodically assess how well its security policies and procedures meet the requirements of the Security Rule.
- Limit physical access to facilities while ensuring that authorized access is still allowed.
- Implement policies and procedures to specify proper use of and access to workstations and electronic media. Have policies in place for the transfer, removal, disposal and re-use of electronic media to protect e-PHI.
- Implement technical policies and procedures that allow only authorized people access to e-PHI.
- Implement hardware, software and/or procedural systems to record and examine access and other activity in information systems in regard to e-PHI.
- Implement policies and procedures and electronic measures to ensure that e-PHI doesn’t get altered or destroyed.
- Implement technical security measures that guard against unauthorized access to e-PHI that’s being transmitted over an electronic network.
Required and Addressable Implementation Specifications
Entities under HIPAA must comply with every Security Rule "standard." Within each standard, the law designates certain implementation specifications as addressable and others as required. Note that addressable doesn't mean optional. An addressable specification applies when it is reasonable and appropriate for that entity; where it is not, the entity may adopt an alternative measure that achieves the same purpose, as long as that alternative is itself reasonable and appropriate.
Business Associate Obligations
- If a covered entity knows of an activity or practice of the business associate that equates to a breach or violation of the business associate's obligation, the covered entity must take reasonable steps to correct the breach or violation. This requirement also covers failing to implement safeguards that reasonably protect e-PHI.
- Business associate contract obligations are listed under the HITECH Act of 2009.
Policies and Procedures and Documentation Requirements
A covered entity must adopt policies and procedures that are reasonable and appropriate to comply with the Security Rule. It must also maintain written security policies and procedures and written records of required actions, activities or assessments for six years after the later of the date they were created or the date they were last in effect.
A covered entity must periodically review and update its documentation in response to environmental and organizational changes that affect the security of e-PHI. A board portal by BoardEffect is very effective in documenting plans for HIPAA rules and is useful for documenting periodic reviews of requirements of the rules.
Federal HIPAA provisions take precedence over state laws. The HHS Office for Civil Rights is responsible for administering and enforcing the standards of the Security Rule, and it may conduct complaint investigations and compliance reviews.
The HIPAA law pertains to the full range of health care entities, from the smallest to the largest. In order to apply the rules reasonably, HHS recognizes that the rules must be somewhat flexible, as these entities have different resources and solutions. HIPAA doesn't dictate the exact security measures for entities to use, so that entities can come up with customized solutions. Be aware, when developing your HIPAA technology checklist, that HHS will take into consideration your entity's size, complexity and capabilities, as well as its technical, hardware and software infrastructure and the relative costs of security measures.