The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It’s also known as the Kassebaum–Kennedy Act and Kennedy–Kassebaum Act after its two leading sponsors. It consists of five titles, with the first two having the greatest relevance for covered organizations. Title I deals with continuing coverage for health insurance when workers change or lose their jobs. Title II, also known as the Administrative Simplification provisions, mandates national standards regarding electronic protected health information (EPHI).
Title II applies to “covered entities” as defined by HIPAA, which generally includes any organization that handles EPHI in a manner regulated by HIPAA. Covered entities include health care providers, health care insurers, billing services for health care and community health care systems. Title II consists of five rules including the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule and the Enforcement Rule. The Security Rule generally accounts for the majority of effort by covered entities with respect to compliance.
The Security Rule was issued in 2003 and took effect later that year. The compliance date for most covered entities was 2005, although entities with “small plans” weren’t required to comply with the Security Rule until 2006. The Security Rule specifically applies to EPHI and classifies security practices into the following categories:
Administrative safeguards require covered entities to clearly document the policies and procedures that will allow them to comply with HIPAA requirements. These entities must appoint a privacy officer who will be responsible for developing and implementing a set of written policies and procedures. The procedures must identify the classes of employees who are allowed access to EPHI. These employees must require such access as an essential part of their job function. The administrative safeguards must also address the authorization, creation and modification of EPHI access as well as the termination of employees for violating HIPAA regulations.
Covered entities must demonstrate that employees with access to EPHI receive ongoing training on the proper handling of this information. Entities that outsource work to a vendor must also ensure those vendors develop a framework for complying with HIPAA requirements. Client organizations typically obtain this assurance with contractual terms that require the vendor to meet the same HIPAA requirements as the client. These terms must be carefully constructed to ensure they apply to any of the vendor’s subcontractors.
The administrative safeguards also require covered entities to develop contingency plans for responding to emergencies. These plans will primarily consist of data backup procedures and the procedures for recovering data in the event of a disaster. A disaster recovery plan (DRP) should include the prioritization of data, development of testing activities and the procedures for analyzing failures. It should also include procedures for controlling changes to the DRP.
HIPAA compliance requires covered entities to perform internal audits for the purpose of identifying possible security violations. Audit procedures should document the frequency and scope of the audits, which the entity should perform on both a routine basis and in response to a specific event. These procedures should also provide instructions for responding to any security breaches that are discovered during an audit or in the course of normal operations.
Physical safeguards generally refer to methods of controlling physical access to EPHI. These safeguards must carefully control and monitor access to hardware containing EPHI, since such access must be limited to authorized personnel. Physical safeguards also include procedures for installing and removing hardware and software. The removal of hardware is particularly problematic, since such equipment must be properly disposed of to prevent the compromise of EPHI.
The documentation for physical safeguards includes security plans and maintenance records for the facility in addition to the procedures for signing in visitors and escorting them. Covered entities must also provide procedures for the proper use of workstations, which should include placing them only in low-traffic areas and positioning monitors so they can’t be directly viewed by the public. Covered entities must ensure that contractors and other third parties receive appropriate training on their responsibilities regarding the physical access of EPHI.
Technical safeguards control access to information systems that contain EPHI, which generally means protecting those systems from intrusion. These safeguards also include measures to prevent third parties from intercepting EPHI when it’s transmitted through a network. Covered entities must encrypt EPHI when transmitting it through an open network. Transmission through a closed network doesn’t require EPHI to be encrypted, since HIPAA considers the existing access controls for those networks to be sufficient. Technical safeguards also include procedures to prevent EPHI from being used for purpose not related to health.
Covered entities must ensure that the EPHI stored in its computer systems isn’t changed in an unauthorized manner. They must corroborate data to ensure its integrity, which typically involves methods such as check sums, digital signatures, double-keying and message authentication. Covered entities must also authenticate the entities that receive EPHI by using methods such as two-way handshakes, passwords, telephone callbacks and token systems.
Technical safeguards require covered entities to document their HIPAA practices and provide such documentation to government authorities for the purpose of verifying compliance. This documentation should also include the configuration settings for all of the covered entity’s information systems. This requirement will typically involve regular updates to the documentation due to the highly dynamic nature of configuration settings. Covered entities must also document their procedures for performing risk management and risk analysis. This requirement includes an analysis of the operational risks of implementing the systems needed to comply with HIPAA requirements.
I.S. Partners, LLC can assess your procedures for ensuring the confidentiality, integrity and availability of EPHI. This assessment will help you take the steps needed to avoid security breaches and possible penalties. Call us at 215-675-1400 or request a HIPAA Compliance quote today.