If an organisation can access private health data in the form of electronic Protected Health Information (ePHI), it should compile a thorough Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance checklist. This can help prevent HIPAA violations and thus maintain the integrity of the patient’s private data.
HIPAA violations can lead to financial penalties, mandated corrective action and even criminal charges. Ignorance is not considered an adequate excuse, and breaches must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within sixty days of discovery.
A covered entity (CE) is any health care provider, health plan or health clearinghouse that has access to PHI. Hospitals are considered to be CEs, not their employees. A regular employer is not considered a covered entity unless they provide their employees with an Employee Assistance Program (EAP) or other such benefit.
CEs may have “business associates”, a person or business that provides them a service. These may include accountants, email encryption services and lawyers. Before an associate can access PHI, they must sign a Business Associate Agreement. After this, they have the same obligation to maintain patient privacy as a CE.
Proposed HIPAA Compliance Checklist
Based on the various sub-categories of the HIPAA legislation, we have proposed the following guidelines on how to best avoid a breach. It is important to point out that, even though some measures are considered “addressable”, they are still compulsory. However, how the CE and their business associates (BA) best decide to enact these policies is at their discretion.
The primary goal of HIPAA legislation is to ensure that CEs and their associates enact technical, physical and administrative safeguards to protect PHI.
Under the HIPAA Security Rule, adequate safeguards must be in place to protect ePHI both while it is at rest and while it is in transit. These safeguards fall into three main subcategories: technical, physical and administrative measures.
Technical Safeguards concern the technology used to transfer and store PHI. The wording is deliberately vague; the only firm requirement is that all data must be encrypted to the standards laid out by NIST, so that if data is intercepted after it leaves the company’s firewall, the hacker will be unable to read the information. The security requirements are generally seen as “addressable” and can include the following.
- Means of access control – Each user is given a centrally-controlled username and PIN. Additionally, there must be a procedure for obtaining PHI in an emergency.
- Mechanisms to authenticate ePHI – Determine whether ePHI has been altered or destroyed in an unauthorized manner.
- Encryption and decryption – Messages must be adequately encrypted when they leave a company’s firewall, but retain the capacity to be decrypted when needed.
- Activity audit controls – Record any attempt to access ePHI and record what is done with that data once it has been accessed.
- Automatic logoff – Ensure that after a set period of inactivity, devices are forcibly logged off.
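As an added illustration of the technical safeguards listed above (this is constructed example code, not part of the original article or any HIPAA guidance), the following Python sketch shows how the checklist items map to concrete controls: unique user IDs with role-based access, an HMAC tag that authenticates each ePHI record, an audit entry for every access attempt, and a session that is refused after a period of inactivity. All user names, roles, the key and the timeout are assumed values.

```python
import hashlib
import hmac
import json

# Constructed demo values; a real deployment would use a managed key and policy.
INTEGRITY_KEY = b"demo-key-replace-in-production"
LOGOFF_AFTER = 900  # seconds of inactivity before forced logoff

# Access control: each user has a unique, centrally assigned identifier and a role.
USERS = {"dr-lee": "clinician", "billing-01": "billing"}
ROLES_MAY_READ = {"clinician"}  # only clinicians may read clinical ePHI here

audit_log = []  # activity audit control: every attempt, allowed or denied

def seal(record: dict) -> dict:
    """Attach an HMAC-SHA256 tag so later alteration of the record is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}

def verify(sealed: dict) -> bool:
    """Authenticate ePHI: True only if the body still matches its tag."""
    body = json.dumps(sealed["body"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

class Session:
    """Tracks the last activity time so idle sessions are logged off automatically."""
    def __init__(self, user: str, now: float):
        self.user = user
        self.last_activity = now

    def active(self, now: float) -> bool:
        return now - self.last_activity < LOGOFF_AFTER

def read_record(session: Session, sealed: dict, now: float):
    """Return the record body, or None if access is refused. Every attempt is audited."""
    if not session.active(now):
        outcome = "denied: session expired (automatic logoff)"
    elif USERS.get(session.user) not in ROLES_MAY_READ:
        outcome = "denied: role not permitted"
    elif not verify(sealed):
        outcome = "denied: integrity check failed"
    else:
        outcome = "allowed"
        session.last_activity = now  # successful use keeps the session alive
    audit_log.append({"time": now, "user": session.user,
                      "patient": sealed["body"].get("patient_id"), "outcome": outcome})
    return sealed["body"] if outcome == "allowed" else None
```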
Physical Safeguards are in place to protect the locations where data is stored or displayed. This may be an off-site data centre, the premises of the CE, or portable devices and hard drives.
- Access controls to secure facilities – Record every person who enters the location where PHI is stored.
- Workstation use – CEs must strictly control who has access to workstations where data is stored. This also means ensuring that screens cannot be seen by those in public areas.
- Mobile device security – Ensuring that mobile devices have adequate security to maintain the integrity of PHI is critical.
- Hardware inventory – Maintaining an inventory of what data is stored on which device can help trace breaches if they occur.
Administrative Safeguards are usually detailed by a CE’s Security Officer or Privacy Officer. The main safeguard is conducting continual risk assessments such that policies that ensure best practice can be put in place. From this, training courses for employees can be designed and contingency plans, should a breach occur, can be developed.
HIPAA Privacy Rule
The Privacy Rule sets limits on how and when PHI may be disclosed. It details a patient’s rights over their health data, allowing them to determine how it will be used and who can access it. Under the Privacy Rule, it is advised the CEs provide adequate training to employees and ensure that written permission is obtained before any PHI is used.
HIPAA Breach Notification Rule
Should a breach occur, the CE must notify the OCR within sixty days of the discovery of the breach. If the breach is large, the media must be notified, though if it involves fewer than 500 people, a report on the OCR website will suffice.
Breach notifications typically include the nature of the breach, who accessed the data, how it was used and how the CE reacted to mitigate any damage.
HIPAA Omnibus Rule
The Omnibus Rule is a recent update to the original HIPAA legislation. It was devised to cover aspects of HIPAA security that were omitted from the first draft of the legislation. There are five key ways in which HIPAA was changed:
- Introduction of the final amendments required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Incorporation of the increased, tiered civil money penalty structure required by HITECH.
- Changes to the harm threshold and inclusion of the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act.
- Modification of HIPAA to include the provisions of the Genetic Information Nondiscrimination Act (GINA), prohibiting the disclosure of genetic information for underwriting purposes.
- Prohibition of the use of ePHI and personal identifiers for marketing purposes.
These changes require new Business Associate Agreements, updated privacy policies and new staff training.
HIPAA Enforcement Rule
The Enforcement Rule lays out how a CE and their associates should act if a breach occurs. The OCR must be notified within sixty days of any security breach. This can prevent the application of additional fines.