Extensive Work with HIPAA Compliance Requirements and Program Development

Richard P. Kusserow | February 2020

Strategic Management’s knowledge and experience in HIPAA and HITECH center on the importance of understanding and incorporating the regulatory compliance requirements into an existing organizational strategy and compliance infrastructure. Since the initial draft of the HIPAA Privacy and Security Rule was released, our team has provided research, analysis, and program support on privacy and security rules and requirements to a number of organizations, including both commercial sector entities and government agencies.

Specifically, our experience includes developing privacy research briefs, educational programs, and project tracking tools for the Department of Defense Military Health System, where we trained over 700 MHS Project Officers, Privacy Officers and other MHS officials in HIPAA requirements, and supported the HIPAA compliance progress of over 100 military treatment facilities.

Strategic Management also conducted HIPAA implementation progress reviews for the Office of Personnel Management Federal Employee Health Benefit Program (FEHBP) contractors, and has supported hundreds of private sector health care organizations in the development, assessment, and management of their privacy and security compliance programs.

Continue reading to learn more about how we have helped other health care entities and what we can do for your organization. If you would like to speak with a member of our HIPAA compliance team, you can call Catie Heindel at (847) 256-2323 or you can click here to fill out our online form.

Overview of the Health Insurance Portability and Accountability Act (HIPAA)

With a growing reliance on information technology in the health care industry and the adoption of electronic medical records (EMRs), it is crucial to ensure the safe handling of sensitive data. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules define requirements for the appropriate use and safeguarding of protected health information (PHI). The standards under the HIPAA Privacy and Security Rules provide patients with access to their medical records and more control over how their personal health information is used and disclosed by health care providers, health plans, and health care clearinghouses, collectively referred to as “covered entities.”

The regulations protect medical records and other individually identifiable health information, whether it is on paper, electronic, or orally communicated. In February 2009, the Obama Administration enacted the American Recovery and Reinvestment Act (ARRA) which contained the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. The HITECH provisions include updates to the HIPAA Privacy and Security standards and were enacted to further strengthen the privacy and security of PHI.

HIPAA Privacy Rule

While the Security and Privacy Rules both share the common goal of safeguarding PHI, the Privacy Rule applies to all media types including paper, oral, or electronic. The Privacy Rule requires covered entities to consider the confidentiality, integrity, and availability of PHI. Examples of key provisions under the Privacy Rule include:

  • Access to Medical Records
  • Notice of Privacy Practices to Patients
  • Limits on Use of Personal Medical Information
  • Prohibition on Marketing Patient Information
  • Confidential Communication between Patients and Physicians

The Privacy Rule requires covered entities to adopt and implement procedures regarding the use and disclosure of PHI. The use and disclosure of PHI can be categorized into the following categories: Required Disclosures; Permitted Uses and Disclosures; and Authorized Uses and Disclosures. Below is an overview of the various uses and disclosures of PHI according to the HIPAA Privacy Rule.

  • Required Disclosures. Covered entities are required to disclose PHI to an individual or his or her personal representative when the individual requests to access their PHI or receive an accounting of disclosures of their PHI. In addition, if HHS is conducting an investigation, review, or an enforcement action, covered entities are required to disclose PHI to the agency.
  • Permitted Uses and Disclosures. Covered entities may use and disclose PHI without an individual’s authorization in the following situations:
    • To the individual who is the subject of the PHI;
    • When an individual is given an opportunity to agree or object to the use or disclosure. This is common practice for facility directories;
    • Uses and disclosures that occur “incident to” a permitted use or disclosure;
    • For the purposes of treatment, payment, and health care operations (TPO);
    • For public interest and benefit activities such as judicial and administrative proceedings, victims of abuse, neglect, or domestic violence; and
    • Limited data for the purpose of research, public health or health care operations.
  • Authorized Uses and Disclosures. Covered entities must obtain an individual’s written authorization for any use or disclosure of PHI that is not for TPO, permitted, or required by the HIPAA Privacy Rule. This includes, but is not limited to, psychotherapy notes (Note: there are exceptions, see the HIPAA Privacy Rule for additional information) and marketing.

It is important to note that when a covered entity uses or discloses PHI, the organization must abide by the Privacy Rule’s “minimum necessary” requirement. This provision mandates that covered entities make a reasonable effort to use, disclose, and request only the information necessary to complete the task at hand.

HIPAA Security Rule

The Security Rule’s focus is on the safeguarding of electronic PHI (ePHI). The Security standards are organized into three categories: Administrative Safeguards; Physical Safeguards; and Technical Safeguards. A brief description of each safeguard is provided below:

  • Administrative Safeguards refers to the covered entities’ policies and procedures established to protect the confidentiality and availability of ePHI. HIPAA requires covered entities to implement administrative safeguards including procedures for internal risk assessments, policies to control employee access to ePHI, and contingency plans to secure ePHI during emergencies.
  • Physical Safeguards refers to the covered entity’s physical access to health information, including information technology systems, filing systems, and storage areas. To meet HIPAA standards, covered entities must use physical safeguards such as equipping data centers with adequate locks and monitoring the use and location of all electronic hospital equipment containing patient information.
  • Technical Safeguards refers to covered entities’ security of wireless communication and information systems. Covered entities are required under HIPAA to limit access to ePHI only to persons who require such information to fulfill their employment obligations.

Within these HIPAA Security Safeguards there are 18 standards and 36 implementation specifications. Implementation specifications are further categorized into “Required” and “Addressable.” Required specifications are critical and must be implemented, while “Addressable” specifications are considered scalable and are based on the individual needs and practices of an entity.

Overall, the take-home message to covered entities is that you are under increased pressure to improve the privacy and security of PHI. Notably, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), charged with implementing and enforcing the HIPAA standards, is currently reviewing covered entities’ compliance with the HIPAA Privacy and Security Rules and breach notification standards under the HITECH Act.

During the course of 2012, OCR intends to audit 150 health care entities and assess each organization’s internal controls and safeguards that protect patients’ health information. OCR states that the audits’ results will be used to understand covered entities’ HIPAA compliance efforts and determine what type of additional guidance is needed for organizations to comply with the rules. However, covered entities can be subject to possible fines and penalties if OCR identifies significant deficiencies that warrant further evaluation. To avoid such implications, covered entities must ensure that they have adopted and implemented the appropriate safeguards to comply with all federal and state HIPAA regulations.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
