The 411 on HIPAA and HITECH Compliance
Most group practices and clinics have adopted the Electronic Health Record (EHR). If you’re one of these organizations, you know how imperative it is to keep your Protected Health Information (EPHI) safe. Both HIPAA and the HITECH Act lay out very specific requirements about data protection and regardless of your size, you are required to keep your Protected Health Information (PHI) data secure. This is especially imperative if your organization electronically transmits health information for financial or administrative reasons, such as claims processing, benefit eligibility, referral authorization requests, and other transactions defined under the HIPAA Transactions Rule.
3 Areas of HIPAA Compliance
HIPAA compliance is the responsibility of every administrative and clinical staff member in your organization. To make compliance requirements easier to digest, HHS established three areas of HIPAA compliance.
Administrative — These measures ensure the integrity of patient data and accessibility only to authorized parties. It requires HCOs to:
- Implement a security management process that identifies potential risks to EPHI and appropriate security measures to reduce risks and vulnerabilities.
- Designate a security official who is responsible for ensuring HIPAA and HITECH compliance.
- Identify who has authorized access to EPHI.
- Provide appropriate security training to employees and follow through with appropriate sanctions against any employee who violates security policies.
- Perform a periodic assessment to assess the effectiveness of your security policies.
Physical — These measures ensure the security of facilities and devices that contain EPHI. It provides HCOs to:
- Limit physical access to their facilities to authorized personnel only and protect against physical intrusion.
- Ensure secure access to workstations and electronic media. This includes procedures for the transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of EPHI.
Technical — These measures ensure that your IT systems and networks are secure from data breaches and unauthorized access. It requires HCOs to:
- Protect their IT systems against digital intrusion and ensure that EPHI is transmitted over a secure network.
- Only allow authorized individuals to access EPHI and ensure IT systems provide an audit trail to track EPHI access.
- Ensure EPHI is not improperly or erroneously altered or destroyed.
The HITECH Act of 2009 shored up these privacy and security provisions:
- HCOs, business associates, and service providers are all responsible for the security of EPHI.
- HCOs must promptly notify affected individuals whose PHI was compromised.
- HCOs must report any security breach that affects more than 500 individuals to the HHS Secretary.
- HCO business associates must notify the HCO of any breach at or by the business associate.
- Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis.
How to Comply with HIPAA and HITECH Technical Measures
Whether you are a hospital, clinic, medical practice, HCO business associate, or HCO service provider, you will need to address the following in order to comply with HIPAA and HITECH technical measures.
- Develop policies and procedures for data backup and recovery.
- Back up your data on a regular, frequent basis and ensure you can retrieve exact copies of EPHI and restore any lost data. Follow the 3-2-1 backup rule: 3 copies of your data across 2 media with 1 copy stored offsite.
- Establish acceptable but aggressive Recover Time Objectives (RTOs) and Recovery Point Objectives (RPOs) and develop a disaster recovery plan that meets these objectives.
- Periodically test your disaster recovery plan to be sure it works before a real disaster happens.
- Perform an annual risk assessment to determine whether your systems and data are a security risk and how vulnerable you are to attack.
- Develop a data breach response plan to identify who is responsible for what when a breach occurs, how to communicate with individuals whose PHI was compromised, how to handle the media, minimize further data loss, and remediate the breach.
- Encrypt EPHI data in transit and at rest.
- Ensure HCO business associates and service providers meet HIPAA and HITECH security requirements.
If you are found in noncompliance with HIPAA and HITECH regulations, it can cost you. Fines are based on the violation category or level of perceived negligence and can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation (see Figure 1).
If you are breached and fined, your organization is listed on the HHS Office for Civil Rights (OCR) Breach Portal and “Wall of Shame” if the breach involves 500 or more individuals. If your organization has a breach of this magnitude, the name of your HCO will be permanently listed.
HCOs have two choices when it comes to ensuring compliance with technical HIPAA requirements: DIY (Do It Yourself) or hire an IT Managed Service Provider (MSP). Whether you are a large or small HCO, you may find that you have limited IT resources and/or skills in-house to ensure your EPHI is private and secure. This is why many HCOs look to HIPAA-compliant MSPs to back up their systems, ensure the privacy of EPHI, and provide the best protection from security breaches.
Figure 1: Categories of Violations and Respective Penalty Amounts Available. Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95