HIPAA Compliance – Introduction & Pointers

Introduction

Protecting the confidentiality, integrity and availability of patient information by healthcare organizations became a legal requirement via the Health Insurance Portability and Accountability Act, (HIPAA), which came into enactment in 1996.

HIPAA is a federal law, designed to protect the privacy of individually identifiable patient information, both physically and electronically. It provides continuity and Portability of health benefits to individuals in between jobs and also provides measures to combat fraud and abuse in health insurance and health care delivery (Accountability).

Applicability

HIPAA is applicable to 3 Covered Entities (CE). They are:

• health care providers who transmit information electronically (e.g., physicians, hospitals)
• health care insurance companies; and
• health care clearing houses (facilitators for processing of health information for billing purposes)

What is Protected Health Information (PHI)?

It is the individually identifiable health information about a patient. It includes the physical or psychological status of an individual, whether past, present, or future, that is created, collected, or is in the custody of a functional entity such as health plan providers, schools, universities, hospitals, etc. It can be in any form -> written (reports, charts, x-rays, letters, messages, etc.), oral (phone calls, meetings, informal conversations, etc.) or electronic (computer records, faxes, voicemail, PDA entries, etc.). Examples can be:

• Name, photograph, date of birth
• Social security number, Passport number
• Physical and mental condition
• Address, telephone number, email, FAX
• Admission date/information, medical record number, individual’s healthcare payments
• Finger prints, health status, diagnosis, clinical records

Sub-divisions of HIPAA

HIPAA is broken into 2 Titles:-

Title I: Health Care Access, Portability, and Renewability

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform, is broken into 5 rules. These rules include: The Privacy Rule; The Transactions and Code Sets Rule; The Security Rule; The Unique Identifiers Rule; and The Enforcement Rule.

Out of the five rules, the two most important and applicable ones are The Security Rule and The Privacy Rule.

HIPAA Security Rules ensure CIA of all electronic PHI (ePHI). Key concepts of the Security Rule are as follows:

• Principle based – all entities are required to comply with a series of security best practices and principles
• Reasonableness – appropriate measures must be taken to mitigate all reasonably anticipated risks
• Full Compliance – all company employees must comply with all the rules
• Documentation – formal documentation and approval of processes, policies and procedures
• On-going Compliance – regular security training is needed and policies to be revised as and when necessary

The Security Rule consists of 3 sets of requirements, which are as follows:

1. Physical Safeguards – meant to protect a CE’s ePHI from unauthorized physical access

• Facility access controls
• Workstation use
• Workstation security
• Device and media controls

2. Technical Safeguards – for the use of technology to protect ePHI, mainly controlling access to it

• Access control
• Audit controls
• Integrity
• Person or entity authentication
• Transmission security

3. Administrative Safeguards – to create a strong security foundation focusing on internal organization, policies, procedures and maintenance of security measures that protect PHI

• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedures
• Contingency plan
• Evaluation
• Business associate contracts and other arrangements

CEs must maintain all documentation (e.g., policies & procedures) required by the Security Rule for a period of 6 years from the date of its creation or the date when it last was in effect, whichever is later.

5. Compliance

5.1 How can we help

Regardless of size or complexity, if an organization is a CE, there are 8 key steps it should consider when preparing to comply with the Security Rule.

1. Obtain and Maintain Senior Management Support
   Compliance requires substantial time and resources; and hence awareness and education of the Senior Management about the Security Rule is absolutely essential, to have their continual support throughout the compliance process. This is where NII’s role comes in – educating senior management about the necessity of HIPAA compliance; presenting them with the hostile consequences of non-compliance; explaining them how the Senior Management of CEs that do not comply with the Security Rule would fall in the limelight of auditors, lawyers and unhappy patients, leading to loss of goodwill; and also, as the compliance efforts progress, keeping the senior managers informed and up-to-date.
2. Develop and Implement Security Policies & Procedures
   The first step, even before implementing security processes and techniques to protect ePHI, is to carefully identify and define what security policies and procedures are needed to be developed and implemented for a particular CE. NII’s role would be to conduct a comprehensive gap analysis to understand the existing organizational environment and then to come up with the required policies for that organization, in order to achieve compliance. These would help define the organization’s security related strategic goals by providing an overall security framework, and would provide a baseline for the selection and use of its security technologies.
3. Conduct and Maintain Inventory of ePHI
   Ensuring the CIA of ePHI becomes difficult, if it can’t be located. So this task of regularly identifying and documenting the flow of ePHI throughout the organization is to be done by NII. Certain points which would be checked during this process are – whether there is regular exchange of its ePHI with any of the business partners, does any information system regularly send ePHI to any other information system, does the organization regularly send its ePHI over the Internet, etc.
4. Be Aware of Political and Cultural Issues Raised by HIPAA
   Compliance with the Security Rule also requires significant changes in the organizational culture, particularly the way in which employees interact with ePHI.For example, the development of new policies and procedures requiring monitoring and auditing of employee actions; or the changes to a CE’s access control policy leading to the fact that employees, who had unrestricted access to ePHI previously, may now have only limited access. Such changes might arouse confusion, resistance or even ego/political clashes within the organization.These issues can be mitigated by educating the employees about the requirements of the Security Rule, about the importance of protection of ePHI, and the methodology to be taken by the organization to comply with the rule. This entire exercise would be done by NII, in the first phase of the compliance process. Additionally, to have a better approach, soliciting feedback from employees and review on proposed security policies and processes could also be done as a part of this exercise.
5. Conduct Regular and Detailed Risk Analysis
   • Build the probable realistic threat scenarios that threaten patient data
   • Determine the likelihood and magnitudes of threat realization
   • Prioritize a set of the most cost-effective safeguards for the operation
6. Determine what is Appropriate and Reasonable
   Using the risk documentation from the Risk Analysis process, NII would propose security controls that can mitigate or eliminate the identified unacceptable risks to ePHI. These controls would reduce the risk levels of ePHI and related information systems to an acceptable level. These recommended controls would then be evaluated; when the CE moves into the phase of risk mitigation.
7. Documentation
   The Security Rule needs CEs to formally document a wide range of security policies and procedures, which have to be approved by the Senior Management and regularly reviewed and revised as necessary. A CE with nil or limited documentation would be at significant risk when visited by an auditor or a lawyer. They would also want to compare the organization’s security policies against the industry best practices and also see documentation of the addressable implementation specification decisions, which the organization makes. This entire documentation would be taken care by NII.
8. Prepare for on-going compliance
   CEs should comply with the Security Rule on a continual basis. So, the development and implementation of security policies, procedures, techniques, and controls is to be done keeping in mind that they must be regularly reviewed and updated as and when necessary. In the future, risks to ePHI and related mitigation measures are likely to change; so the organization must understand and be prepared to respond to these changes. Additionally, HIPAA being a federal law, the Security Rule is subjected to change by the US government. So, a regular monitoring for this rule, for any changes, needs to be done. This continual improvement and compliance process can be handled by NII.

6. Other Important Aspects

6.1 Roles Defined by HIPAA

HIPAA Privacy Rules define who is authorized to access information and includes the right of individuals to keep information about themselves from being disclosed.

Two roles are defined under this Rule. They are

1. Chief Security Officer (CSO) – his role is to identify the Chief Privacy Officer; to ensure that not only is compliance achieved, but that it is maintained. In his role, the CSO must be both technical and business oriented. Thus he must ensure that the process of security and risk management aligns with the business operations, while providing effective protection for PHI too.
2. Chief Privacy Officer (CPO) – he is responsible for development and implementation of policies and procedures. The CPO must be cognizant of any legal issues that arise out of staff and patient concerns over privacy, the provisions and the limitations of the Act; and take action to resolve the matter while ensuring continued compliance and protection of PHI.

Working in partnership, the CSO and CPO play crucial roles in the overall compliance of a CE with HIPAA.

6.2   HIPAA Do’s and Don’ts

• One must lock laptops and PDAs when not in use and log off after each time a computer is used. One must not write down or share passwords with anyone. PHI from systems and devices must be purged as soon as possible.
• One must shred or properly dispose of all documents containing PHI that are not part of the official medical record. Also one should limit the PHI that is taken home.
• A secure protocol for confidential sending and receipt of faxes that contain PHI and other confidential health information should be set.
• Secured networks for e-mails containing PHI should be used and a confidentiality disclaimer should be added to the footer of such e-mails.
• One should discuss PHI in secure environments so that others do not overhear the conversation. One must not be negligent with PHI in any form, whether oral, written or electronically stored.