For clinics with access to electronic Protected Health Information (ePHI), compliance with HIPAA’s guidelines is compulsory. HIPAA exists to safeguard patient information and to ensure that personal healthcare data is not misused and is protected from theft or embezzlement.
A healthcare organization that fails to abide by HIPAA’s regulations runs the risk of fines. Where ePHI is breached, the offender can also face criminal charges or civil lawsuits. According to the Office for Civil Rights (OCR) of the Department of Health and Human Services, ignorance of HIPAA’s regulations is not a defense, which is why the OCR imposes fines on those who fail to adhere to them, regardless of whether the infringement was deliberate or unintentional.
At this point, you may wonder why HIPAA is so important, so let’s get down to the basics. HIPAA stands for Health Insurance Portability and Accountability Act; it was enacted in 1996 to ensure the protection of patient medical data. HIPAA does the following things:
- Enables US workers and their families to keep their health insurance coverage when they are between jobs;
- Reduces fraud and abuse in the healthcare sector;
- Enforces industry regulations for electronic billing and various other processes;
- Mandates standards for the transmission and handling of patient information.
Many important matters that previously went unaddressed, such as healthcare abuse, embezzlement and data theft, are now covered by HIPAA. It also establishes a security benchmark for online medical billing.
Considering the substantial risks of not complying with HIPAA’s regulations, we hope we have established the pressing need to comply with them. If you are relatively new to this, below is the complete HIPAA compliance checklist for 2018 to 2019. This checklist will help ensure that your healthcare company abides by the regulations set by HIPAA to protect sensitive patient healthcare records.
Although HIPAA’s requirements are intentionally non-prescriptive, each Covered Entity and Business Associate with access to Protected Health Information must build an effective HIPAA compliance program that protects the organization against data theft by putting technical, administrative, and physical safeguards in place so that the integrity of PHI is maintained.
If a breach of HIPAA’s regulations occurs, the organization will be obligated to report which security measures it had in place and which it did not, and it will undergo an investigation to determine how the breach of PHI happened. If the breach occurred because HIPAA’s policies were not followed, the healthcare company can find itself in serious trouble.
So, if you are a healthcare company that doesn’t know how to become HIPAA compliant, this checklist is for you; the HIPAA requirements are explained in depth below. Healthcare company owners who are unsure how to approach HIPAA’s requirements in a disciplined way should get in touch with a professional.
HIPAA Security Rule
The HIPAA Security Rule is established to shield ePHI whether it is in transit or at rest. The rule extends to all individuals and medical companies that contain valuable and sensitive patient data. By “contain” we mean that a company or an individual can create, edit or view ePHI or personal data that discloses the identity of a patient. The HIPAA Security Rule is further classified into three categories, which are explained in detail below:
1. Technical Safeguards
Technical Safeguards concern the technology, together with the written and accessible policies and procedures governing its use, that controls user access to systems containing ePHI.
Standard 1. Access Control
- Each member of the workforce should be assigned a unique user identification (a username or ID number) that can be used to identify and track system activity.
- Emergency access procedures should be implemented that authorize designated employees to access ePHI during an emergency.
- Machines that contain ePHI should automatically log off a session that has been idle for a set number of minutes.
- Encryption and decryption mechanisms should be implemented on machines that store ePHI.
Standard 2. Audit Controls
- Audit controls should regularly record, examine and retain logs of system activity and ePHI handling.
Standard 3. Integrity
- A mechanism should be in place on the system to verify that ePHI has not been accessed, altered or destroyed without authorization.
Standard 4. Person or Entity Authentication
- Person or entity authentication should be in place to ensure that only approved workers or users can access particular information and ePHI.
Standard 5. Transmission Security
- All ePHI transmitted electronically should be protected by integrity controls to ensure it has not been altered in transit.
- ePHI stored in any system should be encrypted.
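The access control, audit control and integrity items above can be tied together in a small piece of code. The following is an added illustration written for this checklist, not code from the original page or from any HIPAA product; the store, the user ids, the 15-minute idle timeout and the records are all constructed for the example.

```python
import hashlib, hmac, json

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed value; the page gives no idle time


class EphiStore:
    """Illustrative ePHI store: per-user audited access, idle logoff, HMAC integrity tags."""
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}   # record_id -> (serialized record, integrity tag)
        self._sessions = {}  # user_id -> timestamp of last activity
        self.audit_log = []  # one entry per access attempt, successful or not

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user_id, action, record_id, outcome, now):
        self.audit_log.append({"user": user_id, "action": action, "record": record_id,
                               "outcome": outcome, "time": now})

    def login(self, user_id: str, now: float) -> None:
        self._sessions[user_id] = now
        self._audit(user_id, "login", None, "ok", now)

    def _session_active(self, user_id: str, now: float) -> bool:
        last = self._sessions.get(user_id)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(user_id, None)  # automatic logoff of the idle session
            return False
        self._sessions[user_id] = now  # activity refreshes the idle timer
        return True

    def write(self, user_id: str, record_id: str, record: dict, now: float) -> bool:
        if not self._session_active(user_id, now):
            self._audit(user_id, "write", record_id, "denied", now)
            return False
        data = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (data, self._tag(data))
        self._audit(user_id, "write", record_id, "ok", now)
        return True

    def read(self, user_id: str, record_id: str, now: float):
        if not self._session_active(user_id, now):
            self._audit(user_id, "read", record_id, "denied", now)
            return None
        data, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(data)):  # integrity control
            self._audit(user_id, "read", record_id, "integrity-failure", now)
            return None
        self._audit(user_id, "read", record_id, "ok", now)
        return json.loads(data)
```

Every denied, failed or successful access ends up in the audit log with the unique user id, which is what the audit control and activity review items later in the checklist expect to find.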
2. Physical Safeguards
Physical safeguards should be considered while policies and procedures are being formulated. Physical safeguard policies should protect electronic systems and ePHI from physical hazards that could disrupt the system, such as outsider intrusion, environmental emergencies or other risks. As with administrative safeguards, every measure a company takes should be documented and accessible to employees, so that whenever there is ambiguity they can consult the policy and understand how they contribute to protecting patient data and what is expected of them.
Standard 1. Facility Access Controls
- Contingency operations procedures should be established that allow authorized individuals to access the physical facility and data in the event of a crisis.
- A facility security plan should be formulated to protect the assets that hold ePHI from intruders and theft.
- Access control and validation procedures should govern when, how, and to whom access to hardware storing ePHI is granted.
- Maintenance records should document alterations to the physical facility, for example renovations or changes to doors or keys.
Standard 2. Workstation Use
- Workstation use policies should specify the proper use and functions of devices and workstations where ePHI is stored.
Standard 3. Workstation Security
- Workstation security should include physical safeguards that control who can reach workstations and hardware from which ePHI is accessible.
Standard 4. Device and Media Controls
- Transfer of devices that contain ePHI should be carefully overseen.
- Procedures should be established for how and when ePHI is removed from devices before they are reused.
- Hardware and media that can access ePHI should be accounted for and, where necessary, tracked.
- Data backup and storage procedures should include creating exact copies of ePHI.
3. Administrative Safeguards
Administrative safeguards should be established to create policies and procedures that employees can refer to and follow so that their practices comply with HIPAA. Each of these standards should be documented as a written policy, available to all staff members, so they understand the basic steps they must take to protect patients’ security and confidentiality.
Standard 1. Security Management Process
- A risk analysis should be carried out to assess the confidentiality of ePHI.
- Risk management measures should be implemented to evaluate potential weaknesses in the handling of ePHI that could lead to a breach.
- Sanction policies should be applied to workers who fail to comply with policies and procedures, including employees who do not adhere to HIPAA’s standards.
- Information system activity reviews should be established so that system activity is monitored on a day-to-day basis.
Standard 2. Assigned Security Responsibility
- Security responsibility should be assigned to a designated employee who routinely monitors, develops, and maintains the privacy policies and procedures.
Standard 3. Information Access Management System
- Workers who are expected to handle ePHI should undergo a screening process; they also need to be authorized and supervised.
- Workforce clearance procedures should determine which individuals are allowed to access ePHI and which are not.
- Termination procedures should be established to ensure that workers who have left the organization can no longer access the ePHI they could access while they were employed.
Standard 4. Workforce Training and Management
- Any employee given access to a system containing ePHI should first undergo training and then be supervised in how they handle ePHI.
- Employees who do not abide by the rules should be sanctioned.
Standard 5. Evaluation System
- An evaluation system should be in place to assess how employees conduct themselves with ePHI, and policies and procedures should be routinely monitored and evaluated.
HIPAA Privacy Rule
The HIPAA Privacy Rule is the first rule of its kind in the US dealing with the protection of a patient’s protected health information (PHI).
The rule was established by the HHS to prevent a patient’s personal information from being misused or disclosed to third parties. A patient undergoing treatment at a particular hospital is notified which personnel will have access to their personal information, while the required health data can still reach the hospital departments that need it.
Additionally, the rule entitles patients to obtain their PHI on request.
HIPAA Breach Notification Rule
Patient health information can be leaked even when all safety measures are taken. For such cases, HIPAA has a Breach Notification Rule that guides the organization and its employees in responding to the breach.
Breach notifications should include the following:
- The kind of PHI and personal identifiers that were leaked.
- The person who caused the breach (if known).
- Whether the PHI was extracted or merely observed.
- The extent to which the risk has been mitigated.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule was issued to govern various matters that had been overlooked by past updates to HIPAA. It changed definitions, clarified methods and approaches, and extended the HIPAA compliance checklist to business associates and the entities they work with.
A Business Associate is any person or organization that creates, receives, maintains or transmits Protected Health Information while performing functions on behalf of a covered entity. The term also includes contractors, consultants, data storage companies, health information organizations and any subcontractors used by Business Associates.
The Omnibus Rule categorized HIPAA Regulations into five further areas:
- Incorporation of the final amendments as made necessary by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Introduction of the increased, tiered civil money penalty structure as made necessary by HITECH.
- Changes to the harm threshold, together with the final rule issued for Breach Notification for Unsecured Protected Health Information under the HITECH Act.
- Amendments to HIPAA incorporating the provisions of the Genetic Information Nondiscrimination Act (GINA), which prohibit the disclosure of genetic information for underwriting purposes.
- Prohibition of the use of personal identifiers or patient health information for marketing or sales purposes.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigation that follows a breach of PHI, the fines that can be imposed on the offender, and the procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.
The Bottom Line:
Whether you are an individual healthcare provider or you provide medical billing services in the USA, being HIPAA compliant is necessary, as the healthcare industry is going through a massive reform in which the focus is shifting from volume-based care to value-based care. Therefore, to stay in the industry you need to adhere to its laws.