HIPAA Compliance Summary
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a United States federal law. Its rules apply to the healthcare industry and to the organizations that handle health data on its behalf. They exist to protect patients' medical records by requiring that medical billing, personal records, and patient account information, collectively Protected Health Information (PHI), or electronic PHI (ePHI) when it is stored, processed, or transmitted electronically, are handled and secured to a defined standard. The objective of the Security Rule is to protect the confidentiality, integrity, and availability of individuals' electronic health information without blocking technological progress within healthcare. The Security Rule consists of the following main categories:
Security Standards: General Rules
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Organizational Requirements
Policies & Procedures and Documentation Requirements
This summary also covers the related Breach Notification Rule and Privacy Rule.
You must comply with the HIPAA Security Rule and Privacy Rule if your organization electronically stores, processes, or transmits medical records, medical claims, remittances, certifications, or other healthcare-based Protected Health Information (PHI), whether you do so as a covered entity or as a business associate acting on a covered entity's behalf. You can see a summary
The information below is not meant to be comprehensive or definitive of what is required for a HIPAA compliance audit. If you have questions or are going to embark on a formal HIPAA compliance effort, consult with a certified security professional, compliance officer, or privacy officer.
Security Standards General Rule
Does the organization have a written security program that is designed to protect PHI? Protected health information (PHI, or ePHI when it is created, received, maintained, or transmitted in electronic form) is information, including demographic data, that relates to:
The individual's past, present or future physical or mental health or condition
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual...
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Is the security approach flexible, that is, scaled to the organization's size, complexity, and capabilities, its technical infrastructure, the cost of the security measures, and the probability and criticality of the risks to ePHI (the factors listed in § 164.306(b)(2)), and has the organization implemented policies and procedures for all of the HIPAA safeguards?
Administrative Safeguards
HHS.gov states, "The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” The Administrative Safeguards comprise over half of the HIPAA Security requirements. As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity."
Physical Safeguards
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI. When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office, and could include workforce members’ homes or other physical locations where they access EPHI.
You'll see questions related to topics like:
Facility Security Plan
Access Control and Validation Procedures
Visitor Security Controls
Physical Security Zones
Workstation Use and Security
Device and Media Controls including disposal
Technical Safeguards
The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The Rule does not mandate specific products; the organization selects the security measures that provide reasonable and appropriate protection for each standard. "Reasonable and appropriate" is judged against the organization's own circumstances (the § 164.306(b)(2) factors) and must be supported by its documented risk analysis, so the choice is the organization's to make, but also the organization's to justify to an auditor. You'll see questions related to topics like:
Unique User Identification
Emergency Access Procedures
Automatic Logoff
Encryption and Decryption
Audit Controls
Integrity Controls
Person or Entity Authentication
Transmission Security
Organizational Requirements
The Business Associate Contracts and Other Arrangements standard found at § 164.308(b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity’s electronic protected health information (EPHI). The standard at § 164.314(a)(1) provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. The actual language used to address the requirements can be tailored to the needs of each organization, as long as the requirements are addressed.
Organizational requirements address things like:
Business Associate Contracts or Other Arrangements
Business Associate Contracts with Subcontractors
Contracts with Group Health Plans
Policies & Procedures
The Policies and Procedures standard at § 164.316(a) reads:
“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”
The Rule does not define “policy” or “procedure” themselves, so their form and level of detail are left to the organization, but § 164.316(b) requires that policies, procedures, and the records of required actions and assessments be maintained in written (which may be electronic) form. You'll be exposed to questions that address:
Broad Security Policy
Policy Time Limits (documentation must be retained for six years from the date of its creation or the date it was last in effect, whichever is later, and reviewed and updated as needed)
Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers pursuant to section 13407 of the HITECH Act.
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. Under § 164.402 such a use or disclosure is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. Note the word "unsecured": PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons by the methods in HHS guidance (encryption meeting that guidance, or destruction) is not unsecured, and its loss does not trigger the notification obligations, which is why encrypting ePHI at rest and in transit matters so much in practice. The general rule at § 164.404(a)(1) states that "A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach."
The HIPAA Assessment questions will address:
Breaches Treated as Discovered (a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent other than the person who committed it)
Timeliness of Notification (without unreasonable delay and in no case later than 60 calendar days after discovery)
Content of Notification
Notification to the Secretary of Breaches
Notification by a Business Associate
Law Enforcement Delays
Privacy Rule
HHS.gov states "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections."
HIPAA Assessment questions will address:
Covered Entities: Permitted Uses and Disclosures
Business Associates: Permitted Uses and Disclosures
Business Associates: Required Uses and Disclosures