Your Organization Probably Isn’t HIPAA Compliant
The Health Insurance Portability and Accountability Act (HIPAA) has been in force since 1996. The HIPAA Privacy Rule covers Protected Health Information (PHI) in any medium, and the HIPAA Security Rule covers electronic protected health information (ePHI). The resulting list of responsibilities is long and closely regulated, and the penalties for non-compliance have hit organizations of every size.
The American Medical Association reports on its website:
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
A Deeper Dive
Protected Health Information (PHI) is not limited to electronic records; it applies equally to paper records, telephone conversations and any other medium. According to the Department of Health and Human Services, PHI is individually identifiable health information that relates to:
- the individual’s past, present or future physical or mental health or condition or
- the provision of health care to the individual or
- the past, present, or future payment for the provision of health care to the individual
Additional Employer Responsibilities Under HIPAA
- Employers must put in place security rule compliance policies and procedures.
- Medical records must be stored separately and apart from other business and personnel records, to ensure their confidentiality and limited access.
- Employers (or their providers) must update plan documents and business associate agreements to comply with the Security Rule. All programs that handle employee health information, such as flexible spending plans, wellness programs, or employer self-insured options, must be HIPAA compliant.
- State privacy laws may be stricter than HIPAA and must also be complied with.
- Employees must be notified every time there is a substantive change in their plan that may affect medical privacy. Additionally, if the employer's state makes substantive changes, new privacy amendments may be necessary.
- Employers must notify employees of their privacy rights, then update the notice, redistribute the notice, or point to it every three years starting by April 14, 2006, for large plans and April 14, 2007, for small plans.
- Employers must train any employee who has contact with medical records in appropriate HIPAA compliance.
- Employers must investigate any privacy complaint that they receive. Consequently, employers may want to have a written policy for responding to and investigating any privacy complaint that they receive. Employers should put the results of their investigation in writing.
- Employers must discipline any employee who disregards or disobeys HIPAA privacy requirements.
The HIPAA Security Rule prescribes a number of required policies, procedures and reporting mechanisms that must be in place for every information system that processes ePHI within the Covered Entity. It also prescribes required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI across the enterprise. "Addressable" does not mean optional: the entity must assess whether the specification is reasonable and appropriate for its environment, implement it or an equivalent alternative measure, and document that decision. The specifications fall into five categories:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures
So how does a business manage its compliance obligations and protect its patients? How does a business avoid spending critical overhead dollars? How does a business manage its Administrative, Physical and Technical Safeguards? How does a business protect itself and its employees from a massive mistake?
Businesses that want to manage HIPAA efficiently make a simple call to NetSource One. We understand the technology that guards your consumers’ sensitive health information. We have the tools and expertise to help you meet HIPAA standards.
The NetSource One HIPAA Risk Assessment is not just another “checklist” approach. We use a structured methodology to collect and present the data required to demonstrate your compliance with the HIPAA regulations.
Think of it like a medical engagement. We will:
1. Gather information about your current condition.
2. Conduct ‘lab tests’ to get under the skin of your information technology.
3. Provide a treatment plan.
NetSource One presents you with a package designed specifically to meet auditor requirements. Our package includes:
· The Risk Analysis required by regulation
· Supporting Worksheets and Reports that document your compliance efforts, and
· A Management Plan to remediate any shortfalls.
Simple, easy, effective HIPAA management is only a phone call away. To further discuss this process, please contact:
Wes Reynolds, CISSP
Information Security Consultant