Any organization that handles protected health information (PHI) must ensure that all the required physical, network, process and security measures are in place (and, more importantly, followed).
This includes covered entities (CE), defined as anyone who provides treatment, payment and operations in healthcare. Business associates (BA) are also included, meaning anyone who has access to patient information and provides support in treatment, payment or operations. Subcontractors (or business associates of business associates) have also been required to be in compliance since September 23, 2014.
The HIPAA Security Rule outlines best practices and security standards to protect health data that is created, received, maintained or transmitted electronically, referred to as electronic protected health information (ePHI), while the HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual.
In order to meet HIPAA compliance standards, our company is required to maintain strict administrative, physical and technical safeguards per the U.S. Department of Health and Human Services.
Understanding HIPAA Compliance
Facility access must be limited and controlled, with a defined procedure for authorized access. Additionally, policies about technology access and use must be in place for all covered entities and companies that want to be HIPAA compliant. Policies for transferring, removing, disposing of and re-using electronic media and electronic protected health information (ePHI) should also be included.
A method of verifying that ePHI has not been tampered with or destroyed is crucial.
In the event that data has been modified or lost, IT disaster recovery and offsite backups are crucial to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be fully recovered.
Software and hardware activity must be tracked in real-time logs, transformed into audit reports and retained as records so that the cause of any security violation can be pinpointed.
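One way to implement the tamper-detection requirement above is to attach a keyed integrity tag (HMAC-SHA256) to each stored ePHI record and recompute it on every read or during periodic audits. The following is an added example written for this page, not code from the original document or from any particular vendor; the record layout, the patient ids and the integrity key are all constructed for illustration, and a real deployment would pull the key from a key manager or HSM rather than from source code.

```python
import hmac
import hashlib
import json

# Constructed example key. In practice it comes from a key manager or HSM,
# is never stored next to the records, and is rotated on a schedule.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

TAG_FIELD = "_integrity_tag"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag over its content attached."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    sealed = dict(record)
    sealed[TAG_FIELD] = tag
    return sealed


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the record content and compare in constant time."""
    if TAG_FIELD not in sealed:
        return False  # an untagged record is treated as untrusted
    content = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonical_bytes(content), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed[TAG_FIELD])


def check_store(store: list) -> list:
    """Return the patient ids of records whose integrity tag no longer matches."""
    return [r.get("patient_id") for r in store if not verify_record(r)]


# Constructed sample records with fictional patient ids.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "allergy": "penicillin", "blood_type": "O+"},
    {"patient_id": "P-0002", "allergy": "none", "blood_type": "AB-"},
]


def demo() -> list:
    """Seal the sample store, simulate an unauthorized edit, and report what the audit flags."""
    store = [seal_record(r) for r in SAMPLE_RECORDS]
    assert check_store(store) == []  # freshly sealed records all verify
    store[1]["blood_type"] = "A+"    # simulated modification outside the application
    return check_store(store)        # ['P-0002']


if __name__ == "__main__":
    print(demo())
```

The tag covers the whole record, so any field change, not only the clinical ones, is detected; a deleted record is caught separately by reconciling the list of expected ids against the store, which is where the offsite backup described above comes in.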
Only authorized individuals should have access to electronic protected health data. To maintain data integrity, methods such as unique user IDs and an emergency access procedure must be used. It is strongly recommended to implement other safeguards, such as automatic logoff and encryption/decryption.
Public access to ePHI is strictly prohibited. Network security is required to ensure ePHI is only available to authorized parties, meaning all methods of data transmission over any network must be monitored and restricted.
In 2009, a supplemental act called the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in response to the rapid growth and adoption of electronic storage and transmission of health information. HITECH helps support the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules.
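The access-control and audit-logging safeguards described in the two paragraphs above (unique user IDs, an emergency access procedure, automatic logoff, and an audit trail that can be turned into reports) fit together in a small reference model. The following is an added example written for this page, not code from the original document or from any product; the user ids, the authorization table, the 15-minute idle timeout and the audit record layout are constructed assumptions, and the clock is passed in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass, field

# Constructed policy value: sessions are closed after 15 minutes without activity.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    last_activity: float


@dataclass
class AccessController:
    # user_id -> set of patient ids that user is authorized to view (constructed table).
    authorizations: dict
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, now, user_id, action, patient_id, outcome):
        # Every decision, allowed or denied, is recorded against a unique user id.
        self.audit_log.append({"time": now, "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def login(self, user_id, now):
        self.sessions[user_id] = Session(user_id, now)
        self._audit(now, user_id, "login", None, "ok")

    def _session_active(self, user_id, now) -> bool:
        """Return True if the user has a live session; enforce automatic logoff on idle."""
        session = self.sessions.get(user_id)
        if session is None:
            return False
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._audit(now, user_id, "auto_logoff", None, "idle_timeout")
            return False
        session.last_activity = now
        return True

    def read_record(self, user_id, patient_id, now, emergency=False) -> bool:
        """Decide a read request and log the outcome."""
        if not self._session_active(user_id, now):
            self._audit(now, user_id, "read", patient_id, "denied_no_session")
            return False
        if patient_id in self.authorizations.get(user_id, set()):
            self._audit(now, user_id, "read", patient_id, "ok")
            return True
        if emergency:
            # Emergency access procedure: granted, but flagged for mandatory review.
            self._audit(now, user_id, "read", patient_id, "emergency_access")
            return True
        self._audit(now, user_id, "read", patient_id, "denied_unauthorized")
        return False


def emergency_accesses(audit_log: list) -> list:
    """Audit report helper: the events a privacy officer must review."""
    return [e for e in audit_log if e["outcome"] == "emergency_access"]


def demo():
    """Walk through normal, unauthorized, emergency and timed-out access."""
    ac = AccessController(authorizations={"dr.lee": {"P-0001"},
                                          "nurse.kim": {"P-0001", "P-0002"}})
    ac.login("dr.lee", now=0)
    results = [
        ac.read_record("dr.lee", "P-0001", now=60),                    # True: authorized
        ac.read_record("dr.lee", "P-0002", now=120),                   # False: not authorized
        ac.read_record("dr.lee", "P-0002", now=180, emergency=True),   # True: break-glass, logged
        ac.read_record("dr.lee", "P-0001", now=180 + IDLE_TIMEOUT_SECONDS + 1),  # False: auto-logoff
    ]
    return results, ac.audit_log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```

The point of routing every decision through `_audit` is that the report the page calls for (who touched which record, when, and why) can be produced from one log, and the emergency path is deliberately noisier than the normal one so that it is reviewed rather than quietly absorbed.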