A brief introduction to HIPAA Compliance

Prince George Software Quality Engineer

What is HIPAA?

● Health Insurance Portability and Accountability Act
● HIPAA is a federal law that protects the privacy and security of health data. It is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).
● Enacted in 1996. HIPAA was initially created to help the public with insurance portability. In addition, it established a series of privacy protections for healthcare data.
● HIPAA sets the standard for protecting sensitive patient data.
● Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI).

Important terms to know

Protected Health Information (PHI)

PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service.

Includes:

● Medical records
● Billing information
● Health insurance information
● Any individually identifiable health information

Important terms to know

Electronic Protected Health Information (ePHI)

All individually identifiable health information that is created, maintained, or transmitted electronically.

Covered Entity (CE)

Anyone who provides treatment, payment and operations in healthcare.

Includes:

● Doctor’s offices, dental offices, clinics, psychologists
● Nursing homes, pharmacies, hospitals or home healthcare agencies
● Health plans, insurance companies, HMOs
● Government programs that pay for healthcare
● Health clearinghouses

Important terms to know

Business Associate (BA)

Anyone who has access to patient information, whether directly, indirectly, physically or virtually, on behalf of a Covered Entity.

HIPAA requires that business associate relationships be formalized in a contract or agreement, commonly called a "Business Associate Agreement" or BAA.

Includes:

● IT providers, health applications
● Telephone service providers, document management and destruction
● Accountants, lawyers or other service providers

HIPAA Fines and Penalties

Violation category                 Amount per violation    Maximum for violations of an identical provision in a calendar year
Did not know                       $100 - $50,000          $1,500,000
Reasonable cause                   $1,000 - $50,000        $1,500,000
Willful neglect - corrected        $10,000 - $50,000       $1,500,000
Willful neglect - not corrected    $50,000                 $1,500,000

Who needs to be HIPAA compliant?

If you handle PHI then you need to be HIPAA compliant.

The HIPAA rules apply to both Covered Entities and their Business Associates; both need to protect the privacy and security of protected health information (PHI).

The Four Rules of HIPAA

HIPAA has four main “rules,” or sets of regulations, that specify how regulated organizations need to operate and handle PHI.

HIPAA Privacy Rule

HIPAA Security Rule

HIPAA Enforcement Rule

HIPAA Breach Notification Rule

HIPAA Privacy Rule

Addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.

Privacy means securing, protecting and maintaining the confidentiality of patients’ data in all formats, including electronic, paper and oral.

HIPAA Security Rule

National security standards intended to protect health data created, received, maintained, or transmitted electronically.

Protection of ePHI data from unauthorized access, whether external or internal, stored or in transit, is all part of the security rule.

Security is the set of methods, tools, strategies and processes used to ensure that privacy.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

HIPAA Breach Notification Rule

This rule establishes:

● What constitutes a reportable HIPAA breach
● What you must do in case of a breach
● Who you must notify in the event of a breach. Possible entities include: your customers, individuals whose identity was breached, HHS, law enforcement, the media
● How quickly you must notify

Becoming HIPAA Compliant

If you comply with the HIPAA rules, then you are "HIPAA-compliant."

The HIPAA Security Rule requires having the appropriate Administrative, Physical, and Technical Safeguards in place to ensure the confidentiality, integrity, and security of protected health information (PHI).

In other words, you need to cover all three bases in order to be compliant per the HIPAA guidelines.

The HIPAA Security Rule

The rule is divided into “standards,” which are required but often vague, and “implementation specifications,” which are either ‘required’ or ‘addressable’ and usually not much more specific than the standards.

September 23, 2013

Before September 23, 2013: the rules applied to hospitals, doctors, clinics, etc.

After September 23, 2013: the rules apply to anyone that touches PHI.

3 Parts to the HIPAA Security Rule

● Administrative Safeguards
● Technical Safeguards
● Physical Safeguards

Administrative Safeguards

The administrative components are essential when implementing a HIPAA compliance program.

Includes:

● Security Management Process
● Assigned Security Responsibility
● Information Access Management
● Security Awareness and Training
● Security Incident Procedures
● Contingency Planning
● Evaluation
● Business Associate Contracts and Other Arrangements

Physical Safeguards

Controls to protect the physical facilities, computers, and devices that house PHI, such as data centers, offices, laptops, thumb drives, workstations, etc.

Includes:

● Facility Access Controls
● Workstation Use
● Workstation Security
● Device and Media Controls

Technical Safeguards

Controls implemented through engineering processes; they embody privacy and security by design and should be incorporated as early as possible into your technical design process.

Includes:

● Access Controls
● Audit Controls
● Integrity Controls
● Person or Entity Authentication
● Transmission Security

Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.

Certifications

There is no body that can “certify” that an organization is HIPAA compliant.

The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body.

The evaluation standard in the Security Rule requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet security requirements.

Conclusion

When you boil it down, HIPAA is really asking you to do 4 things:

● Put safeguards in place to protect patient health information.
● Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
● Have agreements in place with any service providers that perform covered functions or activities for you.
● Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patients’ health information.

Thank You….