HIPAA Compliance

What is HIPAA ?

  • To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Public Law 104-191 was enacted by Congress.
  • HIPAA sets standard for protecting sensitive patient data
  • Covered entities and business associates need to protect the privacy and security of protected health information (PHI).

What steps need to be taken in order to become HIPAA compliant?

Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI).

There are 4 rules that need to be observed:

RULE 1. 

HIPAA PRIVACY RULE:

RULE 2: 

HIPAA SECURITY RULE:

RULE 3:

HIPAA ENFORCEMENT RULE:

RULE 4: 

HIPAA BREACH

NOTIFICATION RULE:

The FOUR RULES

RULE 1. HIPAA PRIVACY RULE

The HIPAA Privacy Rule establishes national standards to protect patient medical records and other personal health information (PHI) and applies to health plans, health care clearing houses, and those health care providers that conduct certain health care transactions electronically.

RULE 2. HIPAA SECURITY RULE:

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The security rule is made up of 5 parts:

  1. Administration Safeguards (Security Management, Security Personnel, Information Access Management, Workforce Training and Evaluation)
  2. Physical Safeguards (Facility, Workstation and Device Security)
  3. Technical Safeguards (Access, Computer Hardware, Software and Network Security)
  4. Organizational Requirements (Covered Entity Responsibility and Business Associates Agreements)
  5. Policies and Procedures and Documentation Requirements

RULE 3: The HIPAA ENFORCEMENT RULE:

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160. Subparts C, D, and E.

RULE 4. HIPAA BREACH NOTIFICATION RULE:

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

HIPAA OMNIBUS RULE

On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “HIPAA Omnibus Rule,” a set of final regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy.  Security and Enforcement Rules to implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Highlights of
OMNIBUS FINAL RULE

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan
  • There are new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individuals health information without their permission.
  • Penalties for noncompliance with the final rule are based on the level of negligence with a maximum penalty of $1.5 million per violation.
  • Health Plans also have changes related to the Genetic Information Nondiscrimination Act (GINA) that must be reflected in their policies and NPPs

What can the
BLUEMED GROUP DO FOR YOU?

Choose HIPAA Privacy and Security Officer – appoint a privacy and security officer. This could either be the same or different individuals. They will be responsible for implementation of compliance in the organization

Conduct Risk Assessment – review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI)

Assess Risks – review risks identified in risk assessment and plan control measures.

Develop HIPAA Privacy and Security Policies and Procedures – develop and implement HIPAA Privacy and Security policies and procedures

Train Employees – train all employees who use or disclose protected health information

Monitor Compliance – monitor compliance regularly.

OUR GOAL: ACHIEVING HIPAA COMPLIANCE:

Achieving HIPAA compliance is the responsibility of everyone involved in the practice. Building a culture of compliance in organization depends on 4 important components.

  1. Risks Assessment
  2. Creating HIPAA policies
  3. Training the Team
  4. Monitoring

Implementing best practices for HIPAA, conducting ongoing risk analysis, workforce training and HIPAA policy awareness will go a long way in protecting any organization’s PHI and ensuring privacy and security. As per the OIG, implementing an ongoing training program for staff isn’t just a good idea, it’s actually a requirement in order for covered entities and their business associates (healthcare providers, hospitals, individual clinics etc.) to stay HIPAA and HITECH compliant.