What Is HIPAA Compliance ?
Patient care providers are now using electronic health records (EHR) to store patients’ electronic protected health information (ePHI). There are many advantages to this system but also vulnerabilities. The government has established strict rules for the use of EHRs designed to protect a patient’s private health information (PHI) and to guard against cybersecurity breaches that could expose this protected information.
The rules are comprehensive and at times, difficult to understand. There are extremely high penalties for non-compliance with the governmental rules. Software programs have been created with EHR privacy and security rules in mind. Here is the least you need to know when working with your own EHR and software provider to be sure you are compliant with HIPAA’s rules.
The rules are comprehensive and at times, difficult to understand. There are extremely high penalties for non-compliance with the governmental rules. Software programs have been created with EHR privacy and security rules in mind. Here is the least you need to know when working with your own EHR and software provider to be sure you are compliant with HIPAA’s rules. Checkout How HIPAA-Compliant PrognoFax Improves Workflow
Who Must Comply with its Rules?
The use of EHRs is controlled by The Health Insurance Portability and Accountability Act of 1996 (HIPAA) which required the Secretary of the U.S. Department of Health and Human Services (HHS) to establish regulations to protect the security and privacy of certain health information. In response, HHS established two basic rules: The HIPAA Privacy Rule and the HIPAA Security Rule.
The HHS has published a list of who must comply with the Privacy Rule, which is the same list of entities that must comply with the Security Rule. The two rules apply to all medical providers who use EHR. A summary of the specifically listed entities includes the following.
Health Plans. This basically includes all health plans, either individual or group no matter what entity sponsors the plan, if the plan pays the cost of medical care. This includes providers of medical, dental, and vision care, prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicare Advantage or supplement insurers, and long-term care insurers. There are more than are included and there are also some exceptions.
Health Care Providers. Any health care provider who uses EHR for a standard medical transaction is a covered entity (CE) that must comply with the HIPAA rules. If health care providers bill for their services, they are CEs
Health Care Clearinghouses. Health care clearinghouses are entities such as billing services, repricing companies, and community health management information services, for example. The Privacy Rules apply to them when they are functioning in a way that provides them access to a patient’s PHI.
Business Associates. A business associate (BA) is a person or organization that provides services to a CE that involves the use or disclosure of a patient’s PHI.
Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform BA services or activities, the Rule requires the CE to have a contract that specifies the expected protections for compliance with HIPAA privacy safeguards of the EHR.
Compliance with the HIPAA Privacy Rule
The HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”
The purpose is to keep a patient’s protected health information (PHI) safe from discovery by those not authorized to access it. PHI is defined as “all individually identifiable health information a cover entity creates, receives, maintains or transmits in electronic form.” In general, this includes the patient’s:
- Name, address, birthdate and Social Security Number.
- Any information about the patient’s physical or mental health condition.
- Any medical care or treatment provided to the patient.
- Any information about payment for the care of the individual that identifies the individual or could lead to the ability to identify the individual.
Although patients have rights concerning the information, health care providers can disclose PHI when needed for patient care and treatment. This means health care professionals can access a patient’s EHR for a consultation, prescriptions can be sent to the pharmacy via EHRs, and for other specific purposes defined in the rule.
HIPAA Compliance With The Security Rule
The HIPAA Security Rule establishes minimum security standards for protecting all ePHI that is created, received, maintained, or transmitted by a CE or BA. If security standards are met, the National Coordinator for Heath Information Technology states that “property configured and certified EHRs can provide more protection to ePHI than paper files provided.”
These safeguards are to help health care providers avoid some of the common gaps that could lead to a cyber-attack and data loss. Safeguards with which you must comply include:
Administrative safeguards. The main requirement is that you perform a security risk analysis. The purpose is to identify any risks to the ePHI. This includes risks due to the conduct of your employees. Administrative actions must be taken to prevent, detect, and correct any security violations. You are required to perform a security risk analysis that identifies and analyzes risks to the protected information and then implement measures that will reduce the identified risks.
Physical safeguards. These safeguards protect the electronic information systems as well as the actual physical structure where the electronic information is stored from:
- Natural disasters.
- Environmental disasters.
- Unauthorized intrusions.
Organizational standards. The standards require written contracts between CEs and BAs. The contracts must specifically cover the need for security and prevention of breaches.
Policies and Procedures. Every CE must adopt reasonable written policies and procedures that comply with the requirements of the Security Rule. The written documents must be maintained for six years after their creation date “or last effective date (whichever is later).” The policies and procedures must be periodically reviewed and updated.
Protection Against Breach
News reports abound about security breaches, usually related to large retail chains or banks. Health care providers often believe they are so small that criminals will stay away and not bother to cyber-attack them. This is not true. Small organizations have frequently been hit by cyber-attacks and often the breach goes undetected for a time.
Whether you are a sole practitioner or a large medical group or metropolitan hospital, HIPAA compliance requires you to take steps to ensure that the PHI of your patients remains secure and protected from a cybersecurity breach.
Generally, software for EHRs has security features built-in or at least provided to you as part of the service you get from the software company. You are still charged with the duty of learning how these features work and making sure that you and your staff keep up to date on any upgrades.
HIPAA requires you to have strong EHR security practices whether your EHR is installed in your office or whether you use a cloud service provider that you access over the internet.
If you become aware of a breach or potential breach, you must “provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.”
Every CE and BA is subject to a HIPAA audit to be sure they are complying with the HIPAA Security Rule and Privacy Rule. This is conducted by the HHS Office for Civil Rights (OCR). Initially, HIPAA will send out a questionnaire asking for certain information about compliance. CEs and BAs who are selected for an audit will have 10 business days to provide the requested information to OCR through its website’s secure portal. Also Read – Audit preparation for small medical practices
The OCR will provide its results to the audited entity that can then respond. These written responses will be included in the final audit report.
HIPAA and Telehealth
The COVID-19 environment has resulted in changes regarding telehealth and HIPAA “on almost a daily basis.” According to HIPAA, “during the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.”
This allows health care providers to use almost any provision for communicating with their patients by way of any nonpublic facing remote communication product available to them. This includes “popular applications that allow video chats.” As an example, HIPAA clarifies that while Facebook Messenger can be used since it is not public facing, Facebook Live which is public facing does not meet the standard and cannot be used for telehealth.
Although the exception has been made due to the pandemic and to allow health care providers to treat specifically COVID-19 patients, it also allows doctors to treat their patients for other health problems.
How to Ensure Your Software is HIPAA Compliant
Not all software is HIPAA compliant. To be sure the software you use for your EHRs is compliant, it must meet the following criteria:
- All users must be authorized.
- Access is controlled so that only authorized users can access the data.
- An authorization monitoring program is in force.
- There is a data backup plan.
- There is a remediation plan in the event of a breach.
- There is an emergency mode.
- Users are automatically logged off after a certain period of time.
- Data is encrypted.
Related Article – Ensure Your Practice is HIPAA Complaint when Using Mobile Devices