Name:
The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules PDF
Published Date:
12/03/2012
Status:
[ Active ]
Publisher:
CRC Press Books
Preface
The Department of Health and Human Services (HHS) has published four major rules implementing a number of provisions and regulations set out by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, enacted as part of the American Recovery and Reinvestment Act (ARRA). These rules are the Privacy Rule; the Electronic Transactions and Code Sets Rule; the National Identifier requirements for employers, providers, and health plans; and the Security Rule. HITECH also added more regulatory control over enforcement actions and stiffer penalties for noncompliance. Many healthcare providers, healthcare clearinghouses, and health plans are required to implement and comply with these rules, especially the Security Rule. Failure to implement or comply with these rules can leave the covered entity, or others that need to comply, open to large monetary fines, civil lawsuits, and other penalties.
With the rise of security breaches and other high-profile incidents involving successful hacking, it is very apparent that information has become a valuable commodity. The United States has transformed from a nation built on manufacturing and industry into an information and knowledge powerhouse. With advances in technology comes the opportunity for criminals to find another source of income by exploiting vulnerabilities in that technology. Retail, financial, and governmental entities have been targeted and have fallen victim to these types of crimes; however, they are not the only industries susceptible. Technology has made companies more efficient, and healthcare providers are now required to submit Medicaid and Medicare reimbursement requests electronically. These capabilities have brought with them additional regulations for the healthcare industry, and these regulations have brought to the forefront the importance of securing electronic protected health information (EPHI).
Just as a credit report is used to determine the creditworthiness of an individual, patient information may already be used, or will eventually be used, to determine the health status of individuals. There has been a boom in the market for selling patient information to health and life insurance companies. These insurance companies rate individuals on their "health score" to determine their eligibility for a specific healthcare product or service.
Wherever there is money or financial gain to be made, there will be individuals who attempt to get into the market, legally or illegally. Since the name of the game is information, the information itself becomes very valuable. This raises one major question: How well do you, as a healthcare provider, protect your clients' medical records and patient information?
The Security Standards in HIPAA were developed to implement appropriate security safeguards for the protection of certain EPHI that may be at risk, while permitting authorized individuals to access and use this information under allowable uses.
Assessing these standards takes into consideration three fundamental security parameters: confidentiality, integrity, and availability.
This book was designed to assist the healthcare provider, or covered entity, in reviewing the accessibility of EPHI to verify that it is not altered or destroyed in an unauthorized manner and that it is available as needed by authorized individuals for authorized use. This book covers the following implementation standards and provides recommendations on how to comply with these standards, if required, to strengthen the security posture of the organization:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational requirements
• Policies/procedures and documentation requirements
Following the recommendations in this book will give a covered entity assurance that it is complying with the implementation standards of the HIPAA/HITECH Privacy and Security Rules, and the book also provides recommendations based on other related regulations and industry best practices. This book can also help entities that are not covered but want to assure their customers that they are doing their due diligence to protect personal and private information. Because the HIPAA/HITECH rules apply to all covered entities and will most likely apply to business associates and subcontractors of business associates, it may not be long before these rules become the de facto standards for all companies to follow.
One of the most valuable parts of this book is the set of sample documents that are required, along with directions for using these policies and procedures to establish proof of compliance. This book will not take the place of a qualified individual conducting HIPAA assessments of the covered entity; however, the entity will be better prepared when the assessment is conducted or if an HHS auditor arrives at the door. The entity will also be well informed about taking the proper steps to protect its clients' information and strengthen its security posture. This can provide a strategic advantage to the organization, demonstrating to clients that it cares not only about their health and well-being but also about their privacy.
| Edition : | 12 |
| Number of Pages : | 463 |
| Published : | 12/03/2012 |
| isbn : | 978-1-4665-07 |