Last week, we took a look at changes coming for businesses associated with contracting for the Federal Government in our CMMC examination. This week, we change our focus to the field of medicine and the legal requirements for protecting medical data. This originates with the Health Insurance Portability and Accountability Act of 1996, commonly abbreviated as HIPAA.
**Please Note** No advisory contained in this article should be considered legal advice. While factually correct to the best of this author’s knowledge at the time of writing, compliance requirements change over time. We recommend to ALWAYS consult a professional when making business decisions regarding HIPAA compliance.
UNDERSTANDING THE LINGO
There are a few terms that are important to understand In this conversation. As noted, HIPAA is legislation that primarily aims to safeguard privacy relating to medical information. This is most commonly called Protected Health Information (PHI) and associated Electronic Protected Health Information (ePHI). HIPAA safeguards are related to both organizations and individuals, referred to as Covered Entities and Business Associates, depending on role in the PHI handling.
A Covered Entity can be loosely defined as an individual or organization that creates, handles, or transports PHI or ePHI as a primary part of his, her, or its business. However, as with much legislation, the answer in truth is more murky. For more information on who is a covered entity, please see this CMS.gov page.
A Business Associate is a person or organization that assists a Covered Entity in its business or activities performance and functions and thus has access to PHI, even if this is not the primary role of the business or the access is incidental. This could include individuals and organizations like CPAs, attorneys, consultants, independent transcriptionists, IT support, billing companies, or external health plan professionals. In fact, a Covered Entity is actually able to also be a business associate, as well, to another Covered Entity.
Some recurring language that one often will see in official HIPAA documentation stems from the Privacy Rule. While it can be dangerous to make simple summations with governmental regulations, this can be generally described in that a patient’s medical information should be protected by reasonable safeguards at all times. HIPAA splits this into three primary avenues: physical, technical, and administrative. (Check into a Safeguards FAQ from HHS.gov here, or a more complete list of safeguards here.)
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
However, proper understanding is required to apply the reasonability principle: as outlined in the HHS FAQ above, a patient may request communication via normal email, however what specific information is transmitted is limited because confidential communications may not take place over unencrypted email. In other words, it is reasonable to transmit non-confidential information only via normal email. This is important to keep in mind at all times: a technical process may prohibit a patient folder to be attached to email, for example, but may not screen for inadvertent disclosure via the actual email text.
- Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access, also known as principle of least privilege in the IT world).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
It is also imperative that, in the event of a known breach, proper protocol is followed. While too much for the scope of this article, information can be found here.
Please remember: It is the responsibility of the Covered Entity or Business Associate to achieve HIPAA compliance. While IT or other professionals may be key in preparation, the final liability rests with the HIPAA-covered individual or organization. Many who fall under HIPAA assume that their IT MSP will automatically take care of this and fall afoul of the law by not asking enough or the right questions!
The cold reality is likely that many medical professionals are not able to competently diagnose their organization’s HIPAA compliance in an unbiased manner. Colder still is that many medical professional organizations have not truly examined their level of HIPAA compliance at all.
If you find yourself unsure—or, conversely, you are sure that your business or organization is underprepared—WE CAN HELP! Contact us and put our team’s experience with compliance to work for YOUR SMB!