A Deeper Look at HIPAA

Last week, we took a look at changes coming for businesses associated with contracting for the Federal Government in our CMMC examination. This week, we change our focus to the field of medicine and the legal requirements for protecting medical data. This originates with the Health Insurance Portability and Accountability Act of 1996, commonly abbreviated as HIPAA.

**Please Note** No advisory contained in this article should be considered legal advice. While factually correct to the best of this author’s knowledge at the time of writing, compliance requirements change over time. We recommend to ALWAYS consult a professional when making business decisions regarding HIPAA compliance.

UNDERSTANDING THE LINGO

There are a few terms that are important to understand In this conversation. As noted, HIPAA is legislation that primarily aims to safeguard privacy relating to medical information. This is most commonly called Protected Health Information (PHI) and associated Electronic Protected Health Information (ePHI). HIPAA safeguards are related to both organizations and individuals, referred to as Covered Entities and Business Associates, depending on role in the PHI handling.

A Covered Entity can be loosely defined as an individual or organization that creates, handles, or transports PHI or ePHI as a primary part of his, her, or its business. However, as with much legislation, the answer in truth is more murky. For more information on who is a covered entity, please see this CMS.gov page.

A Business Associate is a person or organization that assists a Covered Entity in its business or activities performance and functions and thus has access to PHI, even if this is not the primary role of the business or the access is incidental. This could include individuals and organizations like CPAs, attorneys, consultants, independent transcriptionists, IT support, billing companies, or external health plan professionals. In fact, a Covered Entity is actually able to also be a business associate, as well, to another Covered Entity.

REQUIREMENTS

Some recurring language that one often will see in official HIPAA documentation stems from the Privacy Rule. While it can be dangerous to make simple summations with governmental regulations, this can be generally described in that a patient’s medical information should be protected by reasonable safeguards at all times. HIPAA splits this into three primary avenues: physical, technical, and administrative. (Check into a Safeguards FAQ from HHS.gov here, or a more complete list of safeguards here.)

PHYSICAL SAFEGUARDS

Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

TECHNICAL SAFEGUARDS

Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

However, proper understanding is required to apply the reasonability principle: as outlined in the HHS FAQ above, a patient may request communication via normal email, however what specific information is transmitted is limited because confidential communications may not take place over unencrypted email. In other words, it is reasonable to transmit non-confidential information only via normal email. This is important to keep in mind at all times: a technical process may prohibit a patient folder to be attached to email, for example, but may not screen for inadvertent disclosure via the actual email text.

ADMINISTRATIVE SAFEGUARDS

Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access, also known as principle of least privilege in the IT world).
Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

BREACHES

It is also imperative that, in the event of a known breach, proper protocol is followed. While too much for the scope of this article, information can be found here.

Please remember: It is the responsibility of the Covered Entity or Business Associate to achieve HIPAA compliance. While IT or other professionals may be key in preparation, the final liability rests with the HIPAA-covered individual or organization. Many who fall under HIPAA assume that their IT MSP will automatically take care of this and fall afoul of the law by not asking enough or the right questions!

TLDR:

The cold reality is likely that many medical professionals are not able to competently diagnose their organization’s HIPAA compliance in an unbiased manner. Colder still is that many medical professional organizations have not truly examined their level of HIPAA compliance at all.

If you find yourself unsure—or, conversely, you are sure that your business or organization is underprepared—WE CAN HELP! Contact us and put our team’s experience with compliance to work for YOUR SMB!

Tabbie Coulter

great professional service and very timely!! would highly recommend for your IT needs.

Jessie Palma

I love this company. They have soo much talent there and they always fix it so quickly! They are very professional and courteous! I've gotten to know some of them because we treat each other like human beings :) It's like having an extended family.

Fernando Perez

Awesome management! Great company.

Joseph Silbaugh

I needed to add an older laptop to the business account for my use on the road. CIO did everything remotely for me. It made the task so easy. They updated everything, added my office 365, my 3 emails and checked everything. Great job, quick and efficiently no stress. I recommend them highly

Kay Westerhold

Always a quick response. Issue solved and can continue on with the task every time. Great job CCIO!!

Bill Fissell

The service was prompt, friendly and knowledgeable. Could not ask for more than that.

Kevin Slack

Upgraded our router with Comcast. It did not go smoothly until Steve Plumlee got involved and got everything working well. When Steve is working on our IT issues, they get resolved. Amen.

Hickory Falls Family Entertainment Center

Thanks for going more in-depth with your engineers and investigating solutions and resolving some of our email challenges.

Bill Moorman

Certified CIO is a smart, professional and friendly team of engineers to work with. I am a bright person but computers can make me feel incompetent. The team at Certified CIO never allows you to feel awkward even asking the most basic questions. You have been a lifeline many times. Thanks for your support.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Better IT for Business. Call Today! (717) 340-6000 (443) 283-0666

Share This Story, Choose Your Platform!

Better IT for Business. Call Today!
(717) 340-6000
(443) 283-0666