McKinney Texas Attorney HIPAA Omnibus Privacy/Security Rule

HIPAA is the federal medical privacy and security law governing protected health information.  It is important to understand that 46 states also have laws governing protected health information.  Many state laws are more restrictive than HIPAA.

Penalties for Business Associates for violations of HIPAA can be as high as $1.5 Million per year, and can include prison time for the most serious criminal offenses.

There are two components to HIPAA protection, the privacy component found in 45 CFR 165 et seq. and the security component found in 42 CFR

The burden of proof under HIPAA is on the covered entity, which must prove that it notified everyone affected by a breach, or prove that the event was not a breach.

McKinney Texas Attorney Lee Ann Torrans

We Have Answers for YOUR HIPAA Audit

  1. Auditors have the potential to review our data center.
  2. Auditors review physical security, logical security, your policies and procedures.
  3. Video logs, and access logs will be reviewed.
  4. We mitigate the security issues surrounding your backup and disaster recovery issues.
  5. We can assist with confirming backup and recovery was not a part of the breach.
  6. Physical Compliance:

HROC Compliance


Business Associate Includes Subcontractors

Any company or individual that is exposed to, handles, or works with data classified as protected health information, including medical records, is a “Business Associate” of the medical entities it works for.

Subcontractors of “Business Associates” must comply with HIPAA requirements exactly as the Business Associate itself must.

You can segregate the PHI-handling component of your business and apply a strong security program exclusively to that PHI data.  PHI must be guarded physically, technically, and on an employee-by-employee basis.

Typically a covered entity (CE) can audit the security and privacy controls around your PHI data.

Fundamentally, before taking on health care clients you should begin with a review of your existing security and privacy program.

What are HIPAA Business Associates required to do?

  • Comply with HIPAA’s Security Rule – Implement specific policies & procedures; and implement physical, administrative, and technical safeguards to protect medical data.
  • Follow HIPAA’s Privacy Rule – Protect medical data from misuse; and follow the terms of new or existing Business Associate contracts.
  • Train All Employees on HIPAA and the Business Associate Requirements – Employees must be trained to provide the strongest protections to medical data.  It is important that your training be employee specific.  There should not be one training for all.  Training must address the specific employee’s access to data while addressing policies and procedures associated therewith.
  • Provide “Breach Notifications” if Medical Data is Compromised or Lost – Business Associates must promptly notify their medical entity partners – and in some cases, patients – if medical data in the Business Associate’s possession is compromised or lost.

Policies and Procedures Mandatory HIPAA Compliance

HIPAA compliance requires that each business associate of a covered entity together with their subcontractors have in place Policies and Procedures.

The purpose of Policies and Procedures is to “translate” HIPAA’s legal requirements and restrictions into guidance your workforce can understand.

Test Your Policies and Procedures Mandatory

Testing of your Policies and Procedures is mandatory.  The purpose of testing is to evaluate whether HIPAA’s protections for protected health information are functionally understood by the members of your workforce, which includes volunteers and contractors as well as employees.

HIPAA Policies and Procedures are Flexible and Scalable

Mandatory:  Policies and Procedures are mandatory for all Business Associates and their subcontractors.  It is possible that you are a Business Associate or subcontractor of a covered entity.  It is incumbent upon each organization to engage in a process of due diligence to determine whether your company is governed by HIPAA.

Flexible:  There is no one-size-fits-all policy document.  Policies and Procedures are intended to be flexible and scalable, so that BAs can create P&Ps that are appropriate for their needs.

Expandable:  A smaller Business Associate like an individual contract coder will require simpler and narrower Policies and Procedures than a billing firm or collection agency. Large and small BAs must have the same minimum set of P&Ps, with length and complexity expanding with the scope of the Business Associate’s duties.

HIPAA Policies Suitable for Your Business

HIPAA regulations specify nothing as to length, form, or format.  There is no specific language designated for policies.

HIPAA regulations identify subjects or objectives that each Policy or Procedure must address.

  1. General HIPAA Compliance Policy (164.104; 164.306; HITECH 13401): Covered Entities and Business Associates, which includes subcontractors, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of entity.
  2. Policies & Procedures General Requirement (164.306; 164.316; 164.312(b)(1); 164.530(i)): Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements.  P&P documentation of modifications is required.
  3. Documentation Policy Requirement (164.530(j)(1)(ii); 164.530(j)(1)(iii); 164.312(b)(2)(i); 164.316): All P&Ps must be reduced to writing.  All activities of the entity should be assessed, and the P&P regarding each activity as it relates to PHI must be documented.
  4. Documentation Retention Policy Requirement (164.316; 164.530(j)): Required documentation must be retained for six years from the date of creation or the date last in effect, whichever is later.
  5. Documentation Availability Policy Requirement (164.31; 164.316; 164.530(j)): Documentation must be made available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains.
  6. Documentation Updates Requirement (164.31; 164.316; 164.530(j)): Periodic review and update as required in conjunction with operational changes affecting the security of PHI.
  7. HHS Investigations Policy (160.308; 164.31; 164.312): Covered Entities, their BAs, and the BAs’ subcontractors are required to implement policies & procedures to assure compliance with HHS investigations.  This includes documentation of recordkeeping.
  8. Breach Notification Policy (164.400 to 164.414): Requires CEs and BAs and their subcontractors to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications.
  9. Assign Privacy Official Policy (164.530(a)): CEs and BAs must assign an individual for all Privacy-related activities and compliance efforts, and to accept and process complaints.
  10. State Law Preemption Policy (160.201 to 160.205): State law data privacy & security requirements can be more rigorous than HIPAA’s; HIPAA preempts contrary state law but is typically less forceful than state laws.
  11. HIPAA Training Policy (164.530(b)): CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed.
  12. PHI Uses & Disclosures Policy (164.502 to 164.514): CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regulations.
  13. Patient Rights Policy (164.520 to 164.528): CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regulations.
  14. Complaints Policy (164.530(d); 164.530(a)): CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received.
  15. Risk Management Process Policy (164.302 to 164.318; Required): Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements.
  16. Risk Analysis (164.308(a)(1); Required Standard): Conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.
  17. Risk Management (164.308(a)(1); Required Standard): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).
  18. Sanction Policy (164.308(a)(1); Required Standard): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  19. Information System Activity Review (164.308(a)(1); Required Standard): Implement procedures to regularly review information system activity: audit logs; access reports; security incident reports; etc.
  20. Assigned Security Responsibility (164.308(a)(2); Required Standard): Assign security responsibility.  Identify the Security Official responsible for development and implementation of required P&Ps.
  21. Authorization & Supervision Policy (164.308(a)(3); Addressable Standard): Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed.
  22. Workforce Clearance Policy (164.308(a)(3); Addressable Standard): Implement procedures to determine that the access of a workforce member to ePHI is appropriate.
  23. Termination Policy (164.308(a)(3); Addressable Standard): Implement procedures for terminating access to ePHI when employment ends or as required by (a)(3)(ii)(B) of this section.
  24. Access Authorization (164.308(a)(4); Addressable Standard): Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms.
  25. Access Establishment and Modification (164.308(a)(4); Addressable Standard): Implement P&Ps, based on Access Authorization policies, to establish, document, review, and modify a user’s rights of access to workstations, transactions, programs, or processes.
  26. Security Reminders (164.308(a)(5); Addressable Standard): Implement periodic reminders of security and information safety best practices.
  27. Protection from Malicious Software (164.308(a)(5); Addressable Standard): Implement procedures for guarding against, detecting, and reporting malicious software.
  28. Log-in Monitoring (164.308(a)(5); Addressable Standard): Implement procedures for monitoring and reporting log-in attempts and discrepancies.
  29. Password Management (164.308(a)(5); Addressable Standard): Implement procedures for creating, changing, and safeguarding appropriate passwords.
  30. Security Incident Policy (164.308(a)(6); 164.400 to 164.414; Required Standard): Identify and respond to suspected or known security incidents.  Mitigate harmful effects.  Document security incidents and their outcomes.
  31. Data Backup Policy (164.308(a)(7); Required Standard): Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events.
  32. Disaster Recovery Policy (164.308(a)(7); Required Standard): Establish (and implement as needed) procedures to restore any loss of data.
  33. Emergency Mode Operation Policy (164.308(a)(7); Required Standard): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.
  34. Testing and Revision Policy (164.308(a)(7); Addressable Standard): Implement procedures for periodic testing and revision of contingency and emergency plans.
  35. Applications and Data Criticality Analysis (164.308(a)(7); Addressable Standard): Assess the relative criticality of specific applications and data in support of other contingency plan components.
  36. Evaluation Policy (164.308(a)(8); Required Standard): Perform periodic technical & nontechnical evaluations to establish how well security P&Ps meet the requirements of this subpart.
  37. Business Associates Policy (164.308(b)(1); 164.41; 164.502(e); 164.504(e); Required Standard): CEs must obtain, and BAs must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded.
  38. Contingency Operations Policy (164.310(a)(1-2); Addressable Standard): Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency.
  39. Facility Security Policy (164.310(a)(1-2); Addressable Standard): Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  40. Access Control and Validation Policy (164.310(a)(1-2); Addressable Standard): Implement procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision.
  41. Maintenance Records (164.310(a)(1-2); Addressable Standard): Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.).
  42. Workstation Use (164.310(b-c); Required Standard): Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI.
  43. Workstation Security (164.310(b-c); Required Standard): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  44. Media Disposal & Disposition (164.310(d)(1-2); Required Standard): Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  45. Media Re-use (164.310(d)(1-2); Required Standard): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  46. Hardware & Media Accountability (164.310(d)(1-2); Addressable Standard): Maintain records of the movements of hardware and electronic media, and of any person responsible therefor.
  47. Data Backup and Storage (164.310(d)(1-2); 164.308(a)(7); Addressable Standard): The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software.  Risk Analysis determines what to back up.
  48. Unique User Identification (164.306; 164.312(a)(1-2); Required Standard): Assign a unique name and/or number for identifying and tracking user identity.
  49. Emergency Access Policy (164.104; 164.306; 164.312(a)(1); Required Standard): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
  50. Automatic Logoff (164.306; 164.312(a)(1-2); Addressable Standard): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  51. Encryption and Decryption (164.312(a)(1-2); Addressable Standard): Implement an appropriate mechanism to encrypt and decrypt ePHI.
  52. Audit Controls (164.312(b); Required Standard): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  53. Integrity Controls Policy (164.312(c)(1-2); Addressable Standard): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  54. Person or Entity Authentication (164.312(d); Required Standard): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  55. Transmission Security Policy (164.312(e)(1); Addressable Standard): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  56. Mobile Device Policy (164.302-164.314; Optional Policy): Governs the use in an entity of mobile devices that can access, use, transmit, or store ePHI.
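The Information System Activity Review (item 19), Termination Policy (item 23) and Log-in Monitoring (item 28) entries above all call for procedures that read audit logs and access reports and flag discrepancies.  The following script is an added example of what such a procedural review can look like in code; it is not code from this page, from the law firm, or from HHS.  The one-line-per-event log format, the user names, the terminated-access roster, and the three-failures-in-five-minutes threshold are all constructed assumptions: a real review reads the entity's own audit trail and applies thresholds set by its risk analysis.

```python
"""Information system activity review over constructed audit-log lines.

Added example: the log format, user names, roster and thresholds are
assumptions, not something the page or the regulations prescribe.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line:
# "<ISO timestamp> <user> <action> <outcome>".
SAMPLE_LOG = """\
2024-03-04T08:55:10 jdoe login success
2024-03-04T09:01:42 jdoe view_record success
2024-03-04T22:14:03 rpatel login failure
2024-03-04T22:14:20 rpatel login failure
2024-03-04T22:14:39 rpatel login failure
2024-03-04T22:14:58 rpatel login failure
2024-03-04T22:15:12 rpatel login success
2024-03-05T07:30:00 mlee view_record success
2024-03-05T11:02:17 jdoe login failure
"""

# Constructed roster of workforce members whose ePHI access has been
# terminated (Termination Policy, item 23): user -> date termination took effect.
TERMINATED_ACCESS = {"mlee": datetime(2024, 3, 1)}

# Review thresholds (assumed): this many failed log-ins inside one window is
# a discrepancy worth reporting.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, outcome = line.split()
        events.append((datetime.fromisoformat(stamp), user, action, outcome))
    return events


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Log-in monitoring (item 28): users with >= threshold failures inside one window.

    Returns {user: largest number of failures seen in any single window}.
    """
    failures = defaultdict(list)
    for stamp, user, action, outcome in events:
        if action == "login" and outcome == "failure":
            failures[user].append(stamp)
    bursts = {}
    for user, stamps in failures.items():
        stamps.sort()
        largest = 0
        for i, start in enumerate(stamps):
            in_window = sum(1 for s in stamps[i:] if s - start <= window)
            largest = max(largest, in_window)
        if largest >= threshold:
            bursts[user] = largest
    return bursts


def terminated_user_activity(events, terminated=TERMINATED_ACCESS):
    """Access-report check (items 19 and 23): activity by a user on or after their termination date."""
    return [
        (user, stamp, action)
        for stamp, user, action, outcome in events
        if user in terminated and stamp >= terminated[user]
    ]


def review(log_text, terminated=TERMINATED_ACCESS):
    """Run the periodic review and return all findings in one dictionary."""
    events = parse_log(log_text)
    return {
        "login_bursts": failed_login_bursts(events),
        "terminated_access": terminated_user_activity(events, terminated),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(f"{finding}: {detail}")
```

On the constructed log, the review reports `rpatel` (four failed log-ins within a minute, followed by a success, which is exactly the kind of discrepancy item 28 asks to be reported) and the `view_record` event by `mlee`, whose access was terminated four days earlier.  The single failure by `jdoe` stays below the threshold.  Each finding is also the documentary evidence the Documentation entries (items 3 and 4) require the review to leave behind.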

 
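The Integrity Controls entry (item 53) requires "electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner", and Audit Controls (item 52) requires mechanisms that examine activity in systems holding ePHI.  The following is an added example of one such mechanism, written for this page rather than taken from it or from any vendor: each record carries a keyed HMAC-SHA256 tag that corroborates its content, and a second tag over the set of record identifiers detects records that were silently deleted or added.  The records, the diagnosis codes and the key are constructed values; a real deployment draws the key from a key-management system and records every verification failure as a security incident (item 30).

```python
"""Integrity control for stored ePHI records (added example, not the page's code).

Assumptions: records are JSON-serialisable dictionaries with a "record_id"
field, and the HMAC key is a constructed demo value standing in for a managed key.
"""
import copy
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this in a key-management
# system, never in source code.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample ePHI records (fictional patients and codes).
SAMPLE_RECORDS = [
    {"record_id": "R-001", "patient": "P-1001", "diagnosis_code": "J06.9"},
    {"record_id": "R-002", "patient": "P-1002", "diagnosis_code": "E11.9"},
    {"record_id": "R-003", "patient": "P-1003", "diagnosis_code": "I10"},
]


def canonical(record):
    """Serialise a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag that corroborates the record content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record content still matches its tag (constant-time comparison)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def manifest_tag(sealed_records, key=INTEGRITY_KEY):
    """Tag over the set of record ids, so deleted or added records are detectable too."""
    ids = ",".join(sorted(s["record"]["record_id"] for s in sealed_records))
    return hmac.new(key, ids.encode(), hashlib.sha256).hexdigest()


def check_store(sealed_records, expected_manifest, key=INTEGRITY_KEY):
    """Periodic integrity check: which records were altered, and whether the set changed."""
    altered = [s["record"]["record_id"] for s in sealed_records if not verify(s, key)]
    set_changed = not hmac.compare_digest(manifest_tag(sealed_records, key), expected_manifest)
    return {"altered": altered, "set_changed": set_changed}


def demo():
    """Seal the sample store, then simulate an unauthorised edit and an unauthorised deletion."""
    store = [seal(r) for r in SAMPLE_RECORDS]
    expected = manifest_tag(store)
    baseline = check_store(store, expected)  # nothing altered, set intact
    # Simulated tampering: change one diagnosis code and drop another record entirely.
    tampered = copy.deepcopy(store)
    tampered[1]["record"]["diagnosis_code"] = "Z00.0"
    del tampered[2]
    return baseline, check_store(tampered, expected)


if __name__ == "__main__":
    before, after = demo()
    print("baseline:", before)
    print("after tampering:", after)
```

The per-record tag answers "was this record altered?" and the manifest tag answers "was a record destroyed or injected?"; the rule's wording covers both, and a per-record check alone would miss the deletion.  Whoever holds `INTEGRITY_KEY` can forge tags, so the key must be held by the integrity-checking function, not by the application accounts that write records; that separation is what makes the tag corroborate anything.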

Classify Data:

  1. Email, financial, employee files – every year
  2. Public Data, on website – every three years
  3. Sensitive client data, ePHI, and PCI data are protected data.  Review every six months for security and potential security incidents, and review all transactions associated with that data.

A Business Associate Agreement must meet the criteria of the HITECH Act; review your policies and contract language, and develop your own agreement.

Every Six Months Review

  • Transaction Law
  • Access Law