McKinney Texas Attorney HIPAA Omnibus Privacy/Security Rule
HIPAA is the federal medical privacy and security law governing protected health information (PHI). It is important to understand that 46 states also have laws governing health information, and many of those state laws are more restrictive than HIPAA.
Civil penalties for Business Associates can be as high as $1.5 million per calendar year for violations of an identical HIPAA provision, and the most serious criminal offenses can carry prison time.
There are two main components to HIPAA protection: the Privacy Rule, found at 45 CFR Part 164, Subpart E (164.500 et seq.), and the Security Rule, found at 45 CFR Part 164, Subpart C (164.302 through 164.318). The Breach Notification Rule sits alongside them at Subpart D (164.400 through 164.414).
The burden of proof under HIPAA is on the covered entity or business associate. Under 164.414(b) it must be able to demonstrate either that all required notifications were made to the people affected by a breach, or that the incident did not constitute a breach.
McKinney Texas Attorney Lee Ann Torrans
We Have Answers for YOUR HIPAA Audit
- Auditors have the authority to review your data center.
- Auditors review physical security, logical security, and your policies and procedures.
- Video logs and access logs will be reviewed.
- We help you remediate the security issues surrounding your backup and disaster recovery arrangements.
- We can assist with confirming that backup and recovery systems were not part of the breach.
- Physical Compliance:
HROC Compliance
Business Associate Includes Subcontractors
Any company or individual that is exposed to, handles, or works with data classified as protected health information, including medical records, is a “Business Associate” of the medical entities it works for.
Subcontractors of “Business Associates” must comply with HIPAA requirements to the same extent as the Business Associate itself.
You can segregate the PHI component of your business behind a strong security program dedicated to PHI data. PHI must be guarded physically, technically, and on an employee-by-employee basis.
Typically a covered entity (CE) can audit the security and privacy component of your operations that handles its PHI data.
Fundamentally, you should begin with a review of your existing security and privacy program before taking on health care clients.
What are HIPAA Business Associates required to do?
- Comply with HIPAA’s Security Rule – Implement specific policies & procedures; and implement physical, administrative, and technical safeguards to protect medical data.
- Follow HIPAA’s Privacy Rule – Protect medical data from misuse; and follow the terms of new or existing Business Associate contracts.
- Train All Employees on HIPAA and the Business Associate Requirements – Employees must be trained to provide the strongest protections to medical data. It is important that your training be employee specific. There should not be one training for all. Training must address the specific employee’s access to data and the policies and procedures that go with it.
- Provide “Breach Notifications” if Medical Data is Compromised or Lost – Business Associates must notify their medical entity partners – and in some cases, patients – if medical data in the Business Associate’s possession is compromised or lost. Under 164.410 the notice to the covered entity must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
Policies and Procedures Mandatory HIPAA Compliance
HIPAA compliance requires that each business associate of a covered entity together with their subcontractors have in place Policies and Procedures.
The purpose of Policies and Procedures is to “translate” HIPAA’s legal requirements and restrictions into guidance your workforce can understand.
Test Your Policies and Procedures Mandatory
Testing of your Policies and Procedures is mandatory. The purpose of testing is to evaluate whether the HIPAA protections for protected health information are functionally understood by the members of your workforce, which includes volunteers and contractors in addition to employees.
HIPAA Policies and Procedures are Flexible and Scalable
Mandatory: Policies and Procedures are mandatory for all Business Associates and their subcontractors. It is possible that you are a Business Associate or subcontractor of a covered entity. It is incumbent upon each organization to engage in a process of due diligence to determine whether your company is governed by HIPAA.
Flexible: There is no one-size-fits-all policy document. Policies and Procedures are intended to be flexible and scalable, so that BAs can create P&Ps that are appropriate for their needs.
Expandable: A smaller Business Associate like an individual contract coder will require simpler and narrower Policies and Procedures than a billing firm or collection agency. Large and small BAs must have the same minimum set of P&Ps, with length and complexity expanding with the scope of the Business Associate’s duties.
HIPAA Policies Suitable for Your Business
HIPAA regulations contain no specificity as to length, form or format. There is no specific language designated for policies.
HIPAA regulations identify subjects or objectives that each Policy or Procedure must address.
| # | Policy | Citation(s) | Requirement | Standard |
|---|---|---|---|---|
| 1 | General HIPAA Compliance Policy | 164.104; 164.306; HITECH 13401 | Covered Entities and Business Associates, which includes subcontractors, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of entity. | |
| 2 | Policies & Procedures General Requirement | 164.306; 164.316; 164.312(b)(1); 164.530(i) | Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. Documentation of modifications to P&Ps is required. | |
| 3 | Documentation Policy Requirement | 164.530(j)(1)(ii); 164.530(j)(1)(iii); 164.312(b)(2)(i); 164.316 | All P&Ps must be reduced to writing. All activities of the entity should be assessed, and the P&P governing each activity as it relates to PHI must be documented. | |
| 4 | Documentation Retention Policy Requirement | 164.316; 164.530(j) | Required documentation must be retained for six years from the date of creation or the date it was last in effect, whichever is later. | |
| 5 | Documentation Availability Policy Requirement | 164.31; 164.316; 164.530(j) | Documentation must be made available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains. | |
| 6 | Documentation Updates Requirement | 164.31; 164.316; 164.530(j) | Periodic review and update as required, in conjunction with operational changes affecting the security of PHI. | |
| 7 | HHS Investigations Policy | 160.308; 164.31; 164.312 | Covered Entities, their BAs and the BAs’ subcontractors are required to implement P&Ps to assure cooperation with HHS investigations. This includes documentation and recordkeeping. | |
| 8 | Breach Notification Policy | 164.400 to 164.414 | Requires CEs, BAs and their subcontractors to comply with all Breach Notification requirements: the four-factor risk assessment of the probability that the PHI has been compromised; and the required notifications. | |
| 9 | Assign Privacy Official Policy | 164.530(a) | CEs and BAs must assign an individual responsible for all Privacy-related activities and compliance efforts, and for accepting and processing complaints. | |
| 10 | State Law Preemption Policy | 160.201 to 160.205 | HIPAA preempts contrary state law, except that state law provisions that are more stringent than HIPAA’s privacy protections remain in force. Many state laws are more stringent than HIPAA. | |
| 11 | HIPAA Training Policy | 164.530(b) | CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed. | |
| 12 | PHI Uses & Disclosures Policy | 164.502 to 164.514 | CEs and BAs must establish methods and procedures to assure that all PHI uses and disclosures are in accord with the HIPAA regulations. | |
| 13 | Patient Rights Policy | 164.520 to 164.528 | CEs (and BAs, as required by their BA agreements) must implement P&Ps to assure the lawful provision of the patient rights called for in the HIPAA regulations. | |
| 14 | Complaints Policy | 164.530(d); 164.530(a) | CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received. | |
| 15 | Risk Management Process Policy | 164.302 to 164.318 | Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements. | Required |
| 16 | Risk Analysis | 164.308(a)(1) | Conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. | Required |
| 17 | Risk Management | 164.308(a)(1) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). | Required |
| 18 | Sanction Policy | 164.308(a)(1) | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the entity. | Required |
| 19 | Information System Activity Review | 164.308(a)(1) | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Required |
| 20 | Assigned Security Responsibility | 164.308(a)(2) | Identify the Security Official responsible for the development and implementation of the required P&Ps. | Required |
| 21 | Authorization & Supervision Policy | 164.308(a)(3) | Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. | Addressable |
| 22 | Workforce Clearance Policy | 164.308(a)(3) | Implement procedures to determine that the access of a workforce member to ePHI is appropriate. | Addressable |
| 23 | Termination Policy | 164.308(a)(3) | Implement procedures for terminating access to ePHI when employment or another arrangement ends, or as required by determinations made under (a)(3)(ii)(B). | Addressable |
| 24 | Access Authorization | 164.308(a)(4) | Implement P&Ps for granting access to ePHI, for example through access to a workstation, transaction, program, process, or other mechanism. | Addressable |
| 25 | Access Establishment and Modification | 164.308(a)(4) | Implement P&Ps, based on the Access Authorization policies, to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. | Addressable |
| 26 | Security Reminders | 164.308(a)(5) | Implement periodic reminders of security and information safety best practices. | Addressable |
| 27 | Protection from Malicious Software | 164.308(a)(5) | Implement procedures for guarding against, detecting, and reporting malicious software. | Addressable |
| 28 | Log-in Monitoring | 164.308(a)(5) | Implement procedures for monitoring log-in attempts and reporting discrepancies. | Addressable |
| 29 | Password Management | 164.308(a)(5) | Implement procedures for creating, changing, and safeguarding passwords. | Addressable |
| 30 | Security Incident Policy | 164.308(a)(6); 164.400 to 164.414 | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects; document security incidents and their outcomes. | Required |
| 31 | Data Backup Policy | 164.308(a)(7) | Establish and implement procedures to create and maintain retrievable, exact copies of ePHI. | Required |
| 32 | Disaster Recovery Policy | 164.308(a)(7) | Establish (and implement as needed) procedures to restore any loss of data. | Required |
| 33 | Emergency Mode Operation Policy | 164.308(a)(7) | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode. | Required |
| 34 | Testing and Revision Policy | 164.308(a)(7) | Implement procedures for periodic testing and revision of contingency plans. | Addressable |
| 35 | Applications and Data Criticality Analysis | 164.308(a)(7) | Assess the relative criticality of specific applications and data in support of other contingency plan components. | Addressable |
| 36 | Evaluation Policy | 164.308(a)(8) | Perform periodic technical and nontechnical evaluations to establish how well the security P&Ps meet the requirements of this subpart. | Required |
| 37 | Business Associates Policy | 164.308(b)(1); 164.41; 164.502(e); 164.504(e) | CEs must obtain, and BAs must provide, satisfactory written assurances that all ePHI and PHI will be appropriately safeguarded. | Required |
| 38 | Contingency Operations Policy | 164.310(a)(1-2) | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan. | Addressable |
| 39 | Facility Security Policy | 164.310(a)(1-2) | Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Addressable |
| 40 | Access Control and Validation Policy | 164.310(a)(1-2) | Implement procedures to control and validate a person’s access to facilities based on role or function, including visitor control and control of access to software programs for testing and revision. | Addressable |
| 41 | Maintenance Records | 164.310(a)(1-2) | Implement P&Ps to document repairs and modifications to the physical components of a facility related to security (hardware, walls, doors, locks, etc.). | Addressable |
| 42 | Workstation Use | 164.310(b-c) | Implement P&Ps that specify the proper functions, procedures, and physical surroundings of workstations that access ePHI. | Required |
| 43 | Workstation Security | 164.310(b-c) | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. | Required |
| 44 | Media Disposal & Disposition | 164.310(d)(1-2) | Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. | Required |
| 45 | Media Re-use | 164.310(d)(1-2) | Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. | Required |
| 46 | Hardware & Media Accountability | 164.310(d)(1-2) | Maintain a record of the movements of hardware and electronic media, and of any person responsible for them. | Addressable |
| 47 | Data Backup and Storage | 164.310(d)(1-2); 164.308(a)(7) | The Data Backup Plan defines what data is essential for continuity after damage to or destruction of data, hardware, or software. The Risk Analysis determines what to back up. | Addressable |
| 48 | Unique User Identification | 164.306; 164.312(a)(1-2) | Assign a unique name and/or number for identifying and tracking user identity. | Required |
| 49 | Emergency Access Policy | 164.104; 164.306; 164.312(a)(1) | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. | Required |
| 50 | Automatic Logoff | 164.306; 164.312(a)(1-2) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | Addressable |
| 51 | Encryption and Decryption | 164.312(a)(1-2) | Implement a mechanism to encrypt and decrypt ePHI. | Addressable |
| 52 | Audit Controls | 164.312(b) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. | Required |
| 53 | Integrity Controls Policy | 164.312(c)(1-2) | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. | Addressable |
| 54 | Person or Entity Authentication | 164.312(d) | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. | Required |
| 55 | Transmission Security Policy | 164.312(e)(1) | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of, and guard against unauthorized access to ePHI in transit. | Addressable |
| 56 | Mobile Device Policy | 164.302 to 164.314 | Governs the use within the entity of mobile devices that can access, use, transmit, or store ePHI. | Optional |
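Rows 19 (Information System Activity Review) and 28 (Log-in Monitoring) require a procedure, not just a document. The following is an added example of what such a review procedure looks like when automated; it is not code from this page or from the attorney's practice. The audit log lines, the workforce clearance list, the failed-login threshold and window, and the business-hours range are all constructed or hypothetical values chosen for illustration.

```python
"""Added example: an automated information-system activity review.

Reads audit log lines and reports three classes of discrepancy that a
HIPAA log-in monitoring / activity review procedure would look for:
  (a) bursts of failed log-ins for one user (log-in monitoring, row 28),
  (b) successful ePHI record access by a user not on the workforce
      clearance list (rows 19 and 22),
  (c) ePHI record access outside business hours (row 19).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log, not captured from any real system.
# Field layout: ISO timestamp | user | event | resource | outcome
SAMPLE_LOG = """\
2024-03-04T08:02:11 | jdoe    | LOGIN       | -            | SUCCESS
2024-03-04T08:05:40 | jdoe    | VIEW_RECORD | patient/1042 | SUCCESS
2024-03-04T08:06:02 | jdoe    | VIEW_RECORD | patient/1043 | SUCCESS
2024-03-04T08:30:00 | mallory | LOGIN       | -            | FAILURE
2024-03-04T08:30:07 | mallory | LOGIN       | -            | FAILURE
2024-03-04T08:30:15 | mallory | LOGIN       | -            | FAILURE
2024-03-04T08:30:22 | mallory | LOGIN       | -            | FAILURE
2024-03-04T08:30:30 | mallory | LOGIN       | -            | FAILURE
2024-03-04T08:31:01 | mallory | LOGIN       | -            | SUCCESS
2024-03-04T08:32:10 | mallory | VIEW_RECORD | patient/1042 | SUCCESS
2024-03-04T23:15:44 | bsmith  | VIEW_RECORD | patient/2001 | SUCCESS
2024-03-04T09:10:00 | asoto   | VIEW_RECORD | patient/1042 | SUCCESS
"""

# Hypothetical workforce clearance list: users authorized to view ePHI.
AUTHORIZED_EPHI_USERS = {"jdoe", "bsmith"}
# Hypothetical thresholds for the log-in monitoring procedure.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00, local time of the log


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str
    resource: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Parse pipe-delimited log lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource, outcome = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(ts), user, event, resource, outcome))
    return sorted(events, key=lambda e: e.ts)


def review_activity(events: list[Event]) -> list[dict]:
    """Return findings in timestamp order; each finding is a plain dict."""
    findings = []
    # (a) Sliding window of failed log-ins per user; report once per user.
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    reported_users: set[str] = set()
    for e in events:
        if e.event == "LOGIN" and e.outcome == "FAILURE":
            window = recent_failures[e.user]
            window.append(e.ts)
            # Drop failures older than the window relative to this event.
            while window and e.ts - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD and e.user not in reported_users:
                reported_users.add(e.user)
                findings.append({"type": "failed_login_burst", "user": e.user,
                                 "count": len(window), "at": e.ts.isoformat()})
        elif e.event == "VIEW_RECORD" and e.outcome == "SUCCESS":
            # (b) Access by a user who has not been cleared for ePHI.
            if e.user not in AUTHORIZED_EPHI_USERS:
                findings.append({"type": "unauthorized_ephi_access", "user": e.user,
                                 "resource": e.resource, "at": e.ts.isoformat()})
            # (c) Access outside business hours, even by a cleared user.
            if not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
                findings.append({"type": "after_hours_ephi_access", "user": e.user,
                                 "resource": e.resource, "at": e.ts.isoformat()})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings by type, for the periodic review report."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this reports the five failed log-ins for `mallory` as a burst, then `mallory`'s and `asoto`'s record views as uncleared access, and `bsmith`'s 23:15 view as after-hours access. The findings list and the summary counts are what the Security Official would retain as evidence that the review actually ran; under row 4 that evidence falls within the six-year retention requirement.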
Classify Data:
- Email, financial, employee files – every year
- Public Data, on website – every three years
- Sensitive Client Data, ePHI, PCI – protected data. Review every six months for security weaknesses and potential security incidents, and review all transactions associated with that data.
Business Associate Agreement must meet the criteria of the HITECH Act, review policies, contract language, and develop your own agreement.
Every Six Months Review
- Transaction logs
- Access logs