
FAQ: What is the impact of HIPAA on IT operations?

24 Feb 2009 | SearchCompliance.com


Table of contents

  What is the Health Insurance Portability and Accountability Act (HIPAA)?
  What is generally required by HIPAA?
  Who is affected by HIPAA?
  What is the role of IT in HIPAA compliance?
  What are the penalties for noncompliance?
  Answers to frequently asked HIPAA questions

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. There are two sections in HIPAA:

The first, Title I, provides protections for the health insurance coverage of people who lose or change jobs. HIPAA made changes to three areas in the continuation coverage rules applicable to group health plans under the Consolidated Omnibus Budget Reconciliation Act of 1985 -- or COBRA -- each of which is described more extensively by the US Department of Labor at DOL.gov.

Title II is where organizations feel the impact of HIPAA on IT operations. It includes a section that deals with the standardization of healthcare-related information systems for electronic data interchange. These mandatory regulations all required extensive changes to the way that health providers conduct business.

Compliance with HIPAA is administered by the U.S. Department of Health and Human Services (HHS), which publishes requirements and sets deadlines for organizations to comply. HHS provides up-to-date information about HIPAA at HHS.gov.

What is generally required by HIPAA?

Compliance with HIPAA requires organizations to implement safeguards and security standards when electronically storing and transmitting personal health information. HIPAA mandates standardized formats for all patient health, administrative and financial data. HIPAA also requires a unique identifier (essentially an ID number) for each healthcare entity, including individuals, employers, health plans and healthcare providers.

As the legislation was drafted, two additional rules were added to protect the privacy and safety of individuals' personal health information (PHI). These are called the Privacy Rule and the Security Rule. The Privacy Rule is the first comprehensive federal protection for the privacy of PHI, according to the National Institutes of Health (NIH). More information on the Privacy Rule can be found at PrivacyRuleandResearch.NIH.gov. The Centers for Disease Control and Prevention also offers guidance on the Privacy Rule and public health.

The Security Rule describes best practices organizations must adopt to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The Security Rule contains three types of standards: administrative, physical and technical. These standards are wide-ranging and require the involvement of a broad mix of people, processes and technology for full compliance.

HIPAA specifically requires that public companies, and any organization that handles personal health information, monitor or retain audit trails. To meet this requirement, enterprises use event log management software (ELMS) to monitor change management and to prepare for compliance audits. ELMS is a key tool for IT administrators who must demonstrate to executives that an organization is prepared for a compliance audit.

Although wireless devices are not detailed in HIPAA's Security Rule, they must be treated as part of the entire system for electronically storing and transmitting data.

Many IT departments find value in a third-party assessment of HIPAA compliance. The URAC (formerly the Utilization Review Accreditation Commission), the largest accrediting body for healthcare, will certify that a healthcare organization's operations are in compliance with HIPAA standards. The URAC provides an IT department with documentation and evidence of due diligence that support an organization's overall risk management efforts. As Robert N. Mitchell wrote for AdvanceWeb.com, the URAC has reported progress on HIPAA programs.

KEY BRIEFINGS:

No good way to measure HIPAA compliance
It's been years since HIPAA took effect. But for many IT pros in the healthcare sector, measuring actual compliance is still tricky.

What's the best strategy to catch up on HIPAA compliance quickly?
Learn how to build a good compliance program for HIPAA in order to protect patient information and avoid fines and penalties.

HIPAA privacy records and guidelines: Building secure systems
Learn how to achieve compliance with HIPAA certification and how to avoid and fix risks with password security, privacy regulations, records and guidelines.

Reading between the HIPAA guidelines
HIPAA legislation explains what needs to be done to achieve compliance, but it fails to spell out how. Learn how to stay HIPAA compliant when sending work overseas.

Maintaining HIPAA compliance
It's been several years since covered entities were first required to comply with HIPAA. Learn how you can ensure your customers' ongoing compliance in this Ask the Expert Q&A.

Who is affected by HIPAA compliance?

The Security Rule applies to healthcare organizations that create, receive, maintain or transmit ePHI, including:

  • Healthcare providers: Providers of medical or other health services or suppliers who transmit any electronic health information.
  • Health plans: Individual or group plans, including employer-sponsored health plans, Medicare and Medicaid programs.
  • Healthcare clearinghouses: Public or private entities that process healthcare transactions from a standard format to a nonstandard format or vice versa.
  • Medicare prescription drug card sponsors: Any entity that offers an endorsed discount drug program under the Medicare Modernization Act.

As a result of the financial and legal penalties that noncompliance imposes, corporate executives have pushed financial and IT departments toward compliance validation. In the years since HIPAA's introduction, healthcare organizations have developed a clearer picture of which practices will best protect both their organizations and patient information.

KEY BRIEFINGS:

Lake Forest Hospital's Rx for HIPAA compliance
Learn how merging networks helped one medical facility with HIPAA compliance requirements.

March to HIPAA: Bitter pill or best prescription?
SearchSecurity.com interviewed IT, security and compliance professionals across the United States over a two-month period to learn more about their progress.

HIPAA Compliance Guide
Value-added resellers and security consultants can help healthcare practitioners comply with HIPAA by educating small and medium-sized businesses (SMBs) during product sales and by implementing risk analysis.

HIPAA causes data security problems for small businesses
If your local dentist isn't complying with HIPAA's security rules, he's not alone. Experts say most doctors' offices aren't getting it.

One way to avoid HIPAA headaches
Research showed many SMBs avoided HIPAA compliance "like the plague" in the years immediately after the act's passage. One community health care provider says he found a cure.

What is the role of IT in HIPAA compliance?

Compliance is now a deeply embedded aspect of corporate IT culture. Why? HIPAA requires that the privacy of health records be protected, wherever they reside or whenever they are moved. That means the impact of HIPAA can be felt by nearly every aspect of IT operations, including messaging, storage, virtualization and even networking, so long as electronic PHI (ePHI) records are stored within or transferred over them. In turn, IT must be able to produce evidence of the security of these systems for compliance audits.

Healthcare organizations must be able to demonstrate that they have standardized mechanisms for the security and confidentiality of all healthcare-related data. From an IT perspective, there are several general guidelines that entities must follow:

  • Ensure the confidentiality, integrity and availability of all ePHI, including the protection of patient privacy by encrypting medical records.
  • Protect against reasonably anticipated threats or hazards to the ePHI the entity creates, receives, maintains or transmits.
  • Deliver visibility, control and detailed auditing of data transfer.
  • Protect against reasonably anticipated uses or disclosures of ePHI, including preventing the loss of confidential medical records via removable devices.
  • Ensure that the organization's workforce complies with HIPAA and minimizes the threat of data being stolen for financial gain.
  • Review security measures as needed to ensure reasonable and appropriate protection of ePHI.

Many enterprise IT shops use Control Objectives for Information and related Technology (COBIT) as a reference framework for this work. COBIT is an open standard that defines requirements for the control and security of sensitive data. According to WhatIs.com's definition for COBIT, the standard "consists of an executive summary, management guidelines, framework, control objectives, implementation tool set and audit guidelines. Extensive support is provided, including a list of critical success factors for measuring security program effectiveness and benchmarks for auditing purposes."

The IT departments of all companies that handle PHI must be aware of the key requirements of HIPAA, including log management, backups and the security of electronic communications. IT departments also approach HIPAA compliance through PHI flow analysis, training, policy and procedure refinement, risk analysis and self-assessment.

The impact of HIPAA can also be felt on Web 2.0 technologies like blogs, wikis and social networking. Such platforms are introducing all-new compliance headaches, as gigabytes of data are generated through messaging and sharing. If it pertains to private health records, enterprise IT professionals must prepare for the inevitable visit by a HIPAA compliance auditor looking for log files and security holes. Increasingly, compliance officers are using event log management software to track key moments where data enters or exits an enterprise, like email systems or the addition or departure of employees with access to sensitive financial data.

KEY BRIEFINGS:

Keeping up with IT Compliance
Learn how to achieve the right balance among file storage, email management and other compliance-related tasks with this e-book.

Perfect HIPAA security impossible, experts say
Two years after HIPAA security rules took effect, IT pros in the healthcare sector found that constant security improvements are necessary for compliance.

Getting started with HIPAA security compliance
Chapter 13 from Healthcare Information Systems provides an overview of HIPAA's Security Rule, including a definition of covered entities -- organizations that are required to comply. Consultants and resellers who are new to HIPAA will find this PDF a helpful primer.

HIPAA security and Lotus Notes Domino
Learn how HIPAA changes will affect Lotus Notes Domino security.

What are the penalties for noncompliance?

The consequences for noncompliance with HIPAA regulations can be substantial. The severity of the penalty varies with the infraction; both civil and criminal charges may be levied by the Office for Civil Rights (OCR). The criminal penalties for violating the HIPAA privacy standards can be found in 42 USC 1320d-6 (HIPAA Sec. 1177).

It states that:

Shall be punished as provided below:

When it comes to IT operations, compliance with HIPAA has historically been accomplished as part of more generalized security preparations. Healthcare entities generally received attention only when an individual or organization made a complaint. As Kate Norton wrote for SearchSecurity.com in 2007:

In 2009, however, HIPAA privacy regulations have teeth. As Randy Nash points out in a recent tip for SearchSecurity.com, the HHS has levied the first penalties against a healthcare agency.

KEY BRIEFINGS

Rebecca Herold, a frequent contributor to TechTarget sites on compliance-related issues and resident editor at Realtime-ITCompliance.com, has already blogged about two organizations that have been sanctioned this year. In one case, CVS must pay $2.25 million and improve its information security practices.

Answers to frequently asked HIPAA questions

All answers are provided by security management expert Mike Rothman.

Is a lack of employee privacy a HIPAA violation?
Insufficient employee privacy for those who handle Medicare and Medicaid claims can result in a HIPAA violation. Learn how to keep this data safe and keep your organization HIPAA compliant.

As the nursing QI, do I have the right to patient information under HIPAA?
Under HIPAA's guidelines, it can be hard to tell who should have access to what information. So who makes the call?

Is it against HIPAA regulations to permanently store sensitive information?
Rothman examines the issue and brings up other issues to keep in mind.

Is it a violation of HIPAA to collect consumer Social Security numbers?
Rothman tackles the question, and unveils how to handle employees who disregard corporate policies.

Will an off-site employee exit procedure violate HIPAA regulations?
Rothman discusses whether it is a HIPAA violation to discuss clients or handle business matters in a public environment.

Is it against HIPAA regulations to display client names?
Rothman discusses the terms of HIPAA -- specifically, whether it is a violation of the act to publicly display client names.
