Don’t be afraid of HIPAA & HITECH!
Don’t be afraid of HIPAA & HITECH? Of course that’s easy to say if you aren’t the person knee-deep in interpreting the rules and regulations and building out the infrastructure of a solution. The recent OrboGraph white paper, “HIPAA/HITECH Compliance, Resiliency and Security”, simplifies the concepts behind following and complying with these rules.
When you first look at HIPAA and HITECH, it’s critical to start from a high-level perspective. With that in mind, HIPAA boils down to two primary rules:
- HIPAA Privacy Rule
- A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
- The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. This rule applies to health plans, clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
- HIPAA Security Rule
- The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
- The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Protected Health Information (PHI) is individually identifiable health information about a patient created or received by healthcare providers and health plans; e-PHI is that same information when it is stored or transmitted electronically.
And from HIPAA, HITECH was born… (or spawned, depending on how you look at it!)
HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009. It is designed to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information.
The three categories of safeguards under HIPAA/HITECH that apply directly to systems are:
- Administrative Safeguards
- Physical Safeguards
- Technical (often called logical) Safeguards
You’ll have to read this condensed paper to find out more, but the one thing that surprised me was that there is no official “HIPAA Certification”. Each company must create its own policies & procedures and demonstrate compliance in order to manage its own liability. Audits must also be completed to ensure the policies & procedures are in place and enforced to meet HIPAA requirements. But don’t think it’s a total walk in the park! The Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules, through voluntary compliance activities and civil money penalties.
So as a vendor, provider or financial institution providing medical lockbox services, it’s important to know that once you understand the high-level requirements and some of the nuances of HIPAA/HITECH, you don’t need to fear compliance! But beware of the vendor or institution that claims to be compliant yet has only limited controls. They are the ones who will ultimately “feel the pain” of enforcement.
OrboGraph white paper available at http://www.orbograph.com/orbograph-hipaa-hitech-compliance-resiliency-and-security.htm.