HIPAA Security Regulatory Compliance Assessments
Because compliance with the HIPAA Security Rule was not required until two years after the original (and most visible) HIPAA requirements, the compliance efforts of most physicians and hospitals never addressed the Security Rule's provisions. Four questions to ask:
- Do you have up-to-date compliance documentation for the HIPAA Security Rule?
- Do you have a complete and detailed understanding of the IT controls and compliance status of every third party that has access to your patients' electronic protected health information (ePHI)?
- Have you established policies and technologies for encrypting your data at rest, as well as in transit?
- Have you had an independent third-party review of your IT security or HIPAA Security Rule compliance within the last three years?
What has changed, and why is action needed now?
- Increased enforcement. On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law as part of the stimulus package (the American Recovery and Reinvestment Act). The Act is complex and contains numerous provisions, some of which are designed to encourage physicians and hospitals to upgrade their computer systems and implement electronic medical records systems. Other important provisions of the Act require health care providers to store and exchange information electronically, and consolidate enforcement of the HIPAA Privacy and Security Rules under the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Most relevant to this discussion, funding was provided to strengthen enforcement of HIPAA Privacy and Security Rule compliance.
- Protection available for "reasonable efforts". On August 19, 2009, HHS issued new rules on breach notification. These regulations were implemented in part because of the potential overlap with the Federal Trade Commission's requirements, which apply to vendors of personal health records that are not otherwise covered by HIPAA. One provision clarifies the protection given to covered entities that have taken reasonable efforts to secure data:
“Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.”
- Enforcement rules cast a wider net. On August 25, 2009, the FTC issued enforcement warnings stating that the new rules were effective September 24, 2009, but that it would "refrain from enforcement action for breaches discovered before February 22, 2010." The new rules apply to entities that in the past have not necessarily been regulated for their use, storage, or retention of electronic health information, such as non-profits, educational institutions, charities, and third-party vendors, including those that provide billing services and data backup and storage services. All health care entities should therefore review and update their compliance documentation for the HIPAA Security Rule, especially the parts covering data storage and transmission, and systems security and recovery.
Unless the answer to all four questions above is "Yes", you may be at risk of non-compliance with HIPAA and/or FTC regulations, and your risk of losing ePHI may be higher than you realize.
Click here to download a list of engagement offerings.