In general, HIPAA and HITECH are extensive laws enacted by Congress to allow for changes to the practice of health care. First, they were intended to make insurance coverage portable so patients could move between insurance companies. Second, they were intended to simplify healthcare administration; they did this with the creation of the CMS1500 form, the development of the NPI database, and much more. Third, they helped to ensure the privacy and security of protected health information (PHI), so that it retains its integrity, confidentiality and availability.
We will focus on the Privacy and Security facets of the law, as they are likely the most pertinent to your daily operational activities. We will teach you steps to take to secure your HIPAA-protected data, and the potential consequences if HIPAA and HITECH rules are not adhered to systematically. Complying with HIPAA and securing your data under the HIPAA privacy rules is essential in the digital era of modern medicine.
HIPAA and HITECH help to ensure the protection of PHI. PHI includes all health or medical information collected in your clinic that is personally identifiable. Covered Entities, under the privacy rule, must put in place and document reasonable measures to protect and secure the PHI that they collect. Since health care is so diverse and is carried out by businesses of all sizes, what defines a reasonable measure for one entity may not be reasonable for another. The law allows for some flexibility in defining "reasonable measures". In general it does not define a set of specific measures that must be implemented; instead it provides a framework that allows entities to develop their own security and privacy protections in light of the specific risks that they face.
So, with all of this variability in the application of the law, you may ask, "How can I ensure that I am compliant with HIPAA?" Let's discuss a general strategy that will help you ensure the privacy and security of the PHI you collect, as well as protect you from formal enforcement proceedings by the Office for Civil Rights (OCR). OCR has been empowered under the acts to enforce the privacy rules and is the bureau to which a breach of the security or privacy of your PHI must be reported.
The five major standards that your HIPAA policies and procedures should cover include:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Safeguards
- Policies and Procedures
Administrative safeguards cover the people part of your privacy policies. Questions that need to be answered here include: Can my staff be trusted with the information? Do I have the ability to give them specific authorization to access certain data? Are they able to access only the data that is necessary for their tasks and duties? How can I ensure that they will not be able to access data after their termination?
Administrative safeguards will include policies and procedures for workforce authorization, supervision, clearance, and termination.
Physical safeguards cover the physical risks to your PHI and raise questions like: Is the data physically secured (locks on doors, locks on computers)? Is the PHI at risk of loss from fire, flood, or theft? What happens to my data when the power goes out?
Physical safeguard policies and procedures will include contingency planning, facility security assessment and plans, access control and validation procedures, device and media controls.
Technical safeguards cover the security of the data itself. Are my computers password protected? How easy would it be for those passwords to be broken or discovered? If a computer is stolen, is the data on it accessible?
Technical safeguards could include access controls, audit controls, integrity controls, and person or entity authentication.
Policies and procedures cover having proper processes and staff to manage the security and privacy of your PHI. Organizations should have documented policies and procedures that define training protocols, risk analysis, sanctions, and information system audits.
Organizational safeguards involve covered entities having a Privacy Officer and a Security Officer dedicated to enforcing, auditing and refining the policies and procedures of the business.
In general, to stay in compliance with HIPAA and HITECH you will need to carry out an exhaustive risk analysis for your practice, and define and document policies and procedures to ensure sufficient safeguards under each of the five categories discussed above. Although this may seem daunting to some of us in modern digital medicine, it is a necessary task in the operation of a successful integrative medicine practice, not just to maintain compliance with the law but also to provide the best service to our patients.
In the coming posts, I will lay out additional information on specific strategies that can be put into play in your policies to ensure the privacy and security of your practice's PHI.
NaturaeSoft's services can help you ensure the privacy and protection of your PHI.