Understanding HIPAA/HITECH Privacy and Security Rules

HIPAA and HITECH affect every document and piece of information a “covered entity” processes. But the rules are complex and rigid, creating multiple opportunities for mistakes. Here we try to unravel the security rules to help you make sense of it all.

What organizations need to comply with the HIPAA/HITECH laws?

  1. Covered Entities
    • Healthcare Providers include hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
    • Health Plans include health insurance companies, Health Maintenance Organizations (HMOs), company health plans, Medicare and Medicaid. Employers and schools that handle Protected Health Information (PHI) for employees and students with health plans are also included.
    • Clearinghouses process nonstandard health information to conform to data content or format standards on behalf of other organizations.
  2. Covered Entity Business Associates

A Business Associate is a vendor or subcontractor who has access to PHI. As of September 23, 2013, the Omnibus Rule made business associates directly liable for compliance with certain HIPAA requirements. Business associates include data processing firms, software companies, medical equipment service companies, document storage and shredding companies, external auditors/accountants, lawyers, translators, answering services, and more.

What is the difference between HIPAA and HITECH?

  1. The Health Insurance Portability and Accountability Act (HIPAA) privacy laws gave patients and health plan members the right to obtain copies of their PHI.
  2. The Health Information Technology for Economic and Clinical Health Act (HITECH) increased those rights to include the option of being provided with copies of health and medical records in electronic form if they are readily producible in that format. HITECH also prohibits the sale of PHI and receiving compensation for making treatment recommendations.

What is the Difference Between Privacy Rules and Security Rules?

  1. The HIPAA Privacy Rule is a set of legal standards that protects patients’ medical records and other PHI and addresses how PHI can be used and disclosed.
  2. The HIPAA Security Rules deal with the protection of Electronic PHI (ePHI) that is created, received, used, or maintained. Even though they are distinct and have a unique purpose, they are intended to work together.

How does a Covered Entity comply with the Security Rule?

  1. Implement administrative safeguards by
    • designating an executive to oversee compliance,
    • identifying who has access to patient data,
    • training staff about the privacy policy,
    • requiring outside parties to sign HIPAA compliance contracts,
    • backing up data and having an emergency plan in place,
    • performing annual data security assessments, and
    • creating a document retention and destruction plan.
  2. Implement physical safeguards to prevent physical theft by
    • limiting access to computers,
    • keeping computers secured and behind counters away from the general public,
    • restricting access to secure areas,
    • requiring visitors to sign in,
    • having a secure process when upgrading or disposing of hardware and software,
    • training staff in safe practices for securing their portable electronic devices, and
    • restricting access to sensitive documents.
  3. Implement technical safeguards to protect your networks and devices from data breaches by
    • encrypting sensitive files,
    • protecting your network with firewalls and prevention systems,
    • training staff to identify and avoid phishing scams,
    • backing up data in case of accidental deletion or changes,
    • requiring passwords for transfers to third parties, and
    • requiring strong passwords and periodic password changes.

To keep your organization compliant with the HIPAA/HITECH privacy and security rules, make sure that all your covered entity business associates are compliant as well. This includes shredding all documents that have reached the end of their retention period.

CI Information Management provides NAID AAA Certified shredding and destruction services to businesses throughout most of Southeastern and Central Washington state and Northeastern Oregon. For more information, please give us a call at 509-586-6090 or complete the form on this page.