HIPAA - The Health Insurance Portability and Accountability Act of 1996
HIPAA Privacy and Security

There are no defined technical standards as part of the HIPAA electronic information protection requirements. Therefore healthcare organizations are required to individually assess how they protect patients' personal health information. Basically, the criteria required to meet HIPAA requirements can be broken into two broad categories: Privacy and Security. Healthcare organizations must take appropriate measures to ensure both electronic and physical privacy and security.

The HIPAA 'privacy' mandate defines who is authorized to access individually identifiable Protected Health Information (PHI). PHI includes a patient's name, address, social security number, description of care or payment information, whether held in paper or electronic form (a paper file, fax, email, voice mail or computer record) or discussed verbally. HIPAA requires the ability to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity, confidentiality and availability of information. Mandatory patient notices, authorizations and rights are also defined. The requirements are technology neutral: each organization determines the technology it uses to achieve the required outcome.

The focus of the HIPAA 'security' mandate is to safeguard protected health information in areas such as administrative procedures, physical safeguards and electronic safeguards. This requires defining boundaries that establish who and what is covered under the mandate. In general, this includes any individually identifiable health information maintained or transmitted electronically, including overall demographics and other second-level information. Also important is the ability to control access and to protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.

Please note: HIPAA security practice recommendations can be found in the Federal Register, Vol. 63, No. 155 (available as an Adobe PDF file). "Recommendation 1: All organizations that handle patient identifiable health care information—regardless of size—should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information." (Federal Register Vol. 63, No. 155, p. 43241) "Recommendation 2: Physical Safeguards To Guard Data Integrity, Confidentiality, and Availability" (Federal Register Vol. 63, No. 155, p. 43241). The final Health Insurance Portability and Accountability Act (HIPAA) security standards became law on February 20, 2003; see 45 CFR Parts 160, 162 and 164 (available as an Adobe PDF file).

What are Some Other Aspects of HIPAA's Requirements?

By April 14, 2003, HIPAA compliance requires that you:

1) Designate someone to be the Information Privacy Officer, with responsibility for security.

2) Implement security and privacy policies, procedures, and forms.

3) Set up training, both initial and ongoing.

4) Document all assessments, implementations, and training.

HIPAA imposes new standards for information security regarding the privacy and protection of all protected health information (PHI) that can be linked to individuals. Among the HIPAA requirements, one must ensure that electronic health care information is secure and confidential, create policies and procedures to establish and maintain security and privacy, comply with state requirements, and train each employee on HIPAA-mandated policies and procedures (and re-train whenever policies, procedures or regulations change).

The U.S. Department of Health and Human Services (http://www.hhs.gov/ocr/hipaa/) provides the final HIPAA regulations, which affect virtually every organization in the United States, from the single physician's office upward. The entities affected include all health care providers, health plans, employers, public health authorities, hospitals, insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and even universities. A large part of this act is focused on the secure storage and secure transmission of confidential patient data over computer networks. Privacy regulations were released in December 2000, were made final on April 14, 2001, and will go into effect April 14, 2003. Non-compliance will carry stiff civil and criminal penalties.

Significant Elements of Privacy Regulations

Designating a Privacy Officer - The final regulation retains the requirements for a privacy official and a contact person. A separate privacy official and contact person is required for each defined covered entity under the regulation. The privacy official is responsible for the development and implementation of the entity's privacy policies and procedures. Regulatory authority: 45 C.F.R. §164.530(a)(1) Standard: personnel designations. "(i) A covered entity must designate a Privacy Officer who is responsible for the development and implementation of the policies and procedures of the entity. (ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520. (2) Implementation specification: personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section."

Notice of Privacy Practices and Authorizations - The final regulation retains the general right of individuals to receive, and the obligation of covered entities to produce, a notice of privacy practices. Several documents required under the federal regulations must be implemented, including: authorization forms; consent and disclosure forms; complaint procedures; business associate agreements and checklists; trading partner agreements; and notice of privacy practices distribution. Health care clearinghouses, group health plans, and self-insured group health plans must maintain a notice that meets the requirements of the regulation, and individuals who receive health benefits under a group health plan are entitled to privacy notices.

Administrative Procedures - There are several process requirements under the federal regulations that must be implemented. These include: physical security safeguards and evaluation; electronic security implementation and evaluation (for data in storage) and security mechanisms (for data in transmission); access controls and tracking; implementation of administrative policies and procedures; sanctions; documentation; complaint handling; and staff orientation, training and monitoring.

Training Requirements - The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by HIPAA, as necessary and appropriate for members of the workforce to carry out their functions within the covered entity. Covered entities are responsible for documenting that training has been provided. Initial training is required by the date the rule becomes applicable, April 14, 2003. Training of new members of the workforce within a reasonable time after they join the entity is required. Re-training is required following material changes to the entity's privacy policies and procedures.

How can Northington Consulting help you with HIPAA?

Since there are no defined technical standards as part of the HIPAA electronic information protection and security requirements, healthcare organizations are required to individually assess their security and privacy requirements and, based on that assessment, take suitable measures to implement electronic protection. There can be a great deal of confusion about policies and about what action needs to be taken to ensure HIPAA compliance. While most healthcare organizations are aware of general HIPAA issues, there is no single answer to the issues of electronic data security, both for data in transit and for data in storage. Northington Consulting can introduce your healthcare organization to HIPAA compliance solution providers to address:

•  Electronic and physical security solution providers

•  Physical security and disaster recovery

•  Protection of external electronic communications

•  Access control evaluation and auditing

•  Training - for discounts on online web-based e-learning solutions call us at: 210.860.9910


Copyright © 2004 Northington Consulting. All Rights Reserved.