HIPAA compliance can almost be this easy.
No, that's not another acronym you've got to learn. It's a dismissive slur.
Really. THE TECH ASPECTS OF THIS ARE NOT INSURMOUNTABLE.
These regulations ARE a lot of fairly reasonable guidelines that should ultimately put your practice, your clinic, or your hospital in much better shape. (Okay, yes, there's an abundance of governmental, "legalese" language in there too...)
Okay, so calling it a cake walk is possibly an overstatement. Cake walks are no-brainers: you keep getting back in line, and eventually you're going to get a cake.
With HIPAA & HITECH, you've not only got to get in line, you've got to do a little heavy lifting, a lot of homework, and a decent amount of paperwork.
So let's get to it. HERE'S WHAT WE'RE GOING TO COVER IN THE FOLLOWING ARTICLES:
1. What you've got to do.
2. How to do it.
Simple.
STEP 1. What's your primary I.T. goal as it relates to HIPAA?
ANSWER: PREVENT BREACHES OF Protected Health Information (PHI).
Okay, first off, how do you define the word "Breach"?
HITECH ACT, SEC. 13400. DEFINITIONS.
Read the whole act here or jump straight to the definition of breach here
In this subtitle, except as specified otherwise:
(1) BREACH.— (A) IN GENERAL.—The term "breach" means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
Second, how thoroughly should you work to prevent breaches?
According to the HHS Office for Civil Rights (OCR):
Read the whole companion document here
SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
and
Read the source here
HIPAA, § 164.306 (b) – Flexibility of approach
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
And oh, what is PHI again?
Basically, it's almost any kind of information about patients that could be used to figure out who your patient is.
Specifically, there are 18 pieces of data (identifiers) that make it up. We'll write about that in great detail later, but here's the best explanation I've seen yet: http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include/
So, a gross summary of this 1st BIG POINT is that YOUR JOB, as a healthcare provider or a vendor to healthcare providers, is to keep the wrong people from finding out anything about your patients. SEEMS FAIR.
Now, for the zillion dollar question:
STEP 2. What steps should we take to prevent breaches of PHI (and pass an audit...)?
THE SINGLE BIGGEST POINT WE CAN MAKE HERE IS THIS.....
DO A RISK ASSESSMENT.
Sounds simple, right? Most for-profit businesses do the same stuff. It's certainly basic stuff that Turn Key Solutions, LLC has taught our clients to do since 1999.
If you're ready to read on, though, here's a simple to-do list of things you can do to get a HUGE chunk of your HIPAA / HITECH issues out of the way & put to bed:
USE THE § 164.308 IMPLEMENTATION SPECS AS A TO-DO LIST:
- Do a risk analysis
  - Internal audit / self-assessment
- Risk management
  - DO SOMETHING. Address the self-assessment results.
- Sanction policy
  - Let your employees know this is serious & get their help.
- Regular information system activity review
  - Audit, review, and improve.
- Procedures for vendor, H.R. & I.T. interaction
  - ...including a termination policy with I.T. steps (remove access the day someone leaves)
- Security awareness and training
  - Guard against malicious software
  - Log-in monitoring
  - Password management
- Create good contingency plans, including backups, disaster recovery & emergency operations
- Use Business Associate Agreements
So, how do you do each step?
Stay tuned!
I'll walk you through each piece of this, and a lot more, in pretty deep detail.
Need a jump start? Call me! (225) 751-4444. I'll be glad to answer your questions.
Need to back up? Here's our primer on HIPAA / HITECH
PS: Good resources:
HIPAA SECURITY SERIES, Part 2 - Security Standards: Administrative Safeguards
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf