HIPAA Compliant Seal
Image by Kestelnon via Flickr

HIPAA Plain and Simple

How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss a possible solution, how to comply with these new HIPAA security and privacy requirements. American Recovery and Reinvestment Act of 2009 (ARRA) was signed into a law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes in Health Insurance Portability & Accountability Act (HIPAA).

2/17/210 applies to business associate – Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BA) through business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. CE should revise their business associate contracts to reflect the changes before the deadline.

Civil Action & Penalties – State Attorney General can prosecute neglect and individual can receive monetary compensation. HIPAA now have teeth with monetary, civil and criminal prosecution.

Breach Notification – Notification to individual, HHS and media – Notification become more formal if the affected residents are more than 500. Use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is activated when there is an incident of “unsecured protected health information”.

Accounting for disclosure – CE is accountable for its BA disclosure of Protected Health Information (PHI)

Sale of Protected health Information – CE and BA cannot receive payment in exchange of PHI without an individual authorization. CE and BA are required to tell patients about disclosure of PHI for payment, treatment and administrative operation.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires CE to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However HIPAA did not provide specific guidance as to what measure and controls will be appropriate.

ISO 27001 provides the basis to build an Information Security management System (ISMS), where organization can develop its own ISMS by applying controls from ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document which is required to build ISMS is the Statement of Applicability (SoA) which explains why each of the 133 controls from ISO27002 is included in SoA and justification of the remaining controls which are not included. You can build ISMS suitable to your HIPAA needs, a healthcare organization could use its ISMS to ensure that HIPAA security standards required controls were selected from ISO 27002 and appropriately implemented. You need to certify ISMS (ISO 27001) to provide an ongoing assurance to HHS and healthcare business associates which can provide an edge in this downturn economy and more opportunities to enhance business worldwide.

Resources:
CMS audit checklist
NIST guide for implementing HIPAA

Reblog this post [with Zemanta]