Why Is This?
Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule, and the scope of these regulations is staggering. Not only does ePHI have to be safeguarded, but any ePHI transmitted outside of an organization's network, including what's stored in the cloud, must be handled in a compliant way.
With the proliferation and widespread adoption of cloud computing, HIPAA covered entities and their business associates are questioning whether and how they can take advantage of cloud computing while complying with the regulations protecting the privacy and security of ePHI. The Department of Health and Human Services has responded with requirements addressing this question.
However, because cloud computing is evolving all the time, HHS doesn't endorse any specific technologies, so a lot is left to interpretation.
The same rules apply as if you were sharing ePHI in paper format. Plus, it's up to you to conduct due diligence on your business associates, including your Cloud Services Provider (CSP). You must have a Business Associate Agreement with them and with any other organization that stores or processes your ePHI, and it's their responsibility to notify you if a breach occurs. This presents a nightmare scenario for many healthcare practices and organizations.
This Can Be A Nightmare Of Unprecedented Proportions For Small Healthcare Practices
One of the concerning issues with HIPAA compliance today is that the Security Rule was published three years before cloud-based web services were launched, and four years before the first Apple iPhone was released.
So, to thoroughly identify issues relating to electronic records and HIPAA compliance you must conduct an accurate assessment of today’s more complex potential risks and vulnerabilities.
This is a huge task for healthcare organizations with many pitfalls along the way.
We Start By Conducting A HIPAA Risk Analysis For You And Your Business Associates
HIPAA requires that both you and your business associates conduct an IT risk assessment. This ensures that all of you are compliant with HIPAA's technical standards, and it reveals the areas where your organization's ePHI could be at risk.
The risk management process must include:
To ensure compliance with HIPAA regulations, you and your business associates (including your IT provider) must:
Once risks have been detected and documented, we'll assess your organization's (and your business associates') current IT security policies and practices. We'll determine which risks must be addressed right away and which measures can be implemented in the future.
The HIPAA Security Rule mandates that all covered entities and their business associates implement recurring HIPAA security awareness and training programs for their employees. This ensures that ePHI is protected through administrative safeguards.
The following 4 components must be addressed:
Don’t worry. The HIPAA Experts at TOTLCOM can do this for you.
A HIPAA BAA is a contract between you and your business associates. It’s mandatory and must be signed by all of your business associates verifying that they agree to protect ePHI and comply with all HIPAA Security Rules.
Now that your CSPs are involved (and you likely change them from time to time), this can be a tiresome task. Let the HIPAA Experts at TOTLCOM do this for you as well.
Encryption isn't strictly required under the HIPAA Security Rule; it is an addressable specification. However, if a risk assessment determines that encryption is an appropriate safeguard, then encryption or an acceptable alternative safeguard must be implemented, and the decision must be documented.
3 Benefits of Encryption Include:
To ensure compliance with the HIPAA Omnibus Final Rule and the HIPAA Security Rule, you must implement a Security Incident Response Plan (SIRP). A SIRP outlines the steps to take in the event of an incident or security breach. You are required to maintain documentation for your risk assessment in order to prove that no breaches have occurred.
The director of the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) reports that organizations with a SIRP in place experience less severe or no monetary penalties in the event of a security breach. However, refusal to act or to correct issues related to a breach results in increased monetary penalties.
It’s important to keep your SIRP updated and ensure that all employees recognize and report potential data breaches immediately.
Your SIRP Should:
Report any and all information regarding the incident, including what happened, who was involved, when it happened and when it was discovered. Document all aspects of the incident, especially who was affected.
Take necessary steps to stop the incident, such as disabling access to a lost smartphone or preventing further access to ePHI.
Perform a risk assessment to determine whether ePHI has been disclosed, and if so, what was disclosed and who must be notified.
Breaches that affect over 500 individuals require a significantly increased number of notifications, with notifications sent to individual patients, HHS, and possibly the local media.
Increase your security to reduce the risk of further incidents. The purpose of the SIRP is to ensure that the incident isn't repeated in the future.
The process to comply with HIPAA and HITECH is long and complex. And with new technologies being adopted all the time, it will get more complex. There’s no doubt that you need a HIPAA & HITECH Expert in Northern California. TOTLCOM, Inc. is that expert.
For more information, or to schedule a HIPAA Risk Assessment for you or your business associates, contact us at (800) 300-5500 or complete our contact form on the Web.