HIPAA Policies and Procedures
The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) sets forth, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (What is HIPAA?).
The Privacy Rule addresses the use and disclosure of individuals’ health information called “Protected Health Information (PHI).” These types of organizations are called “covered entities.” The Privacy Rule standards outline for covered entities individuals’ privacy rights to understand and control how their health information is used. HHS and the Office for Civil Rights (OCR) have the responsibility for implementing and enforcing the Privacy Rule with respect to compliance activities and civil money penalties. The Privacy Rule is to assure that an individuals’ health information is properly protected while allowing the individuals’ necessary health information that is needed to provide and promote quality health care, is protected. The Privacy Rule permits important uses of information, while protecting the privacy of people who seek healthcare.
The Privacy Rule applies to health plans, healthcare clearinghouses, and to any health care provider who transmits health information in any form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
HIPAA Security Policies and Procedures for Health Care Providers
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a healthcare provider is a covered entity; the transmission must be in connection with a standard transaction.
The Privacy Rule covers a healthcare provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Healthcare providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care like a Healthcare Clearinghouse.
HIPAA Policies and Procedures for Business Associates and Contracts
Who needs a Business Associate Agreement? A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consultant, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
Protected Health Information
The Privacy Rule protects all 18 fields of “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI). Individually identifiable health information is information including demographic data that relates to such personal information, such as name, address, birth date, Social Security Number, address, past medical history, etc. This type of information must be protected.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
The Security Rule defines confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Under the Security Rule, integrity means that ePHI is not altered or destroyed in an unauthorized manner. Availability means that ePHI is accessible and usable on demand by an authorized person.5
HHS recognizes that covered entities range from the smallest provider to the largest, so the Security Rule is flexible and scalable to allow covered entities to analyze their own needs for compliance policies and procedures, and implement solutions appropriate for their specific environments.
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to ePHI.
Covered entities must review and modify their security policies to continue protecting ePHI in their ever changing environment.7
Risk Analysis and Management
- The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
- A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to ePHI;
- Implement appropriate security measures to address the risks identified in the risk analysis;
- Document the chosen security measures and, where required, the rationale for adopting those measures;
- Maintain continuous, reasonable, and appropriate security protections.
HIPAA Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of security measures put in place, and regularly reevaluate potential risks to ePHI.
- Security Management Process. A covered entity must identify and analyze potential risks to ePHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. The Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with ePHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (ePHI).
- Access Control. A covered entity must implement technical HIPAA policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- Integrity Controls. A covered entity must implement HIPAA policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.
- Business Associate Contracts. All entities a covered entity shares ePHI with shall have a Business Associate Contract that outlines how the Business Associate will handle and protect the data they receive.
HIPAA Policies and Procedures and Documentation Requirements
- A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
- Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (ePHI).
- Preemption. In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply unless the state law is more stringent.
- Compliance Schedule. All covered entities, except “small health plans,” must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply
Ensure You Are Compliant
The policies and procedures above may seem like a lot of tasks and work to complete to be compliant with HHS. Here at Compliancy Group, our compliance coaches help take on these procedures with you so that you do not have to stress about a single thing. What seems like a lot of information above will be simplified for your benefit so that your compliance comes efficiently and quickly, tailored to your need. Contact us now to find out how we can help you get compliant as soon as possible.