HIPAA & HITECH
“The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.” Department of Health and Human Services (www.HHS.gov)
Information technology is radically transforming the healthcare industry. Electronic health records (EHR) now enable greater access to patient records and facilitate sharing of information among providers, payers and patients themselves. But with broader access, more centralized data storage, and confidential information sent over networks, there is an increased risk of privacy breach through data leakage, theft, loss, or cyber-attack.
The Federal government, specifically the Department of Health and Human Services (HHS), its Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), addressed these new security challenges in the HITECH Act, the HIPAA Omnibus Rule, and the EHR Meaningful Use Incentive Program. The Omnibus Rule extends the existing HIPAA regulations and strengthens their enforcement provisions, including increased potential civil and criminal penalties. The EHR Meaningful Use Incentive Program also requires specific security measures – eligible hospitals and other providers must conduct a HIPAA Security Risk Analysis before they can attest to completing each stage of meaningful use.
In summary, two things are clear. First, the healthcare industry’s migration to EHR will enable providers to deliver better care more efficiently. Second, IT security will become a critical success factor in every health organization’s future. Everyone stands to gain in this prodigious shift and no one can afford to lose.
EHR Meaningful Use Incentive Program – Protect Electronic Health Information measure (eligible professionals)
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process for EPs.
HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(1))
(a) A covered entity must, in accordance with §164.306:
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(8))
(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
Call us to schedule an IT Security Risk Assessment for HIPAA to find out whether your facility complies with HIPAA’s rules and regulations. We care about HIPAA. Do you?