Is Your Healthcare Facility HIPAA-Compliant for 2020?
HIPAA, which stands for the American Health Insurance Portability and Accountability Act of 1996, is a set of rules to be followed by doctors, hospitals and other health care providers. HIPAA helps ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling and privacy. HIPAA is legislated under CFR Title 45, Subtitle A - Health and Human Services (HHS), Subchapter C - Administrative Data Standards and Related Requirements.
Any healthcare provider that electronically stores, processes or transmits medical records, medical claims, remittances, or certifications must comply with HIPAA regulations. HIPAA does not require a practice to purchase a computer-based system as it applies only to electronic medical transactions.
HIPAA requires that all patients be able access their own medical records, correct errors or omissions, and be informed how personal information is shared used. Other provisions involve notification of privacy procedures to the patient. HIPAA provisions that have led in many cases to extensive overhauling with regard to medical records and billing systems.
The Health Insurance Portability and Accountability Act (HIPAA) regulations are divided into several major standards or rules: Privacy Rule, Security Rule, Transactions and Code Sets (TCS) Rule, Unique Identifiers Rule, Breach Notification Rule, Omnibus Final Rule, and the HITECH Act.
HIPAA Privacy Rule
The HIPAA Privacy Rule is located at 45 CFR Part 160 and Part 164. The Privacy Rule establishes national standards to protect individuals medical records and other personal health information. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically.
The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The Privacy Rule sets forth policies to protect 18 identifiers that are considered Personally Identifiable Information (PII). These are data points that can be used to identify, contact, or locate an individual. When one of these identifiers is used in conjunction with a person's healthcare information, or a payment method for used for that healthcare, it becomes Protected Health Information (PHI).
HIPAA PHI data spans electronic and printed PHI data at rest (storage), data in use (processing) and data in transit (send/receive) during the entire data lifecyle. Data lifecyle includes 1) data creation, 2) data maintenance/storage, 3) data retention, and 4) data disposal.
HIPAA Data Lifetime Encryption
HIPAA data during its lifespan should be encrypted. All computer hard drives should be NIST-certified and use AES hardware encryption with two-key access to read/write data on the hard drive. Even if data is breached, it is unusable, thus bypassing the need for a costly breach notification to be sent.
HIPAA Data Disposal/Destruction
Some healthcare entities choose to do their PHI data disposal in-house while others will outsource this to various data destruction companies that also handle other governmental agencies. For printed PHI, this means either paper burning or paper shredding. For electronic PHI (ePHI), this means data cleaning, media degaussing, and media destruction.
High-Security Paper Shredding
To meet HIPAA regulations, all HIPPA-compliant paper shredders must be designated High Security, which means they are NSA and DoD approved to produce "unreconstructible" paper segments.
Hard Disk and Electronic Media Destruction
To meet HIPAA regulations, all hard drives, solid-state drives, and removable media that will be decommissioned must first be purged, degaussed, or "destroyed" as per NSA/DoD certification for sensitive/classified information. Removable media (USB sticks, SD cards, CD/DVDs, magnetic tape, etc) are easy to destroy. There are hard disk "Destroyer" products available on the market that meet HIPPA regulations for data destruction compliance.
HIPAA Security Rule
The HIPAA Security Rule addresses the protection of protected health information (PHI). Similar to the Privacy Rule, the Security Rule also deals with identifiable health information, and defines the defines standards, procedures and methods for protecting data with attention to how PHI is stored, accessed, and transmitted to maximize protection. More specifically, the HIPPA Security standards adresses these aspects of security:
Administrative security - assignment of security responsibility to an individual.
Physical security - required to protect electronic systems, equipment and data.
Technical security - authentication & encryption used to control access to data.
HIPAA Transactions and Code Set Rule (TCS)
Per HIPAA regulations, a Code Set is any set of codes used for encoding data elements, such as medical terms, medical concepts, medical diagnosis codes, and medical procedure codes. Code sets for medical data are required for administrative transactions under HIPAA for diagnoses, procedures, and drugs.
Medical data code sets used in the health care industry under HIPAA include coding systems for health-related problems and their manifestations; causes of injury, disease or impairment; actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and any substances, equipment, supplies, or other items used to perform these actions.
Specifically, the following code sets are used in HIPAA transactions:
ICD-10-CM codes - International Classification of Diseases - Clinical Modification (Diagnoses)
ICD-10-PCS codes - Procedural Classification System (In-patient Procedures)
HCPCS codes - Healthcare Common Procedure Coding System
CPT-4 codes - Current Procedural Terminology
CDT codes - Code on Dental Procedures and Nomenclature
NDC codes - National Drug Codes
Note: ICD-11 goes into effect Jan 1, 2022.
HIPAA Unique Identifiers Rule
As per CFR Title 45, PART 162-ADMINISTRATIVE REQUIREMENTS regulation, there are several unique identifiers required. The use of these identifiers will promote standardization, efficiency and consistency. The unique identifiers under HIPAA regulations are:
Standard Unique Employer Identifier (EIN)
National Provider Identifier (NPI)
Health Plan Identifier (HPID)
Unique Patient Identifier (UPI)
HIPAA Enforcement Rule
The HIPAA Enforcment Rule stems directly from the HITECH Act provisions that distinguishes between violations occurring before, and on or after the compliance date "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.
HITECH describes "improvements" to existing HIPAA law, covered entities, business associates and others will be subject to more rigorous standards when it comes to protected health information (PHI) The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.
HIPAA Breach Notification Rule (BNR)
The HITECH Act introduced new requirements for the disclosure of information breaches and saw the Breach Notification Rule added to HIPAA. The HIPAA Breach Notification Rule requires covered entities and their business associates to report breaches of PHI information to affected individuals, HHS, and in some cases to the media. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule.
Most notifications must be provided no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
HIPAA Final Omnibus Rule
The Omnibus Rule is not really a separate new rule for HIPAA, but rather the finalization of several Interim Final Rules (IFRs) that were already in existence that draw heavily from the HITECH Act. The HIPAA Omnibus Rule went into effect on September 23, 2013.
Compliance with the HIPAA Security Rule is a complex undertaking This checklist takes a practical approach for healthcare facilities to make relevant progress toward understanding the HIPAA Security Rule before implementing a compliance strategy.