The Health Insurance Portability and Accountability Act of 1996 was created to protect the privacy of patient information as well as patients' access to their own information. It also opened the door to continuity of care between providers by outlining the requirements under which health information may be shared. More information at https://www.hhs.gov/hipaa/for-professionals/index.html
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. More information can be found at https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
ePHI, or electronic Protected Health Information, is information about an individual's medical conditions or history that can be tied directly back to that person. If you are a covered entity (medical provider, health plan, etc.), then you most likely store or transmit ePHI.
If you are a covered entity in any way or manage ePHI or PHI in any way, then yes, you need to be HIPAA compliant.
Contact us for help: 844-ZEKTECK or [email protected]
Protected Health Information, or PHI, is information pertaining to an individual's current or historic health. Protection of the health information is required when the health information can be linked to an individual.
A BAA, or Business Associate Agreement, is a document that is required between a covered entity and a business associate. A business associate is a vendor or partner that may also handle or participate in the exchange of health information. The business associate can be a fax company, a medical device provider, or an IT person. The BAA provides a level of protection for the covered entity. If the business associate experiences a breach, the BAA ensures that all liability for the breach and any HIPAA violations falls on the business associate and not the covered entity. Without a BAA, the covered entity may also face HIPAA fines when a business associate experiences a violation.
HIPAA violations are often hard to recognize and frequently aren't apparent until it is too late. It is best to be as proactive as possible in protecting PHI. Performing regular risk assessments is a great way to ensure you remain HIPAA compliant, which is the best way to avoid HIPAA fines.
Zekteck automates the Security Risk Assessment and will help you avoid violations. Contact us at 844-ZEKTECK or [email protected]
You can do so here:
The SRA, or Security Risk Assessment, is a process through which the risk of a HIPAA violation or data breach is measured. A good SRA process or tool will give you identified risks and suggestions to correct and mitigate those risks. HHS provides a free tool here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
The HHS SRA tool is a very lengthy and manual process. Zekteck has automated this tool and made the process incredibly easy and quick for you. Contact us at 844-ZEKTECK or [email protected] for more info.
- Administrative Safeguards – Administrative actions and policies and procedures (1) to manage the selection, development, implementation, and maintenance of security measures, and (2) to protect ePHI and to manage the conduct of the Covered Components’ workforce in relation to the protection of ePHI.
- Authorization (HIPAA Authorization) – a specific type of permission given by the individual to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations.
- Business Associate – Generally an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a covered entity that require the disclosure of PHI (such as legal, actuarial, accounting, accreditation).
- Contingency Plan (CP) – Sets out a course of action that is maintained for emergency response, backup operations, and post-disaster recovery. The purpose of the plan is to ensure availability of critical resources and facilitate the continuity of operations in an emergency. The plan includes procedures for performing backups, preparing critical facilities that can be used to facilitate continuity of critical operations in the event of an emergency, and recovering from a disaster.
- Covered Entity – An entity that is subject to HIPAA.
- DHHS – US Department of Health and Human Services
- Disaster Recovery Plan (DRP) – The part of a Contingency Plan that documents the process to restore any loss of data and to recover computer systems if a disaster occurs (i.e., fire, vandalism, natural disaster, or System failure). The document defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process to attain the stated disaster recovery goals.
- Disclosure – The release, transfer, provision of access to, or divulging in any other manner of protected health information outside of the entity holding the information.
- Electronic Health Record – An electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.
- Electronic Protected Health Information (ePHI) – PHI in electronic form.
- Group Health Plan – An employee welfare benefit plan (as defined in the Employee Retirement Income Security Act of 1974 (ERISA), 29 USC 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that has 50 or more participants; or is administered by an entity other than the employer that established and maintains the plan.
- Health Care Operations – any of the following activities of a covered entity that relate to its covered functions (i.e., acting as a health care provider and an employer group health plan): conducting quality assessment and improvement activities; reviewing the competence or qualifications of health care professionals; underwriting (except as prohibited when involving genetic information), premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities of the entity.
- Health Plan – an individual or group plan as defined in HIPAA that provides, or pays the cost of, medical care.
- HIPAA – Health Insurance Portability and Accountability Act of 1996
- Individually Identifiable Health Information – A subset of “health information,” including demographic information, (1) that is created or received by a health care provider, health plan, employer, or health care clearinghouse; (2) that relates to the physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual; and (3) that identifies the individual, or might reasonably be used to identify the individual.
- IT Security Incident (‘Incident’) – Any activity that harms or represents a serious threat to the whole or part of computer, telephone and network-based resources such that there is an absence of service or inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data; unauthorized exposure, change or deletion of PHI; or a crime or natural disaster that destroys access to or control of these resources.
- Limited Data Set – Protected health information that excludes all of the 16 HIPAA specified direct identifiers of the individual or of relatives, employers, or household members of the individual, but retains geographic subdivisions larger than the postal address and elements of dates. Limited data sets may only be used for research, public health or for health care operations; and only with a data use agreement that limits the use of the data by the recipient.
- Minimum Necessary – refers to reasonable efforts made to limit use, disclosure, or requests for PHI to the minimum necessary to accomplish the intended purpose.
- OCR – Office for Civil Rights, the branch of the DHHS that is responsible for federal oversight of the privacy regulations.
- Physical Safeguards – Measures, policies, and procedures to physically protect the Covered Components’ systems and related buildings and equipment that contain ePHI from natural and environmental hazards and unauthorized intrusion.
- PHI – Protected Health Information
- Privacy Rule – The regulations at 45 CFR 160 and 164, which detail the requirements for complying with the standards for privacy under the administrative simplification provisions of HIPAA.
- Protected Health Information (PHI) – Any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium, that is created or received by a covered entity.
- Psychotherapy Notes – Notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
- Risk Analysis – A documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and an estimation of the security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. Risk analysis involves determining what requires protection, what it should be protected from, and how to protect it.
- Technical Safeguards – The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.
- TPO – Treatment, Payment, Health Care Operations
- Transaction – the transmission of information between two parties to carry out financial or administrative activities related to health care.
- Treatment – the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
- Use – the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that holds such information.
HIPAA Knowledge Check
What Happens When Something Is Missed?
When a HIPAA compliance regulation or requirement is missed, then a covered entity is at risk for fines from HHS. The chart below describes the criteria by which fines are estimated.
How do they know I broke the HIPAA Compliance rules?
HHS performs audits at random. Providers often think, “I’m too small to attract their attention.” However, HHS has been able to reduce the number of random audits because the number of patient complaints has dramatically increased, costing small practices millions of dollars each year.
What can I do to prevent this from happening to me?
The most missed requirements of HIPAA compliance tend to be the required process and policy documentation and training. It is difficult to manage all of the aspects, rules, regulations, processes and policies without help. Zekteck’s Compliance and Security Portal is a central place for practices to manage everything needed to be compliant and secure. It can be set up in as little as 2 hours and does not require any data migration or system integrations.
*This page does not meet the requirements to be considered compliant HIPAA training.