HIPAA: Who is Affected

Here at Assured Tech Services we know health professionals in the United States are well aware of the need to stay compliant with HIPAA. The news regularly delivers reports of huge fines levied by OCR for failure to protect information properly. Not everyone, though, is fully aware of the scope of its requirements.

Mistakes, even innocent ones, can lead to serious consequences. A New Jersey psychologist was accused of violating patients' privacy because he sent unredacted bills to a collection agency. What would be a normal business practice for an automobile repair shop or a utility company may be strictly forbidden under HIPAA.

Want a personalized walk through of all HIPAA requirements for your office? Contact us at
248-243-7160 or email support@assuredtechservices.com or read on.

The requirements commonly known as HIPAA actually span two major pieces of federal legislation: The Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH updates HIPAA to take the many technological changes over those years into account. We'll follow the usual practice here and refer to their combined requirements as HIPAA.

Who needs to comply

HIPAA defines two classes of entities that need to comply with its requirements.

Covered entities are under direct jurisdiction. They include three categories: healthcare providers, health plans, and healthcare clearinghouses. The first two are more or less obvious. A clearinghouse is an organization that doesn't provide care but regularly processes and reformats health information for other organizations. The common feature of all of them is that they routinely handle protected health information (PHI).

Not everyone involved in healthcare is a covered entity. Unpaid volunteers providing assistance, for example, generally aren't. CMS provides a tool in the form of a set of questions to help organizations determine whether they are covered entities. If there's any serious doubt, the organization should get legal advice.

Business associates are businesses that handle PHI in the course of doing work for covered entities. The organizations that use them are responsible for making them comply with all requirements when they handle the information.

A business associate may use PHI only for the purposes required by its task. It isn't allowed to use it for any independent purpose, and it's responsible for safeguarding the information. If it experiences a data breach, it has to notify the provider it works for. To stay compliant, a covered entity needs a contractual guarantee that the associate will follow those requirements.

Security and privacy

Covered entities and their associates need to comply with the security rule and the privacy rule. They cover related but distinct aspects of protecting information.

The privacy rule specifies how information can be used. It forbids unauthorized disclosure of patient information, except as allowed or required by law. It also guarantees patients access to their health records. Violations include sending information to unauthorized parties, as well as negligence in keeping it confidential.

Some violations of privacy aren't obvious to the average person, such as using a collection agency without protecting patient information. Others are blatant, such as letting a reality show camera crew into a hospital without the patients' consent. That really happened.

The security rule specifies how information has to be protected. It requires "reasonable and appropriate" security measures but doesn't mandate specific ones. Certain measures are normal parts of compliance. For example, a provider isn't required as such to encrypt patient records, but it had better encrypt them or be prepared to explain why it doesn't have to.

Security includes ensuring three main aspects of electronic protected health information (ePHI):

  • Confidentiality. Safeguards on data systems need to keep information from getting into unauthorized hands.

  • Integrity. The protections need to minimize the risk that information will be improperly altered or deleted.

  • Availability. The information has to be kept available for authorized use at all times, or as close to that as reasonably possible.

Security failures can lead to privacy failures, and privacy is one of the chief motives behind the security rule. A breach of confidentiality is especially harmful. Damaged data can be repaired, and systems which are down can be brought up again, but it's effectively impossible to recall information which people with malicious motives have acquired.

A data breach, as defined under HIPAA, is a use or disclosure of information that violates the privacy rule. In most cases, it's the result of insufficient compliance with the security rule. The OCR treats breaches very seriously, especially if they affect large numbers of people.

Security isn't just a matter of technology. Human error is behind most security failures, and constant alertness is necessary to prevent mistakes. Employees with thoroughly ingrained security habits are unlikely to fall for tricks or be careless with data. All employees should get security training.

The challenge of security

Medical professionals are experts in medicine, not data management. Keeping computer systems secure is a specialty in its own right. Every network on the Internet, large or small, regularly comes under attack. The attempts range from trying to log in by guessing the password to sophisticated exploitation of software bugs. Staying ahead of those attacks is a constant effort.

Even most people in IT aren't fully up to the task. Understanding how operating systems, applications, and routers work is one thing. Knowing how to frustrate the many tricks used to break into computer systems is another. It requires specialized knowledge, as well as the ability to outguess the opponent. It's a full-time job by itself.

The special requirements imposed by HIPAA make it even more important to get it right. The breach notification rule requires prompt reporting of the discovery of any data breach to HHS and all affected individuals. If the breach was due to non-compliance, serious penalties could follow.

Assured Tech Services provides free, no commitment HIPAA audits. Periodic HIPAA security audits are part of the process of staying safe. Systems change over time, and risks can creep in without being noticed. If software isn't regularly updated, it may be vulnerable to malware attacks. Inactive accounts need to be purged, and system configurations need verification.

All organizations subject to HIPAA need professional-level security management. A well-crafted compliance plan will minimize the chance of breaches, and it will demonstrate a good-faith effort if questions arise. The risks associated with not being ready are just too high. Contact us today for more information at 248-243-7160 or email support@assuredtechservices.com.