What does that mean?
Definitions for frequently used terms & acronyms.
Business Associate (BA)
The businesses that provide services to Covered Entities that need them to have some level of access to PHI (create, receive, maintain or transmit). They may have access because they do the insurance billing or because they do the shredding of paper reports with PHI. There are many companies that offer these kinds of services such as transcription, claim processing, statement printing, shredding, legal, accounting and more. Under the HITECH changes BAs are now separately and directly liable for compliance with the Security Rule and the appropriate portions of the Privacy Rule.
Business Associate Agreement (BAA)
The legal contract required under the Privacy Rule between all CEs and BAs as well as between two BAs if a BA uses a subcontractor. The HITECH Final Rule defines BAs are considered BAs based on the work they do, not on actually having an agreement in place. An agreement must be in place but the lack of one does not remove compliance requirements.
An impermissible use or disclosure of PHI as defined in the Privacy Rule. If PHI is seen, used or accessed in a manner outside the Privacy guidelines it is considered a Breach.
Breach Notification Rule
Defines specific action that must be taken by CEs in the event of a breach. Notification must be made to the patients and HHS and, in cases involving over 500 patients, to the media. Notification information and timelines are specifically defined in the rule. Effective since September 23, 2009. Beginning with the Final Rule, all breaches are assumed to require notification to the patient unless an assessment is completed that documents there has been no specific harm to the patient due to the breach.
Non-compliance fines under HIPAA were limited to $25,000 per year per violation. HITECH fines are now limited to $1.5 Million per calendar year per violation with minimum required fines as much as $50,000 per violation.
Centers for Medicare and Medicaid Services is the division of HHS that manages all Medicare and Medicaid activities plus the Children’s Health Insurance Program.
Covered Entity (CE)
The healthcare industry entities that are required to follow the HIPAA and HITECH regulations. It includes doctors, hospitals, nursing homes, insurance companies, imaging centers and more.
Since June 2005, CEs as well as BAs and their directors, employees or officers may also be criminally liable. Criminal cases are prosecuted by the U.S. Department of Justice. A federal criminal case can be brought if it is determined that PHI is obtained or disclosed, even if you simply just know it happened. One year imprisonment and fines up to $50,000 can be levied in simple cases. If it is done under false pretenses penalties rise to $100,000 and 5 years. The penalties are $250,000 and up to 10 years in cases involving intent to sell, transfer, or use for commercial advantage, personal gain or malicious harm.
Electronic Health Records – Patient medical charts in electronic formats. The clinical information your healthcare providers keep on file originally on paper is now done with computer systems called EHRs.
The original HIPAA rules had very little enforcement included. HITECH added a whole new Enforcement Rule with serious civil and criminal penalties for non-compliance. It also requires OCR to do random audits of CEs and BAs. OCR began its Phase 2 HIPAA Audit Program in 2016 which were primarily desk audits and sought to review the policies and procedures used by CEs and BAs to meet selected standards and implementation specifications on the Privacy, Security, and Breach Notification Rules.
Final guidance and interpretations of the legal requirements of the HITECH Act that are required to be enacted. Released January 25, 2013. Effective March 26, 2013 with a grace period that ended September 23, 2013.
U.S. Department of Health & Human Services is the principal agency for protecting the health of Americans and providing essential human services to our citizens. There are many divisions and offices within HHS including Centers for Disease Control and Prevention, National Institutes of Health and the Food and Drug Administration.
Health Insurance Portability and Accountability Act of 1996 which included several sections. The primary discussions on Small Provider HIPAA relate to the Privacy Rule and Security Rule.
Health Information Technology for Economic and Clinical Health enacted as part of the American Recovery and Reinvestment Act of 2009. This act made changes to the original HIPAA provisions in the Privacy Rule plus added Enforcement requirements and a Breach Notification Rule that were never in place before 2009. The act includes many more provisions but our discussions here address only these areas.
Guidelines and interpretations of the legal requirements of the HITECH Act effective November 30, 2009. CEs and BAs were to use these guidelines while the specifics were finalized.
Refers to the rule that states when someone working on behalf of a covered entity (CE) or business associate (BA) is using or disclosing protected health information (PHI), they must make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the task.
Notice of Privacy Practices (NPP)
A document required by HIPAA that provides the person served with information about their rights under the Privacy Rule and how a CE generally uses their Protected Health Information.
Office for Civil Rights is the entity within HHS that is responsible for enforcing HIPAA among other activities including offering guidance on the rules and performing audits and investigations.
Protected Health Information – all the medical records, insurance records and billing records relating to a patient’s care. Also referred to as ePHI when speaking specifically about the electronic versions of this information. This is the information all these rules are attempting to make sure only those necessary are allowed to access it.
The portion of HIPAA that defines who, what, where and when can use or access PHI that is collected and maintained by healthcare organizations. This section includes the required HIPAA form most people recognize from signing them when they visit their healthcare providers. Effective since April 14, 2003.
Risk Analysis Content
A complete and thorough Risk Analysis requires a good bit of thought and documentation. The exercise is designed to make sure you think through:
- Every place you should be worried about protecting PHI
- Every way your protection scheme could be compromised
- Methods you currently use to protect PHI
- What things you should add or change to protect PHI
- How you will implement what you need to add or change
- How you will manage your protections and monitor that they are being followed
With that in mind, your process and documentation should include the following elements:
- The scope of the analysis must take into account all ePHI, regardless of the source or location or the way it is created, received, maintained or transmitted. No matter where or how it exists it must be included in the analysis and documented as such.
- The locations PHI data is stored, received, maintained or transmitted must be identified and documented.
- Identify and document reasonably anticipated threats to PHI and vulnerabilities if triggered or exploited by any threat would create a risk of inappropriate access to or disclosure of PHI.
- Assess and document security measures currently in place to safeguard PHI, defining whether security rule measures required by HIPAA are already in place; plus confirm they are configured, monitored and used properly.
- Document all threat and vulnerability combinations with associated likelihood that may impact confidentiality, availability and integrity of ePHI.
- Document all potential impacts associated with the exploit of the defined vulnerabilities.
- Assign risk levels or ratings for all threat and vulnerability combinations.
- Document a list of corrective actions to be performed to mitigate each risk level.
Risk Analysis Terms
- Threats – Define circumstances or events with the potential to cause problems for your business. Include human, natural and environmental threats. Think of everything from power failures and floods or fire to burglary or employee sabotage or accidents to hard drive failures on your computers. What if the country is attacked again or terrorists (foreign or domestic) attack your area; that is a potential threat in the world today. What if you come in to work and your server is off and won’t turn on or start up at all?
- Vulnerability – Define the weaknesses in your facilities, policies or information systems that could be exploited if a threat actually occurs. Group them into technical and non-technical categories. Non-technical could be things like ineffective or non-existent policies, procedures or guidelines. Technical might include holes in the information systems security or improperly implemented systems.
- Impact – Define how bad it would be if those things (mentioned above) did happen. Would it be a pain but just a bump in the road, or would it be devastating harm to your business. Would it damage your reputation or your equipment or your ability to treat patients?
- Likelihood – Now you define how likely this is to occur and cause the impact or harm you have assessed previously.
- Risk – The combination of information determined above. A very high risk item (vulnerability) would be one the is almost certain to occur (likelihood) and cause serious harm (impact) to your business. You can assign numeric values (or ranges) to define risk ratings or letter rating or simply very low to very high ratings.
- Controls – Safeguards that could be administrative, physical or technical that are put in place to control risk.
Risk Mitigation and Management
The information and documentation of your Risk Mitigation and Management plan should include the following:
- Use the Risk levels from the risk assessment report to prioritize actions that should be performed. Rank the actions from high to low priority.
- Create a list of possible controls that could be implemented to address risks identified, documenting the feasibility and effectiveness of the options.
- Review the options and document the costs of implementing these controls vs the impact of implementing or not implementing them.
- Document the decisions made based on the risk, feasibility, effectiveness and costs of the control options.
- Develop and document an implementation plan including:
- Risks and Associated Levels
- Controls to be implemented
- People responsible for the implementation
- Start Date
- Target Completion Date
- Maintenance and Monitoring Requirements of the control
Start working the plan and documenting everything that is done along the way and you have your on-going compliance in place. Remember, the documentation should be regular to show you are actually paying attention to the safeguards and making sure they are working.
The portion of HIPAA that defines the safeguards that should be in place to provide protection of PHI. The rules cover the physical buildings and offices, the networks and computer systems plus the training and rules for staff members. Effective since April 20, 2005.
A category assigned when there are compliance problems identified within an organization by HHS/OCR. Willful Neglect means a company clearly ignores their obligation to comply to HIPAA. There are two levels considered in the designation. One is that problems were corrected in a reasonable amount of time when mistakes are discovered and the other is when no changes are made. Neither designation is desirable since they define the minimum fines required by law per violation are $10,000 and $50,000, respectively.