Who needs to be concerned with HIPAA? Obviously, health care providers, health care clearinghouses and health care plans are at the top of the list. However, many other types of organizations are not yet aware that they are considered an entity covered by HIPAA. The organizations below fall under HIPAA’s definition of a “covered entity” and are thus required to comply with the law:
• Indemnity insurers
• Health maintenance organizations
• Any organization that transmits health care claims
• Any organization that transmits health care payment and remittance advice
• Any organization involved with the coordination of health benefits
• Any organization that determines health care claim status
• Any organization that administers enrollment and disenrollment in a health plan
• Any organization that determines and administers eligibility for a health plan
• Any organization that administers health plan premium payments
• Any organization that administers referral certification and authorization
• Any organization that administers first report of injury or health claims attachments
• Billing agents that handle the above activities on behalf of other covered entities
Reaching HIPAA compliance represents a huge challenge to many companies. Although the absence of technological specifics regarding how organizations must go about securing their records may make HIPAA compliance easier in some ways, in other ways it makes it more difficult for covered entities to understand whether they are in compliance.
One measure to be taken, which is universally understood, is that covered entities must carefully establish security policies and procedures (including business continuity and disaster recovery plans) and document why they chose certain tactics and technologies to secure their systems.
Any organization that does not display due diligence in starting this process will be in noncompliance. As a word of warning, experts predict the government will finger a number of non-complying organizations to be “the poster children for HIPAA compliance.” Failure to comply can result in civil penalties and/or criminal penalties up to $250,000 and up to 10 years in prison.
HIPAA is not only a technology/information security issue; it’s a policy, procedure, and culture change. Change brings opportunity, and HIPAA represents an opportunity for all professionals involved with medical records, not just medical records managers at hospitals, to increase their value to the organization by playing a key role in ensuring HIPAA compliance. A good place to start, experts recommend, is to conduct an overall organizational risk assessment to identify gaps in your current confidentiality and security practices.
The privacy requirement is where much of the media attention has focused, due in part to the overall increase in the public’s awareness of privacy over the past few years. The privacy rules dictate that patient-identifiable information, called “protected health information” (PHI), must be secured. This mostly involves obtaining explicit patient consent to use PHI for the purposes of providing health care and seeking payment for it, and requiring patient authorization for any other use of PHI, such as research or marketing.
The main goal of the privacy rule is to put an end to the laxity with which paper-based medical documents are treated – haphazardly passed from person to person, copied, left out in the open, and sometimes lost.
In order to reach compliance with the HIPAA security rule, covered entities must take specific steps to protect the integrity of health information and prevent unauthorized breaches of privacy. A breach can occur when data is lost or destroyed by accident, intentionally stolen, or sent to the wrong party by accident. Security measures are described as physical (controlled access to records, including storage facilities), administrative (policies), or technological (encryption of electronic data and use of digital signatures to authenticate users logging into a computer system).
The security requirement is where disaster recovery professionals are most likely to be called on to lend their expertise to the compliance effort, as HIPAA contains strong requirements regarding disaster recovery and business continuity planning. It is therefore essential that all healthcare agencies launch their disaster recovery and business continuity planning program in a professional and straightforward manner. Section § 142.308(a)(3) of the Security Standard requires that covered entities (the aforementioned health plans, health care providers, and health care clearinghouses) draft a business continuity/contingency plan, defined in the proposed regulation as “a routinely updated plan for responding to a system emergency, that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.”
One element of the overall contingency plan is a disaster recovery plan, which must contain a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. The plan must allow a covered entity to re-create, in the throes of a disaster such as a fire, the entire infrastructure necessary to guarantee information availability.
It’s not all about HIPAA compliance, however; it’s also good business sense. During the course of developing a good disaster recovery and business continuity plan, you are likely to come up with information and data needed for high-level business strategy decisions, such as determining and prioritizing all of your organization’s critical business applications.
To state it as simply as possible, the first step in disaster recovery and business continuity planning is records protection. The safeguarding of vital and irreplaceable non-electronic documents is absolutely crucial for HIPAA compliance.
Some potential approaches for protection of vital records include an onsite fire-rated vault, safe or file cabinet; offsite storage at another location of the organization; and storage at a vendor that specializes in offsite vital records storage. Most companies employ various combinations of the above approaches. However, you will always have vital records onsite at some point, and no one is able to accurately predict the precise time a business interruption will occur.
Remember, you are attempting to show potential HIPAA inspectors a “best effort” to protect your most vital information assets. As such, it is highly advisable to seek products that are tested by Underwriters Laboratories (UL) or other nationally known independent testing labs.
Van Carlisle became president and CEO of Fire King in 1975. Having studied criminal justice at the University of Louisville and serving six years in the Air National Guard Security Police Force, Carlisle brings a unique level of security expertise to the company.