Anyone who works in the healthcare industry knows that their organization takes steps to protect patient health information under a series of guidelines known as HIPAA.
There are several provisions to HIPAA that require organizations to use Federal guidelines to ensure digital health information is secure. Those provisions include:
- Privacy Rule
- Security Rule
- Enforcement Rule
- Omnibus Rule
These provisions guide organizations on how to maintain proper security measures to keep an individual’s identifiable health data secure. Below we explore each of these provisions a little more:
The Privacy Rule
The Privacy Rule was created to provide national standards for protecting all health information that can identify a person. This includes any medical condition, healthcare payments and any changes in healthcare. Any healthcare provider, healthcare billing center, or health plan is required to follow the Privacy Rule.
The primary goal of this rule was to protect the individual’s data as it moves from one organization to another.
The Security Rule
The Security Rule created the standard for protecting health information that is either transferred or stored electronically. This rule established various safeguards that covered entities must have in place in order to keep that health information secure.
The Enforcement Rule
The Enforcement Rule sets out what happens if a covered entity violates HIPAA. It covers both the compliance side of HIPAA and the investigation procedures that follow a violation.
The Omnibus Rule
The Omnibus Rule strengthens both the Privacy Rule and the Security Rule. Its main purpose was to help implement the guidelines set by the other rules and to deliver fines to covered entities that break either the Privacy Rule or the Security Rule.
An important part of the Omnibus Rule is the Breach Notification Rule.
The Breach Notification Rule
The Breach Notification Rule requires HIPAA covered entities to report breaches of protected health data. A breach is any impermissible use or disclosure of protected health data. When a covered entity discovers a breach of its healthcare data, it must take the following steps to notify the affected individuals, the Secretary (of HHS) and the media:
- The covered entity must notify all individuals that were affected by the data breach by either letter or email.
- If the data breach affected more than 500 individuals, the covered entity must notify the media.
- Finally, the covered entity has to notify the Secretary.
Covered entities are also required to document that all required notifications have been completed following a healthcare data breach. These organizations must also have breach-response policies in place and train employees on preventing and handling data breaches.
The Importance of a Complete and Detailed HIPAA Security Risk Assessment and Vendor Risk Management
With more covered entities storing protected health information electronically, it is important to fully understand the location of all of your organization's healthcare data covered by the HIPAA Security Rule. This needs to be accomplished in your annual HIPAA Security Risk Assessment. If HHS investigates a data breach, it will review your risk assessment process.
If HHS determines that your organization has not adequately identified all locations where your healthcare data resides, your risk of higher fines increases. Additionally, the importance of business associate agreements and the requirements placed on the key vendors who possess your data need to be clearly articulated, and perhaps even audited.
It is important that your organization has a high-quality vendor risk management program in place. By outsourcing certain aspects of your operations or information processing, you have not outsourced your responsibility for protecting that information.
Sound due diligence and clear expectations of your critical service providers need to be established, documented, and validated to demonstrate that you have taken the necessary steps to ensure your data is protected, regardless of whether it resides in your systems or your vendors'.
If you have any questions or would like to discuss this further, feel free to reach out to your local Blue & Co. advisor or Thomas Skoog.