HIPAA
With the rise of contemporary technology, the ways we process and retrieve information have transformed significantly. The medical field has been among the most affected: with the ability to share information quickly, the need to safeguard that information has grown tremendously. The United States addressed the needs of its people by passing the Health Insurance Portability and Accountability Act (HIPAA). This act fundamentally transformed medical record retrieval for doctors, lawyers and the law.
HIPAA protects every American from having their information shared or discovered by unauthorized people, and the deceased are protected under these laws as well. HIPAA is a federal regulation, so every state must adhere to its guidelines for medical record retrieval, with only the option of providing more protection for its residents. HIPAA also governs the transfer and sharing of medical documents, whether they are moved by electronic means or by more traditional ones.
One of the most important areas of medical record retrieval that HIPAA governs is the discovery of these documents by third parties. Sometimes, in order to proceed with a court case or hearing, medical records are needed to establish the truth or to be used as evidence. Electronic retrieval and old-fashioned paper methods are covered by the same rules and guidelines when it comes to discovery, and the fines for breaking these rules are severe and can exceed a million dollars.
Lawyers who need to access medical records for court proceedings must follow special rules and procedures to obtain this information. To obtain HIPAA-protected records, whether electronically or by other means, an attorney or judge must generally complete a HIPAA authorization form. This form ensures that anyone attempting medical record retrieval has the proper information, intention and permission to access the records. The documentation also requires a legal basis, such as a subpoena, to guarantee the safety of the records being retrieved. Although the discovery of medical documentation is affected by HIPAA enforcement, whether that discovery happens electronically or not, it helps keep patients protected from harm and helps maintain privacy.
HIPAA can make life a little more difficult, especially for those in the legal profession, but it has also made life much safer. With the rise of the modern age, privacy is something many people no longer take for granted. With the introduction of HIPAA, however, medical record retrieval has become private and safe again, so that people in the United States can rest comfortably knowing their information is protected. Controlling the discovery of these records only adds to the security that HIPAA offers patients, and knowing how to retrieve this information when you need to is also essential for avoiding fines and ensuring that data stays secure and protected.
The late Farrah Fawcett, a well-known television and film actress, was in the news a few years ago when it was discovered that data about her health had been leaked to the newspapers. A celebrity is always at the center of attention, but compromising her confidential information broke a federal law. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to prevent unauthorized access to confidential data, and every business related to the medical field must comply with it.
Who must comply with HIPAA?
If you are employed by an organization that gathers health data from individuals, you are termed a ‘covered entity’ and are expected to adhere to this law. Covered entities encompass the following:
- Healthcare centers and clinics.
- Insurance players in the health and medical space.
- Private practitioners – includes general and specialized practice doctors and others.
- Psychiatrists and Psychologists
- Medical billing outlets and collection companies.
Whether you employ a few or many people, safeguarding patient data is of paramount importance.
Records secured by HIPAA
Patients going to a healthcare center or clinic must be guaranteed discretion. Confidential records must not be compromised or accessed by people who lack the required authority. Medical data secured by these federal laws includes, but is not restricted to:
- Prescription data.
- Medical history logs.
- Appointment records.
- Phone and voicemail data.
- Insurance documents.
- Billing records.
Complying with HIPAA requirements
Old and obsolete patient records must be destroyed to protect the patient’s privacy. A company adhering to HIPAA rules must be ready to destroy documents in accordance with its policies. All documents have to be shredded thoroughly, as simply dumping papers cannot assure security: anyone with malicious intent could go through the garbage and obtain personal information. Retaining the services of a professional is a sure way to ensure this as well.
Adhering to the HIPAA provisions pertinent to your business will give you the peace of mind needed to operate without hitches.
Making computer networks secure is the core part of the HIPAA plan to transform national patient health data into electronic form, which can then be shared easily by health care providers, insurers and administrators. This lets health care agencies handle record keeping more efficiently and quickly and serve patients better. Because current computer systems are vulnerable to hacking and virus attacks, these vital records are at risk of being stolen or wiped out. To safeguard patient health data, there are network security regulations that must be followed for an establishment to attain HIPAA compliance.
The two important parts of HIPAA that pertain to computer network security are:
- Administrative Safeguards:
To attain HIPAA compliance, the provider must detect, guard against and report any malicious software in the system. Compromised emails are carriers of worms, viruses and Trojans, and there must be a safeguard in place to stop unwanted breaches. To manage the computer network effectively, it is important to keep watch by installing specialized security measures such as those noted below:
  - A gateway and virus-blocking mechanism should be in place.
  - The safeguard system should be able to carry out deep packet inspection and provide relevant web filtering for the network. Signature systems that refresh every half hour should be used, as they are the premier defense against rapidly moving worms.
- Security Measures:
For a computer network to be HIPAA compliant, the organization must design a security system that authorizes only key people or software systems to access confidential health information.
Appropriate encryption mechanisms should be in place to encrypt confidential health information in transit, to stop unauthorized access or interception. Information must be sent using strong encryption and received only by authorized users, who must use the decryption key to read the message.
Ultimately, all parties in the healthcare system, such as health service providers, insurance providers, transcription services, labs, internet service providers, hospitals and billing services, must cement a relationship of trust to ensure the confidentiality of patient information shared between them. This can be achieved through a linkage of computers that follow HIPAA rules and regulations to achieve safe and protected transmission of private health information over a public network.
In today’s modern, busy, high-tech world, most of people’s personal business is conducted online, including accessing private health records. Healthcare providers have no choice but to grant access to this private health information or face losing their customers.
HIPAA, the Health Insurance Portability and Accountability Act, requires health care providers to employ stringent measures to assure patients that their personal health records are protected from unauthorized access over the internet.
HIPAA when enacted required health-providing entities to assure the confidentiality of patient information in the following ways:
- Responsibility for security was to be assigned to a person or organization.
- Assessment of risks to find out any security or privacy threats to medical information.
- Establishment of a program to address physical, personnel and technical security controls.
- Certification of effectiveness of the employed security controls.
- Creating procedures, guidelines and policies to use computing devices, and ensuring that the suitable mechanisms are there to allow or ban access to an individual’s status.
- Implementation of controls on access which include user-based access, encryption, role-based access, context-based access and auditing control mechanisms, authentication of data, and authentication of entity.
Security is the key
HIPAA provides for both civil and criminal action against violations and violators, as data access and security are top priorities for a healthcare firm. To assure HIPAA compliance, the security features that should be included in online documents are:
- Secure web server – The server should be running Secure Sockets Layer (SSL); this is the bare minimum required.
- Encrypted database – All data has to be encrypted. Modern encryption software is available that encrypts all data sent between two computers or any devices on the internet.
- Session timeout – This ensures that private data is not left unattended on screen and is only viewed by authorized personnel.
- Server monitoring – monitoring of the web server is required to detect break-in attempts and hacking attempts.
- Secure access control – Apart from user id and password, for additional security, strong passwords and smart cards should be used.
- Regular security audits – All security precautions need to be checked for their state of readiness and proper working, so regular audits should be carried out.
- Personnel – Qualified personnel familiar with HIPAA requirements should be employed for system maintenance.
HIPAA, the United States Health Insurance Portability and Accountability Act, includes HIPAA I and HIPAA II. HIPAA I deals with health insurance rules for people who have lost or changed their jobs. HIPAA II develops a standard process that health providers must adhere to. HIPAA II is the most important and best known part, as it sets the rules for safeguarding patient health data. This helps protect patients and health insurance organisations from malpractice based on fake identities.
HIPAA implements strict rules and regulations to deal with health insurance malpractice, such as the sale of patients’ sensitive health data to lawyers for money. Recently, action has been taken with the aim of making the sharing of people’s electronic health records.
In November 2009, eight federal agencies sanctioned a notice approval form. This form makes it compulsory for health agencies to reveal to customers the procedure through which their data is obtained and distributed, which helps customers make an informed decision to accept or reject the service.
The new rule empowers the government to initiate legal proceedings against the defaulter for not adhering to HIPAA compliance, taking criminal action and levying hefty fines.
The final rule of the Federal Trade Commission (FTC), issued under the American Recovery and Reinvestment Act, makes it compulsory for health agencies to inform customers of any breach of their patient health records. The media must be informed if the breach involves the health data of 500 or more patients. The rule also specifies the timing, content and procedure for conveying the breach.
The Recovery Act also makes it compulsory for HHS, the Department of Health and Human Services, to conduct a study of the entities that provide health services but are not covered by HIPAA. The intent is to draw up norms for how such parties can provide their healthcare services while safeguarding important patient information.
Ultimately, newer and more stringent rules reflect the efforts of the regulatory bodies to put an end to malpractice that persists despite the security measures in place. The sole intention is to make the electronic sharing of confidential health records safe and resistant to tampering, plugging the losses that the state and the people incur from fraudulent claims.
In the coming years, millions of patients’ data will be compiled into Electronic Health Record (EHR) systems. For this, the federal government has created a level of confidentiality for Protected Health Information (PHI) and is imposing fines for breaches of HIPAA. HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009, allocated about $19 billion to help physicians and health care centers adopt this transition, of which $17 billion would go to healthcare centers and physicians who use such systems.
However, the transfer of personal data from paper documents and direct faxes to an electronic process that relies on unsecured email naturally raises security concerns. Data in transit over non-secure channels can be intercepted with relative ease and used with malicious intent. Patients are understandably worried that best practices may not be observed to safeguard their confidential data.
To keep abreast of these updates in Health Information Technology (HIT), health centers and physicians must find and use secure computers and email programs that comply with both HITECH and HIPAA standards. Just as different treatments exist for different ailments, a wide range of options exists for security and email applications, and it can be confusing for health centers and doctors to sort through them and find the one suited to their needs and budget.
Some organizations have implemented economical systems that can be scaled to suit the requirements of a tiny clinic or a large healthcare center, tailored to meet the demands of their patients. Some applications eliminate the need for on-site IT resources or maintenance, work in most common web browsers, or integrate with Outlook email accounts.
HITECH medical data software is anticipated to be completely implemented by 2014. With this, the US will move a step closer to the world standard for health care data storage, on the same level as other first-world countries that have their data securely stored and conveniently used.
If you are a covered entity under HIPAA, then you must also make sure that your email system has the required safeguards and encryptions to ensure safe transfer of medical data.
HIPAA was introduced in 1996 by Congress with the aim of ensuring national standards for privacy and safeguarding personal health data. On April 14, 2003, the US Department of Health and Human Services passed the Privacy Rule.
HIPAA compliance needs specific attention and effort: failure to adhere carries a high risk of reputational damage, fines ranging from $100 to $250,000 and imprisonment ranging from 1 to 10 years. Different HIPAA management efforts are required for a practice that uses various systems for patient scheduling, electronic medical files and billing. This article shows a practical path to HIPAA compliance and summarizes the main HIPAA terminology, principles and requisites, to help the practitioner achieve compliance through medical billing and software vendors.
The last 10 years of the 19th century saw a rapid increase in digital technology in health care, with lower expenditure and much better service quality, but it also brought new and higher risks of accidental disclosure of private health information.
Protected Health Information (PHI)
The central concept of HIPAA is PHI, which covers anything that can be used to identify a person and any information exchanged with or disclosed to other health care providers in any medium (digital, verbal, recorded, faxed, printed or written).
Information that can be used to identify a person includes:
- Name
- Health plan numbers
- Zip code not less than 3 digits, telephone and fax numbers, email
- License numbers
- Social security numbers
- Dates (excluding year)
- Medical record numbers
- Photographs
Details shared with other healthcare firms or clearinghouses are:
- Data about treatment and billing
- Notes made by nurses and physicians
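The identifier list above maps directly onto a de-identification routine. The following is an added example, not code from the page: it drops the direct identifiers named above, keeps only the year of each date and the first three digits of the ZIP code, and flags identifier-like patterns that leak into free-text fields such as clinical notes. The record layout, field names and sample record are constructed assumptions.

```python
import re

# Record fields that carry the direct identifiers listed above; they are dropped
# entirely. The field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "health_plan_number", "medical_record_number", "license_number",
    "ssn", "phone", "fax", "email", "photo",
}

# Date fields are reduced to the year only; the ZIP code to its first three digits.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
ZIP_FIELD = "zip"

_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

# Patterns that indicate an identifier leaked into free text such as clinical notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def reduce_date_to_year(value: str) -> str:
    """Keep only the year of an ISO-8601 date (YYYY-MM-DD)."""
    match = _ISO_DATE.match(value)
    if match is None:
        raise ValueError(f"unrecognised date format: {value!r}")
    return match.group(1)


def truncate_zip(value: str) -> str:
    """Keep only the first three digits of a US ZIP code (5-digit or ZIP+4)."""
    digits = re.sub(r"\D", "", value)
    if len(digits) not in (5, 9):
        raise ValueError(f"unrecognised ZIP code: {value!r}")
    return digits[:3]


def find_leaked_identifiers(text: str) -> list:
    """Return (kind, match) pairs for SSN, phone or email patterns found in free text."""
    found = []
    for kind, pattern in LEAK_PATTERNS.items():
        found.extend((kind, m) for m in pattern.findall(text))
    return found


def deidentify(record: dict) -> tuple:
    """Return (deidentified_record, warnings).

    Direct identifier fields are removed, dates reduced to the year and the ZIP
    truncated. Free-text fields that still contain identifier-like patterns are
    reported in warnings so they are reviewed rather than silently released.
    """
    cleaned = {}
    warnings = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            cleaned[key] = reduce_date_to_year(value)
        elif key == ZIP_FIELD:
            cleaned[key] = truncate_zip(value)
        else:
            cleaned[key] = value
            if isinstance(value, str):
                for kind, match in find_leaked_identifiers(value):
                    warnings.append(f"{key}: possible {kind} {match!r}")
    return cleaned, warnings


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "medical_record_number": "MRN-000123",
    "ssn": "123-45-6789",
    "phone": "555-010-0199",
    "email": "jane.doe@example.com",
    "date_of_birth": "1980-07-14",
    "admission_date": "2024-03-08",
    "zip": "02139-1234",
    "diagnosis": "community-acquired pneumonia",
    "notes": "Patient asked to be called at 555-010-0199 after discharge.",
}

if __name__ == "__main__":
    cleaned, warnings = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for warning in warnings:
        print("WARNING:", warning)
```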
HIPAA principles
HIPAA aims to allow the smooth flow of PHI for healthcare operations with the patient’s approval, but bans unauthorized use of PHI for any other purpose. Healthcare operations include payment, competence review and training, treatment, care quality assessment, accreditation, auditing, legal procedures and insurance rating.
HIPAA encourages unbiased information practices and sets guidelines for those who have access to PHI to protect it.
Unbiased information practices means that a person should be permitted to:
- access their PHI,
- correct mistakes and omissions in it,
- know who else is using their PHI.
Protecting PHI means that whoever possesses PHI should:
- be accountable for their own use and disclosure of it,
- be subject to legal recourse for violations.
Many health vendors are jumping on the HITECH bandwagon and offering their own products and services, all aimed at protecting against breaches covered under HIPAA. However, there has been enough communication within the industry to show that it does not properly distinguish between the two kinds of breaches: privacy breaches and security breaches.
A privacy breach is said to have been perpetrated when a properly authenticated and authorized user looks into a patient’s record without any particular need to do so. For example, a doctor looking at the record of a patient he is not treating at the moment, just to review the information, is committing a privacy breach.
This privacy breach has to be disclosed under the HITECH regulations. The same doctor, however, cannot be charged with a privacy breach when he pulls up the same record a week later, as he is treating that patient at that time.
A security breach occurs when a system, disks, or unencrypted laptops and computers containing identifiable patient details are successfully hacked into. This also implies a privacy breach, as it is unauthorized access to private data. Strangely enough, though, a privacy breach cannot be termed a security breach.
Many experts conclude that protecting against security breaches also prevents privacy breaches. Preventing security breaches can be accomplished fairly easily through two-factor authentication at the data workstation and locking terminals to prevent improper and unauthorized use of data; other authentication approaches for clinical users should also be included. The latter is an important way to prevent privacy breaches, but it is the more difficult of the two to achieve.
The introduction of the HITECH regulations has extended the bite of the HIPAA framework. Healthcare organizations are now required by law to disclose a privacy breach to the patient who has been affected, and in certain cases to notify the Secretary of Health and Human Services. Given this much-discussed HIPAA and HITECH compliance burden, application and desktop virtualization can be an effective means of protecting against security breaches.
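The privacy-breach definition above (an authenticated, authorized user opening a record of a patient they are not currently treating) is something an audit-log review can detect. The following is an added example, not code from the page: it checks each record access against a treatment roster and flags accesses outside any active treatment window, reproducing the text's case where the same doctor's access is a breach on one day and legitimate a week later. The log format, roster and sample lines are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed treatment roster: (clinician, patient) -> (first day, last day) of
# an active treatment relationship, both inclusive. In practice this would come
# from the scheduling or admission system.
TREATMENT_ROSTER = {
    ("dr_smith", "P-1001"): (date(2024, 3, 8), date(2024, 3, 20)),
    ("dr_jones", "P-2002"): (date(2024, 1, 1), date(2024, 12, 31)),
}

# Constructed audit log; the pipe-separated layout is an assumption.
# Every line is an access by an authenticated, authorized user, so none of
# them is a security breach in the text's sense; the question is only
# whether a treatment relationship justified the access.
SAMPLE_LOG = """\
2024-03-01T09:14:00|dr_smith|P-1001|VIEW
2024-03-09T11:02:00|dr_smith|P-1001|VIEW
2024-03-09T11:05:00|dr_jones|P-2002|VIEW
2024-03-10T08:00:00|dr_jones|P-1001|VIEW
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list:
    """Parse 'timestamp|user|patient|action' lines into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, patient, action = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(timestamp), user, patient, action))
    return events


def has_treatment_relationship(roster: dict, user: str, patient: str, on: date) -> bool:
    """True if the user was treating the patient on the given day."""
    window = roster.get((user, patient))
    if window is None:
        return False
    first_day, last_day = window
    return first_day <= on <= last_day


def find_privacy_breaches(events: list, roster: dict) -> list:
    """Return accesses by authenticated users that fall outside any treatment window.

    Matching the text's example: dr_smith's access on 1 March precedes the
    treatment relationship and is flagged; the access on 9 March, while
    dr_smith is treating P-1001, is not.
    """
    return [
        event for event in events
        if not has_treatment_relationship(roster, event.user, event.patient, event.when.date())
    ]


def breach_report(breaches: list) -> list:
    """Human-readable lines to feed the patient-notification workflow the text describes."""
    return [
        f"{b.when.isoformat()} {b.user} accessed {b.patient} ({b.action}) "
        "with no active treatment relationship"
        for b in breaches
    ]


if __name__ == "__main__":
    for line in breach_report(find_privacy_breaches(parse_log(SAMPLE_LOG), TREATMENT_ROSTER)):
        print(line)
```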
The safety and privacy of your medical records are extremely important, as the records allow doctors to provide correct treatment and avoid misdiagnosis. Records must also be stored securely so that they do not fall into the wrong hands. Most people want to keep their medical history private, and HIPAA has made it mandatory for everyone who handles such records to keep them private.
HIPAA has given individuals a number of rights regarding their medical records. An individual can demand to see his medical records from his doctor or the hospital where he is being treated, without providing any specific reason, and the doctor or hospital must give him a copy within 30 days of the request.
The institution or doctor can, however, charge a small fee for providing the records, and if the patient wants the records posted, he will have to pay the postage and handling charges. Although you will get most of the information in your medical records, in some rare cases your doctor may withhold some information from you. This is done where the doctor feels that disclosing a particular piece of information may hurt you or people around you, or endanger your health in any way.
With the introduction of electronic medical records and strict rules, the chance of error in medical records has decreased considerably, but you can still get any mistakes in your medical records rectified. Similarly, if certain information has been omitted from your medical records, it is the duty of the hospital or doctor who issued the records to correct it and provide the updated version free of cost.
Even if your doctor or hospital doesn’t think that there is a mistake in your medical records, you can still ask them to register your disagreement in your medical records. This will inform your future doctors about the conflict of opinions between you and your doctor.
Our medical history is extremely private to us and it should stay that way. Thankfully, HIPAA has provided many rules which ensure that nobody can abuse our privacy.
Under HIPAA rules, every individual who works in a covered entity and handles patients’ medical records (electronic or on paper) must undergo HIPAA certification training. This training must be provided by a qualified instructor.
This training is provided by independent training centers. Companies hire professionals from these centers to train and educate their employees and senior management about every aspect of HIPAA. Once the training is completed, the training institute provides a HIPAA certification to every employee who has completed it successfully. These certifications are used to prove the employees’ skills during OCR inspections.
HIPAA training can be delivered in many different ways. Employees can choose one-on-one instructor-led training, classroom training, online training, virtual classroom training or on-site training, and different companies choose different methods.
Covered entities like hospitals, health insurance providers and healthcare clearinghouses are required by law to train their employees, and failure to comply may result in a fine. Most covered entities prefer group training over one-on-one training, as the latter is much more time consuming; in big companies, one-on-one training may also cost too much and strain the company’s budget.
On-site training is also preferred over classroom training, as employees get a first-hand idea of how to manage records and other formalities in their own workplace. It also saves employees a lot of time, as they do not need to commute to and from the training center.
But classroom training has its own benefits. It provides more focused training, as students concentrate only on the training and are not interrupted by constant phone calls and emails at their workstations. Classroom training also allows better interaction between students, which improves understanding, and visual and audio aids can be provided to help them.
If you are planning to arrange HIPAA training sessions for yourself or your firm, make sure that the training provider you choose is capable of handling your firm’s needs. Every company has different requirements in terms of circumstances, time period and method of training, and the provider must be able to meet them.
HIPAA training is an important aspect of the HIPAA law and should not be taken lightly.
All the professionals and workers working in the health care industry in America are required to comply with HIPAA standards. This federal law ensures that patients who have a pre-existing condition get the right insurance coverage and are not excluded on these grounds by their health care provider.
This law also prevents malpractice by insurance companies and doctors and provides a savings account for medical purposes. It was a response to the health industry’s demand to shift to electronic transaction standards, to help hospitals and other organizations cut costs and increase the security of patients’ medical records.
Thus HHS, the Department of Health and Human Services, created HIPAA standards to control and regulate administrative and financial transactions in the medical field. It created codes for health plans, hospitals, retail pharmacies, nursing homes and so on, to ensure the security and privacy of identifiable information in individuals’ medical records.
These codes were standardized so that the multiple versions of the electronic HCFA 1500 and UB-92 forms could be replaced. The standards were adopted in April 2007 and apply to all kinds of health plans, clearinghouses, hospitals and so on. They streamline billing and make inquiries for eligibility and referral authorizations much easier.
The required transaction codes are:
- Health plan identifiers
- Country codes
- Employer identification number
- Provider taxonomy codes
Based on these standards, a transaction under the HHS HIPAA rules is performed in the following manner:
- A person is enrolled into a health plan and pays the premium on it.
- His eligibility is verified.
- His referral is authorized electronically or via phone or fax.
- A health care claim is made by the insured person.
- Bills and documents are submitted to prove the claim.
- The claims are checked and verified.
- If there is no dispute, then the claim is remitted to the patient.
All covered entities are required to conduct these transactions electronically, including eligibility confirmation and sending claims through a clearinghouse.
HIPAA standards have made managing and clearing health insurance claims much faster. They have also reduced the chances of human error or delay in delivery, as all the data is now transferred electronically.
HIPAA, the Health Insurance Portability and Accountability Act, was created to give individuals many rights regarding their medical records and private identifiable information.
HHS is the abbreviation for the Department of Health and Human Services, a cabinet department of the US Government. The department was created to protect the health of every American and provide necessary human services to them. The motto of HHS is “Improving the health, safety, and well-being of America”. HHS was earlier called the Department of Health, Education, and Welfare, but was renamed Health and Human Services when its education branch was split off in 1979 and transferred to the United States Department of Education.
The department was proposed in 1923 but could not be implemented at that time. Thirty years later, Reorganization Plan Number 1 enacted the proposal. In 1979, HHS was made the supervisor of the Social Security Administration agencies, and it comprised the Family Support Administration and the Public Health Service.
But in 1995, the Social Security Administration was also split from HHS and became an independent entity.
HHS is headed by the Secretary of Health and Human Services, who is appointed by the President with the advice and consent of the Senate. Criminal activities within the purview of HHS are investigated by its Office of Inspector General, which investigates health care fraud worth millions of dollars every year. Its multi-agency task forces also cover all 50 states plus the District of Columbia, identifying, investigating and prosecuting people who deliberately avoid paying child support; the Child Support Recovery Act makes it obligatory for parents to pay child support.
In 2003, HHS published a final rule that modified some of the rules published in 1998. The final rule focused on three concepts derived from the Administrative Simplification language:
- In order to cover every aspect of security, the standard should be coordinated and comprehensive.
- The standard should be easy enough to be implemented by all covered entities, regardless how big or small they are.
- The standard should be technologically flexible, so that future technologies can be easily adapted to them.
The HIPAA Safety Rule creates a system of Patient Safety Organizations (PSOs) that collect and analyze data received from medical care providers and check it for medical errors. This is done to increase patient safety and the quality of health care in the US. The safety rule defines patient safety work product (PSWP) to ensure fair use of the information.
PSWP is data (1) developed or accumulated by health care providers to send to a PSO that is listed with the Agency for Healthcare Research and Quality, and recorded in the provider’s patient safety evaluation system; (2) created by a PSO to conduct patient safety activities; or (3) that identifies the deliberations of, or the fact of reporting to, a patient safety evaluation system.
PSWP is completely confidential and should be disclosed in only a handful of situations. It should be treated as confidential and protected, no matter who holds it.
If a person thinks that a covered entity under HIPAA or an individual has violated the safety and privacy rules and has disclosed PSWP, he or she can file a HIPAA complaint. The complaint is filed with the OCR, which is responsible for investigating HIPAA complaints and enforcing all provisions of the privacy and safety rules.
The OCR will investigate and provide all possible technical assistance to the complainant, and will try to reach an informal resolution by persuading the violators to comply voluntarily. If the OCR cannot reach an informal resolution, the Secretary can ask the violator to pay a fine of up to $11,000 for every unlawful disclosure.
The following requirements must be met in order to file a HIPAA complaint:
- It should be in writing and can be sent through email, mail or fax.
- The person who is the subject of complaint should be named in the complaint and all the alleged violations of HIPAA done should be described thoroughly.
- The complaints should filed in 6 months or 180 days following the realization of the violation. But in case there is a good reason, OCR can extend this time limit.
Anyone can file an HIPAA complaint as soon as he realizes that his or her privacy has been violated by any covered entity.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted in the United States of America in 1996. The bill was sponsored by Senator Nancy Kassebaum and Senator Edward Kennedy. HIPAA is divided into two titles:
- Title I
- Title II
Title I protects employees and their families who lose their jobs and, with them, their health coverage. Title II directs the establishment of standards for national identifiers for health plans, employers and other providers, and for electronic health care transactions. Its Administrative Simplification provisions also address the privacy of patients' medical data. These standards are intended to make the health care system more efficient and effective by promoting Electronic Data Interchange.
Electronic Data Interchange (EDI) is the transmission of data between two organizations by electronic means; in health care it is used to transfer medical data from one computer system to another. EDI comprises a number of standards set by the authorities.
Title II also defines a number of health care related offenses and penalties, and sets up programs to control fraud, violations and abuse in the health care system. Under this Title, the Department of Health and Human Services must create rules that increase efficiency in the health care system and provide fair and effective service to individuals.
HIPAA came into existence after years of complaints by patients about the misuse of their health records. The United States Government recognized the need for guidelines governing the use of medical records by health care officials, hospitals, insurance companies and others.
Before HIPAA, individuals had no right to prompt access to their medical records, and obtaining them could take weeks because there was no standard procedure for recording and storing them. The law also ensures that an individual keeps health coverage for a considerable period after losing his or her job, protecting the individual and his or her family until a new job is found.
All in all, the Health Insurance Portability and Accountability Act of 1996 has transformed the way medical records are used, disclosed and stored by covered entities.
The HIPAA Security Rule was finalized in 2003 and institutions were required to comply with it by April 2005. Unlike the Privacy Rule, which covers all information protected under HIPAA, the Security Rule deals specifically with electronically stored patient health records.
There are three main kinds of safeguards under the Security Rule:
- Administrative Safeguards, which include the following:
  - Covered entities must have privacy procedures and a privacy officer.
  - All procedures must identify the employees who have access to electronic protected health information (EPHI). Access should be restricted to those employees who need it to perform their jobs.
  - Establishment, modification and termination of access authorizations must be defined in detail.
  - Employees who perform administrative functions must be trained to handle PHI.
  - Institutions that outsource processes must ensure that the third party also complies with HIPAA requirements.
  - All entities must have a contingency plan for emergencies: all data must be backed up and disaster recovery procedures must exist.
  - Entities should conduct internal audits to identify potential violations.
- Technical Safeguards, which enable covered entities to secure all communication of PHI and control who can access computer systems containing PHI. The requirements are:
  - Systems containing PHI must be protected against intrusion of any kind, and information sent over an open network must be encrypted.
  - Data must not be changed or deleted by any unauthorized person or body.
  - When integrating data, methods such as data corroboration should be used to verify integrity. Covered entities should identify the other entities with which data is exchanged.
  - All HIPAA practices of covered entities must be documented and made available to the government.
  - Information technology documentation should include a record of every network configuration setting.
- Physical Safeguards, which control physical access and protect data against unauthorized access. The requirements are:
  - Introduction and removal of hardware and software must be controlled, and equipment may be disposed of only after ensuring that no protected data can fall into the wrong hands.
  - Covered entities must control and monitor access to computers and other systems containing health information.
  - Facility security plans, visitor records and similar controls must be maintained and monitored.
  - Entities must create policies to ensure proper use of workstations.
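The technical safeguards above (restricting EPHI access to the roles that need it, preventing unauthorized modification, and keeping a record of who did what) are easier to picture as code. The following is an added example, not code from the original page or from any HIPAA-related project: a small in-memory EPHI store in which every read or amendment passes an access check, every record carries an HMAC integrity tag so modification outside the controlled path is detected, and every attempt (allowed or denied) lands in an append-only audit log. The role table, key, patient record and identifiers are all constructed for the demonstration; encryption of data crossing an open network is left to the transport layer (TLS) and is not shown.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed demo key: a real deployment would fetch it from a key
# management service, never embed it in source.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"

# Hypothetical role table. Only roles that need EPHI to do their job can
# read it, and only clinicians may amend a record (minimum-necessary access).
ROLE_PERMISSIONS = {
    "physician": {"read", "amend"},
    "nurse": {"read"},
    "billing": set(),  # works from claims data, not the clinical record
}


def seal(record: dict) -> str:
    """HMAC-SHA256 tag over the canonical JSON form of a record.

    A later reader can detect unauthorized modification, which is the
    integrity requirement of the technical safeguards.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time tag comparison so verification leaks no timing information."""
    return hmac.compare_digest(seal(record), tag)


@dataclass
class EphiStore:
    """In-memory EPHI store with access control, integrity tags and an audit log."""
    records: dict = field(default_factory=dict)    # patient_id -> {"data", "tag"}
    audit_log: list = field(default_factory=list)  # append-only, one entry per attempt

    def _log(self, user, role, action, patient_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient_id": patient_id, "outcome": outcome,
        })

    def load(self, patient_id: str, record: dict) -> None:
        """Trusted initial import (for example from a validated EDI feed); seals the record."""
        self.records[patient_id] = {"data": dict(record), "tag": seal(record)}

    def read(self, user: str, role: str, patient_id: str):
        if "read" not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, "read", patient_id, "denied")
            return None
        entry = self.records.get(patient_id)
        if entry is None:
            self._log(user, role, "read", patient_id, "not_found")
            return None
        if not verify(entry["data"], entry["tag"]):
            # Changed outside the controlled path: refuse to serve it and flag it.
            self._log(user, role, "read", patient_id, "integrity_failure")
            return None
        self._log(user, role, "read", patient_id, "allowed")
        return dict(entry["data"])

    def amend(self, user: str, role: str, patient_id: str, changes: dict) -> bool:
        if "amend" not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, "amend", patient_id, "denied")
            return False
        entry = self.records.get(patient_id)
        if entry is None or not verify(entry["data"], entry["tag"]):
            self._log(user, role, "amend", patient_id, "rejected")
            return False
        updated = {**entry["data"], **changes}
        self.records[patient_id] = {"data": updated, "tag": seal(updated)}
        self._log(user, role, "amend", patient_id, "allowed")
        return True


def demo():
    """Walk through allowed, denied and tampered accesses on a constructed record."""
    store = EphiStore()
    store.load("P-0001", {"name": "Example Patient", "allergy": "none"})  # constructed
    nurse_view = store.read("nurse01", "nurse", "P-0001")
    billing_view = store.read("bill01", "billing", "P-0001")
    amended = store.amend("dr01", "physician", "P-0001", {"allergy": "penicillin"})
    # Simulate an edit that bypasses the API (direct database change): the tag no longer matches.
    store.records["P-0001"]["data"]["allergy"] = "none"
    tampered_view = store.read("nurse01", "nurse", "P-0001")
    return store, nurse_view, billing_view, amended, tampered_view


if __name__ == "__main__":
    store, *_ = demo()
    for entry in store.audit_log:
        print(entry["ts"], entry["user"], entry["action"], entry["outcome"])
```

The audit log is the piece an internal audit (administrative safeguard) or an incident responder would actually read: denied attempts and integrity failures are logged with the same detail as successful ones, so a billing user probing clinical records, or a record altered behind the application's back, shows up as an event rather than disappearing silently.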