HIPAA Security

Many health vendors are joining the HITECH bandwagon and offering their own products and services. All of these products and services are aimed at protecting against the breaches covered under HIPAA. Yet enough has been said within the industry to show that it does not properly distinguish between the two kinds of breach: privacy breaches and security breaches.

A privacy breach is said to have been perpetrated when a properly authenticated and authorized user looks into a patient's record without any particular need or requirement to do so. For example, a doctor who looks at a patient's record to review information while not treating that person at the time has committed a privacy breach.

This privacy breach has to be disclosed under the HITECH regulations. The same doctor, however, cannot be charged with a privacy breach when he pulls up the records a week later, because he is treating that patient at that time.

A security breach occurs when a system, disk, or unencrypted laptop or computer containing identifiable patient details is successfully hacked. This also implies a privacy breach, since it is unauthorized access to private data. Strangely enough, the converse does not hold: a privacy breach cannot be termed a security breach.

Many experts conclude that protecting against security breaches also prevents privacy breaches. Preventing security breaches can be accomplished fairly easily through two-factor authentication at the data workstation and by locking terminals to prevent improper and unauthorized use of data; other authentication approaches for clinical users should also be included. The latter is an important way to prevent privacy breaches, but it is the more difficult of the two to achieve.
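As an added illustration of the distinction drawn above (this is example code, not part of the original post), the following audit-log review labels each record access as a privacy breach, a security breach, or neither, using constructed treatment-relationship data. The names `Access`, `TREATMENT`, `classify` and `review` are assumptions of this example.

```python
# Added example: apply the two breach definitions to record-access log entries.
from datetime import date
from typing import NamedTuple


class Access(NamedTuple):
    user: str            # principal that read the record
    patient: str         # record that was read
    when: date           # date of the read
    authenticated: bool  # True if the read came through a properly authenticated, authorized session


# Constructed sample data: (clinician, patient, first day of care, last day of care).
TREATMENT = [
    ("dr_lee", "pt_001", date(2013, 3, 8), date(2013, 3, 20)),
]


def is_treating(user, patient, when, episodes=TREATMENT):
    """True if `user` had an active treatment relationship with `patient` on `when`."""
    return any(u == user and p == patient and start <= when <= end
               for u, p, start, end in episodes)


def classify(access, episodes=TREATMENT):
    """Return the set of breach labels for one access.

    Unauthenticated access (a hacked system, a stolen unencrypted disk) is a
    security breach and, as the text notes, therefore also a privacy breach.
    An authenticated user reading a record with no current treatment
    relationship is a privacy breach only. Anything else is not a breach.
    """
    if not access.authenticated:
        return frozenset({"security", "privacy"})
    if not is_treating(access.user, access.patient, access.when, episodes):
        return frozenset({"privacy"})
    return frozenset()


def review(log, episodes=TREATMENT):
    """Return only the accesses that need follow-up, paired with their labels."""
    return [(a, classify(a, episodes)) for a in log if classify(a, episodes)]


# Constructed sample log mirroring the doctor example in the text.
SAMPLE_LOG = [
    Access("dr_lee", "pt_001", date(2013, 3, 1), True),    # a week before treating: privacy breach
    Access("dr_lee", "pt_001", date(2013, 3, 8), True),    # same doctor, now treating: no breach
    Access("unknown", "pt_001", date(2013, 3, 9), False),  # no valid session: security breach
]

if __name__ == "__main__":
    for access, labels in review(SAMPLE_LOG):
        print(access.user, access.patient, access.when, sorted(labels))
```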

The introduction of the HITECH regulations has extended the bite of the HIPAA framework. Healthcare organizations are now required by law to disclose a privacy breach to the patient who has been affected. In certain cases, the Secretary of Health and Human Services must also be notified. Given this much-discussed HIPAA and HITECH compliance burden, application and desktop virtualization can therefore be an effective means of protecting against security breaches.

The HIPAA Safety Rule creates a system of Patient Safety Organizations (PSOs) that collect and analyze data received from medical care providers and check it for medical errors. This is done to increase patient safety and the quality of health care in the US. The safety rule defines patient safety work product (PSWP) to ensure fair use of the information.

PSWP is data that is (1) developed or accumulated by a health care provider for submission to a PSO that has been listed for Healthcare Research and Quality, and is recorded in the provider's patient safety evaluation system; (2) created by a PSO to conduct patient safety activities; or (3) identifies the deliberations of, or the existence of, a patient safety evaluation system.

PSWP is completely confidential and may be disclosed in only a handful of situations. It must be treated as confidential and protected, no matter who holds it.

If a person thinks that a covered entity under HIPAA, or an individual, has violated the safety and privacy rules and disclosed PSWP, he or she can file a HIPAA complaint. The complaint is filed with the OCR, which is responsible for investigating filed HIPAA complaints and enforcing all provisions of the privacy and safety rules.

The OCR will investigate, provide all possible technical assistance to the complainant, and help them reach an informal resolution by persuading the violator to comply with the norms voluntarily. If the OCR cannot reach an informal resolution, the Secretary can require the violator to pay a fine of up to $11,000 for every unlawful disclosure.

The following requirements must be met in order to file a HIPAA complaint:

  1. It must be in writing and can be sent by email, mail or fax.
  2. The complaint must name the person who is its subject and describe thoroughly all the alleged violations of HIPAA.
  3. The complaint must be filed within 6 months, or 180 days, of the complainant becoming aware of the violation. If there is good reason, the OCR can extend this time limit.

Anyone can file a HIPAA complaint as soon as he or she realizes that his or her privacy has been violated by a covered entity.

The HIPAA Security Rule was completed in 2003, and institutions were required to comply with it by April 2005. Unlike the Privacy Rule, which pertains to all information protected under HIPAA, the Security Rule deals with electronically stored patient health records.

The Security Rule defines three main kinds of safeguards:

  • Administrative Safeguards – These include the following steps:
    1. Covered entities must have privacy procedures and a privacy officer.
    2. The procedures must identify the employees who have access to electronic protected health information (EPHI). This access should be restricted to just those employees who need it to perform their jobs.
    3. Establishment, modification, authorization and termination of access must be defined in detail.
    4. Employees who will perform the administrative functions must be trained to handle PHI.
    5. Institutions that outsource their processes must ensure that the third party also complies with HIPAA requirements.
    6. All entities must put a contingency plan in place for emergencies. All data must be backed up, and there must also be disaster recovery procedures.
    7. Entities should conduct internal audits to identify potential violations.
  • Technical Safeguards – These safeguards enable covered entities to secure all communication involving PHI and to control who can access computer systems containing PHI. The requirements of these safeguards are:
    1. Systems that contain PHI must be protected and secured against any type of intrusion. Information that traverses an open network must be encrypted in some form.
    2. Data must not be changed or deleted by any unauthorized person or body.
    3. When integrating data, methods such as data corroboration should be used. Covered entities should identify every other entity to which data or information is communicated.
    4. All HIPAA practices of covered entities must be documented and made available to the government.
    5. Information technology documentation should include a record of every configuration setting of the network.
  • Physical Safeguards – These safeguards control physical access and protect the data against illegal access. The requirements of these safeguards are:
    1. The introduction and removal of software and computer hardware must be controlled. Equipment must be disposed of only after ensuring that no protected data falls into the wrong hands.
    2. Covered entities must control and monitor access to computers and other systems that contain health information.
    3. Facility security plans, visitors, records, etc. should all be monitored.
    4. Entities must create policies to ensure proper use of workstations.
Copyright © 2013
Hipaa Blog. All Rights Reserved.