HIPAA HITECH Compliance Certification

Do you process protected health information or PHI as part of your business? If so, you have likely heard of the Health Insurance Portability and Accountability Act (or HIPAA) and the Health Information Technology for Economic and Clinical Health (or HITECH) Act. Do you know what these two acts entail, though, or why compliance with them is so important? Here are some critical details every professional should keep in mind.
How Can BlueSteel Cybersecurity Assist Your Organization with HIPAA HITECH?

We manage all areas of HIPAA HITECH compliance as your outsourced cybersecurity department so you don’t have to.

What’s Included in our HIPAA HITECH Security Program

Our HIPAA HITECH Security Program includes everything you need to meet HIPAA HITECH’s criteria items. This includes the following:

HIPAA vs. HITECH: Key Differences

HIPAA and the HITECH Act are two distinct laws.

HIPAA

The Health Insurance Portability and Accountability Act was passed in 1996. It was the first U.S. law to regulate the management of protected health information.

HIPAA introduced a collection of security protocols and privacy rights meant to reduce the risk of fraud and waste in the healthcare sector. The act also clarified who was required to comply with its regulations (these groups are known as “covered entities”) and how they were required to comply.
HITECH Act

The Health Information Technology for Economic and Clinical Health Act was passed 13 years after HIPAA in 2009. It was introduced as part of the American Recovery and Reinvestment Act (or ARRA) with the intent of encouraging HIPAA-covered entities to utilize electronic health records (or EHRs) to manage PHI.

The HITECH Act included financial incentives for four years, from 2011 to 2015, to transition to electronic health records and improve healthcare delivery. It also introduced a new set of technical security standards designed to complement and enhance HIPAA.

What Is Protected Health Information?

Protected Health Information is defined in the General HIPAA Provisions as health information that could be used to identify an individual. The definition covers such information whether it is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

HIPAA also describes “individually identifiable health information” as a “subset of health information,” such as demographic information, that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse (such as a billing service).

Who Do HIPAA and the HITECH Act Apply To?

HIPAA applies to hospitals, physicians, other healthcare providers, and academic medical centers that transmit claims electronically. A HIPAA-covered entity could be an individual person, an organization, or an institution.
 
The HITECH Act requires business associates of all HIPAA-covered entities to establish a business associate agreement (or BAA) with those entities. This agreement specifically states that the business associates are not to disclose PHI or ePHI (electronic protected health information) for any reason other than those permitted by HIPAA’s Privacy Rule.
 
The term “business associate” includes all organizations that perform a service for or on behalf of a HIPAA-covered entity that involves the disclosure of PHI.

The Relationship Between HITECH and HIPAA Compliance

As the healthcare landscape changed and the use of electronic health records became the norm, the HITECH Act became a natural extension of HIPAA. Since its introduction, the HITECH Act has had significant impacts on what it means for a company to be HIPAA-compliant.
 
The following are some of the most noteworthy influences:

Enhanced Security Standards for ePHI

Several aspects of HIPAA’s security standards were updated under the HITECH Act, including these:

Access to electronic health data must now be controlled with authentication procedures

Encryption is required for all devices that store digital health information

Access log usage and the modification of protected data must be viewable

Audit procedures must be implemented to monitor compliance

Data loss risk assessments must be carried out regularly to monitor vulnerabilities and threats

Extended Privacy Rights

Businesses that process ePHI are now subject to the following obligations:

Must: Provide individuals with a copy of their electronic health records if requested (as long as you have the means to share it electronically)

Must not: Sell electronic protected health information for any reason

Expanded Businesses That Must Comply

The HITECH Act expanded the definition of “covered entity” to include business associates and subcontractors that process PHI on behalf of a covered entity. These business associates and subcontractors must now do the following:

Follow HIPAA and HITECH privacy provisions and avoid sharing PHI unless permitted

Adhere to all HIPAA and HITECH security provisions

Pay HIPAA and HITECH fines and penalties if PHI is shared with unauthorized parties (including if a breach occurs)

Introduced New Breach Notification Guidelines

If a data breach occurs, a covered entity (or a business associate or subcontractor) must notify affected individuals and the Secretary of the U.S. Department of Health and Human Services within 60 days.

Increased Penalty Severity

The HITECH Act includes this four-tier penalty system for noncompliance:

Introduced New Training Compliance Information

Because the HITECH Act enhances HIPAA, any new information introduced under the HITECH Act must also be included in an organization’s employee training program to ensure compliance.

Tips for HIPAA and HITECH Compliance

For an organization to be compliant with HIPAA and the HITECH Act, it must meet the following standards outlined in the HITECH Compliance Checklist:

Understand the HITECH Act

Make sure you understand the HITECH Act and why it matters to comply with data security regulations in the healthcare sector. You should be able to explain the fundamental tenets of the HITECH Act and how it impacts your organization’s data security protocols.

Identify and Classify Data That Must Be Protected

Data should be identified and classified under one of these categories:

Confidential

Restricted

Highly sensitive

Public

Moderately sensitive

Establish Sufficient Data Security Measures

Sufficient data security measures might include the implementation of safeguards like encryption, access controls, data backup, or disaster recovery plans. You should have a documented set of security measures customized to your organization.

Implement Physical Safeguards

Physical safeguards should include secure storage and proper physical document disposal. Access to sensitive areas should be restricted, too, and physical environments should be monitored regularly for potential security risks.

Develop and Follow Privacy Policies and Security Procedures

You should create a set of documented policies and procedures featuring clear guidance to employees and stakeholders regarding their roles and responsibilities when it comes to maintaining data security.

Train Employees on HIPAA Rules and HITECH Compliance

All employees should be well-informed and able to contribute to the company’s efforts to maintain compliance and data security.

Apply Access Control Measures

Access control measures include user authentication and role-based access controls. You should implement these control measures to safeguard data privacy and integrity.

Introduce an Audit Control System

An audit control system should track and monitor sensitive data access. Implementing such a system will enhance data security and ensure HITECH compliance.

Introduce Regular HIPAA Risk Assessments

Assessments should include technical and administrative control evaluation, penetration tests, and reviews of security incident trends. These assessments will help organizations proactively address security gaps.

Secure Electronic Communications

Electronic communications should be secured with methods like encryption, secure email protocols, and secure file transfer protocols.

Submit Electronic Communications Security Protocol for Approval

Submitting for approval ensures your security protocols are up to par and do not have any gaps.

Ensure Data Integrity

Examples of data integrity techniques include checksums, data backup, and version control. Implement these measures to protect critical data from tampering, corruption, and loss.
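The three checklist items above on access control, audit control, and data integrity are easier to picture together. The following is an added example, not BlueSteel’s code and not anything HIPAA or HITECH prescribes: a small ePHI gateway that checks a role-based permission matrix before releasing a record, writes every attempt (allowed or denied) to an append-only audit log, and protects that log with a SHA-256 hash chain so that an edited or deleted entry is detected on verification. The PERMISSIONS matrix, the sample record under “MRN-0001”, and the user and role names are all constructed assumptions for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed sample access policy (not a HIPAA/HITECH-defined matrix):
# role -> set of actions it may perform on an ePHI record.
PERMISSIONS = {
    "physician": {"read"},
    "billing": {"read_billing"},
    "auditor": set(),  # may inspect the log, never the records themselves
}

# Constructed sample record; the MRN, name, code and insurer are fictitious.
SAMPLE_RECORDS = {
    "MRN-0001": {"name": "Pat Example", "diagnosis": "J06.9", "insurer": "Acme Health"},
}

GENESIS_HASH = "0" * 64  # chain anchor for the first log entry


def _entry_hash(entry):
    """SHA-256 over every field except the hash itself, with a stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit trail. Each entry stores the hash of the previous one,
    so editing, inserting or deleting any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, record_id, allowed, when=None):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record_id": record_id,
            "allowed": allowed,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev_hash or _entry_hash(entry) != entry["entry_hash"]:
                return False, i
            prev_hash = entry["entry_hash"]
        return True, None


class EphiGateway:
    """Every access attempt, allowed or denied, is logged before any data is returned."""

    def __init__(self, records, log):
        self.records = records
        self.log = log

    def access(self, user, role, action, record_id, when=None):
        allowed = action in PERMISSIONS.get(role, set())
        self.log.append(user, role, action, record_id, allowed, when)
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action!r} {record_id}")
        record = self.records[record_id]
        if action == "read_billing":
            # Billing staff receive only the fields their task needs.
            return {"record_id": record_id, "insurer": record["insurer"]}
        return dict(record)


def tamper_demo():
    """Show the chain catching an edited entry. Returns (before, after) verify results."""
    log = AuditLog()
    gateway = EphiGateway(SAMPLE_RECORDS, log)
    gateway.access("dr_lee", "physician", "read", "MRN-0001")
    try:
        gateway.access("bob", "billing", "read", "MRN-0001")  # denied, but still logged
    except PermissionError:
        pass
    before = log.verify()
    log.entries[1]["user"] = "someone_else"  # simulate an after-the-fact edit to the log
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(tamper_demo())  # ((True, None), (False, 1))
```

Two design points carry over to real systems: the log entry is written before the permission decision is enforced, so denied attempts leave the same trail as successful ones, and the hash chain only detects tampering; it does not prevent it, so the verified chain still needs to be backed up to storage the application account cannot rewrite.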

Prepare Contingency Plans

A contingency plan outlines what you will do if a breach occurs.

Develop a Breach Notification Policy

Your breach notification policy will clarify when and how people should be alerted to a data breach.

Notify All Affected Individuals if a Data Breach Occurs

This protocol should include identifying all affected individuals, determining the appropriate method of communication, and drafting a breach notification.

Submit Breach Notification Policy for Approval

The breach notification policy should also be submitted for approval to ensure it is compliant with all HIPAA and HITECH guidelines.

Implement a Business Associate Agreement with Third-Party Entities

A Business Associate Agreement ensures all third-party organizations comply with the HITECH Act and implement appropriate security practices, mitigating the risks that come with data sharing.

Send HITECH Compliance Report to a Governing Body

A governing body must review your organization’s compliance protocols and verify that you have abided by all the guidelines and standards laid out in the HIPAA and HITECH Acts.

Who Enforces HIPAA and the HITECH Act?

Although the HITECH Act is a federal law, it also grants state attorneys general and the Department of Health and Human Services the authority to enforce it.

Ensure HIPAA and HITECH Compliance with BlueSteel

For any organization that deals with electronic protected health information, compliance with HIPAA and the HITECH Act is critical. Making sure you are compliant, especially with the latest updates, can be tricky, though.
 
Follow the guidelines shared here to begin ensuring compliance. If you need more assistance, though, reach out to our team at BlueSteel Cybersecurity.
 
We offer compliance preparation services to help you feel confident that you’ve checked every box and done everything you can to protect your business and your customers/clients.
