If your organization is subject to the Health Insurance Portability and Accountability Act (HIPAA), it is recommended you review our HIPAA compliance checklist 2022 in order to ensure your organization complies with HIPAA requirements for the privacy and security of Protected Health Information (PHI). Failure to comply with HIPAA regulations can result in substantial fines being issued, even if no breach of PHI occurs, while breaches can result in criminal charges and civil action lawsuits being filed. There are also procedures to follow with regard to reporting breaches of the HIPAA Privacy and Security Rules and issuing HIPAA breach notifications to patients. Ignorance of the HIPAA compliance requirements is not considered a justifiable defense against sanctions for HIPAA violations issued by the Office for Civil Rights of the Department of Health and Human Services (OCR). OCR will issue fines for non-compliance with HIPAA regulations regardless of whether violations are inadvertent or result from willful neglect.

Our HIPAA compliance checklist has been compiled by dissecting the HIPAA Privacy and Security Rules, the HIPAA Breach Notification Rule, the HIPAA Omnibus Rule and the HIPAA Enforcement Rule. It is important to note that the Health Information Technology for Economic and Clinical Health (HITECH) Act 2009 also has a role to play in HIPAA IT compliance. Every element of the abovementioned Rules and Acts has to be complied with in order for an organization to be HIPAA compliant. There is no hierarchy in HIPAA regulations such that one HIPAA Rule is more important than another, and each of the criteria in our HIPAA compliance checklist has to be adhered to if your organization is to achieve full HIPAA compliance. If you are unsure whether your organization is subject to the HIPAA compliance guidelines, here is an initial HIPAA compliance checklist:

What is HIPAA compliance?
Before discussing the elements of our HIPAA compliance checklist, it is best to answer the question: what is HIPAA compliance? HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as HITECH. Typically the question following "what is HIPAA compliance" is "what are the HIPAA compliance requirements?" That question is not so easy to answer as, in places, the requirements of HIPAA are intentionally vague. This is so the HIPAA rules are equally applicable to every type of Covered Entity or Business Associate that creates, accesses, processes, or stores PHI. For the sake of clarity:

A Covered Entity is a health care provider, a health plan, or a healthcare clearinghouse that, in its normal activities, creates, maintains or transmits PHI. There are exceptions. Most health care providers employed by a hospital are not Covered Entities in their own right; the hospital is the Covered Entity and is responsible for implementing and enforcing HIPAA compliant policies. Employers, despite maintaining health care information about their employees, are not generally Covered Entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these cases they are considered to be "hybrid entities" and any unauthorized disclosure of PHI may still be considered a breach of HIPAA.

A Business Associate is a person or business that provides a service to, or performs a certain function or activity for, a Covered Entity when that service, function or activity involves the Business Associate having access to PHI maintained by the Covered Entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc. Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate's possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.

Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the privacy and integrity of PHI, and that, should a breach of PHI occur, they follow the procedure in the HIPAA Breach Notification Rule. All risk assessments, HIPAA-related policies and the reasons why addressable safeguards have not been implemented must be documented, both because the Security Rule requires that documentation and because, if a breach of PHI occurs and an investigation takes place, it is that documentation which establishes how the breach happened and whether the organization had acted reasonably. Each of the HIPAA requirements is explained in further detail below. Businesses unsure of their obligation to comply with the HIPAA requirements should seek professional advice.

HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied in order to safeguard and protect PHI that is electronically created, accessed, processed, or stored (ePHI), both at rest and in transit. The rule applies to anybody or any system that has access to confidential patient data. In this case "access" is interpreted as having the means necessary to read, write, modify, or communicate ePHI, or any personal identifiers that could reveal the identity of an individual. There are three parts to the HIPAA Security Rule: technical safeguards, physical safeguards and administrative safeguards. We address each of these in order in our HIPAA compliance checklist.

Technical Safeguards
The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The Security Rule does not mandate particular products or vendors. Encryption of ePHI, at rest and in transit, is an "addressable" specification (the distinction between "required" and "addressable" is explained in the Administrative Safeguards section): an organization that decides not to encrypt ePHI, for example once it travels beyond the organization's internal firewalled servers, must document why and implement an equivalent alternative. In practice, encryption that meets current NIST guidance is the control to reach for, because ePHI encrypted in that way is not "unsecured" PHI, so any breach of the ciphertext alone renders the data unreadable, undecipherable and unusable. Beyond that, organizations are free to select whichever mechanisms are most appropriate to:
Physical Safeguards
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers located within the premises of the HIPAA Covered Entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
Administrative Safeguards
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce. The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are checked thoroughly in subsequent audit phases: not just to make sure that the organization in question has conducted one, but to ensure it is comprehensive and ongoing. A HIPAA compliant risk assessment is not a one-time requirement, but a regular task necessary to ensure continued HIPAA compliance. The administrative safeguards include:
The difference between "required" HIPAA safeguards and "addressable" HIPAA safeguards on our HIPAA compliance checklist is that "required" safeguards must be implemented, whereas there is a certain amount of flexibility with "addressable" safeguards. "Addressable" does not mean optional. If it is not reasonable and appropriate to implement an addressable safeguard as it appears on the HIPAA compliance checklist, Covered Entities have the option of introducing an appropriate alternative or, where the risk analysis shows that neither the safeguard nor an alternative is needed, not introducing the safeguard at all. That decision will depend on factors such as the entity's risk analysis, risk mitigation strategy, and what other security measures are already in place. The decision must be documented in writing and include the factors that were considered, as well as the results of the risk assessment on which the decision was based.

HIPAA Privacy Rule
The HIPAA Privacy Rule governs how PHI, in any form (paper, spoken or electronic), can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and, from 2013, the Business Associates of Covered Entities. The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Protected Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients, or their nominated representatives, rights over their health information, including the right to obtain a copy of their health records, or examine them, and the ability to request corrections if necessary. Under the Privacy Rule, Covered Entities are required to respond to patient access requests within 30 days (one extension of up to 30 days is permitted if the individual is told in writing why the delay is needed). Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared. Covered Entities are also advised to:
Covered Entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of PHI to a health plan (when they have paid for a procedure privately), and also the option of providing an electronic copy of healthcare records to a patient when requested. The full content of the HIPAA Privacy Rule can be found on the Department of Health & Human Services website.

HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires Covered Entities to notify patients when there is a breach of their unsecured PHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of PHI and to issue a notice to prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction. There is also a requirement to report smaller breaches, those affecting fewer than 500 individuals, via the OCR web portal. These smaller breaches should be logged as soon as the initial investigation has been conducted; OCR only requires them to be reported annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Breach notifications should include the following information:
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach; a breach affecting 500 or more individuals must be reported to HHS within the same 60-day window. When notifying a patient of a breach, the Covered Entity must inform the individual of the steps they should take to protect themselves from potential harm, include a brief description of what the Covered Entity is doing to investigate the breach, and describe the actions taken so far to prevent further breaches and security incidents.

HIPAA Omnibus Rule
The HIPAA Omnibus Rule was introduced to address a number of areas that had been omitted by previous updates to HIPAA. It amended definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors. Business Associates are classed as any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a Covered Entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations, and any subcontractors engaged by Business Associates. The Omnibus Rule amends HIPAA regulations in five key areas:
Definition changes were also made to the term Business Associate, the term Workforce was amended to include employees, volunteers, and trainees, and the nature of personally identifiable information that is classified as PHI was updated. Following the passage of the HIPAA Omnibus Rule, in order to be HIPAA compliant, Covered Entities must now:
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of PHI, the penalties that could be imposed on Covered Entities responsible for an avoidable breach of PHI, and the procedures for hearings. Although not part of a HIPAA compliance checklist, Covered Entities should be aware of the following penalties:
Fines are imposed per violation category and reflect the number of records exposed in a breach, the risk posed by the exposure of that data, and the level of negligence involved. The annual cap for violations of an identical provision was set at $1,500,000 by the HITECH Act and is adjusted for inflation each year, so penalties can quickly reach seven figures when several provisions are violated. It should also be noted that willful neglect can also lead to criminal charges being filed, and civil lawsuits for damages can be filed by victims of a breach. The organizations most commonly subject to enforcement action are private medical practices (solo doctors or dentists, group practices, and so on), hospitals, outpatient facilities such as pain clinics or rehabilitation centers, insurance groups, and pharmacies. The most common violations reported to HHS are:
What Should a HIPAA Risk Assessment Consist Of?
Throughout the HIPAA regulations, there is a lack of guidance about what a HIPAA risk assessment should consist of. OCR explains that the failure to provide a "specific risk analysis methodology" is due to Covered Entities and Business Associates being of different sizes, capabilities, and complexity. However, OCR does provide guidance on the objectives of a HIPAA risk assessment:
As mentioned above, a HIPAA risk assessment is not a one-time requirement, but a regular task necessary to ensure continued HIPAA compliance. The HIPAA risk assessment and an analysis of its findings will help organizations to comply with many other areas on our HIPAA compliance checklist, and should be reviewed regularly when changes to the workforce, work practices, or technology occur. Depending on the size, capability, and complexity of a Covered Entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely long-winded task. There are various online tools that can help organizations with the compilation of a HIPAA risk assessment; although, due to the lack of a "specific risk analysis methodology", there is no one-size-fits-all solution.

The Importance of Data Encryption
Historically, a large proportion of ePHI breaches have resulted from the loss or theft of mobile devices containing unencrypted data and from the transmission of unsecured ePHI across open networks. Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance (it is an addressable specification of the Security Rule), it is a security measure which should be thoroughly evaluated and addressed, and where it is not implemented the decision and the alternative measure adopted must be documented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft. Data is first converted to an unreadable format, termed ciphertext, which cannot be recovered without the key that converts the encrypted data back to its original format. That key must therefore be stored and managed separately from the data: a laptop whose disk is encrypted but whose key sits in a file on the same disk, or is protected only by a weak password, has not secured the ePHI. If a device holding ePHI that is encrypted in line with HHS guidance (which points to NIST SP 800-111 for data at rest and the NIST TLS and VPN guidance for data in transit) is lost or stolen, the ePHI is not considered "unsecured" and the loss does not trigger the Breach Notification Rule. Encryption in transit is equally important on networks so that ePHI cannot be read if traffic is intercepted; it does not on its own stop an attacker who has obtained valid credentials from accessing the data, which is why access controls and monitoring of access logs remain necessary.

How to Become HIPAA Compliant
Many vendors would love to develop apps, software, or services for the healthcare industry, although they are unsure how to become HIPAA compliant.
While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, it can be a difficult process for organizations unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and implement all appropriate privacy and security controls. Until vendors can confirm they have implemented all the appropriate safeguards to protect ePHI at rest and in transit, and have policies and procedures in place to prevent and detect unauthorized disclosures, their products and services cannot be used by HIPAA Covered Entities. So, what is the easiest way to become HIPAA compliant? You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates the relevant technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules. Get anything wrong and fail to safeguard ePHI and, as a HIPAA Business Associate, you can be fined directly for HIPAA violations by the HHS' Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also be applicable for some violations. HIPAA compliance can therefore be daunting, although the potential benefits for software vendors of moving into the lucrative healthcare market are considerable. To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with a HIPAA "certification". Note that HHS does not recognize or endorse any HIPAA certification: such a certificate is a vendor's attestation that you met its checklist on a given date, not a regulatory status, and it does not shield you from enforcement action.

HIPAA IT Compliance
HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements on your HIPAA IT compliance checklist are covered.
Risk assessment and management is a key consideration for HIPAA IT security. One way to help ensure risks are identified and appropriate controls are implemented as part of your HIPAA IT compliance program is to adopt the NIST Cybersecurity Framework. The NIST Cybersecurity Framework will help prevent data breaches, and detect and respond to attacks in a HIPAA compliant manner when attacks do occur. HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that "touches" ePHI must incorporate appropriate security protections to ensure its confidentiality, integrity, and availability. One element of the HIPAA compliance checklist that is often low down on the priority list is monitoring ePHI access logs regularly. Inappropriate accessing of ePHI by healthcare employees is common (looking up relatives, neighbors, colleagues or public figures whose care the employee is not involved in), yet many Covered Entities fail to conduct regular audits, and inappropriate access can continue for months or sometimes years before it is discovered. The audit is only possible if the EHR records who accessed which patient's record, when, and from where, so retention of those logs and a routine review of them belong on the checklist alongside the access controls themselves.

HIPAA Compliance Checklist for IT
In addition to the rules and regulations that appear on our HIPAA compliance checklist originating from acts of legislation, there are several mechanisms that IT departments can implement to increase the security of ePHI. Potential lapses in security due to the use of personal mobile devices in the workplace can be reduced by the use of a secure messaging solution. Secure messaging solutions allow authorized personnel to communicate ePHI, and send attachments containing ePHI, via encrypted messages that comply with the physical, technical, and administrative HIPAA safeguards. Email is another area in which potential lapses in security exist. Emails containing ePHI that are sent beyond an internal firewalled server should be encrypted, bearing in mind that TLS between mail servers protects a message only hop by hop; where the receiving side cannot be trusted, end-to-end encryption of the message or a secure portal is needed.
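The access-log review described above is rarely shown concretely, so here is an added example (not code from the HIPAA Journal article or from any EHR vendor) of the kind of audit a Privacy Officer can run over chart-access logs. The log format, the care-team assignment table, the workforce directory and the VIP list are all constructed for this example; real EHR audit logs carry more fields and the relationship table would come from the scheduling or billing system. It flags three recurring snooping patterns: access by a user with no documented treatment or payment relationship to the patient, access to a patient who shares the user's surname, and any access to a record on a heightened-monitoring list.

```python
"""
Added example: a minimal audit of EHR chart-access logs for inappropriate
access. Everything below (log format, care-team table, user directory,
VIP list) is constructed for illustration and is not from a real system.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log: one CSV row per chart access.
ACCESS_LOG = """\
ts,user,role,patient_id,patient_surname,action
2024-03-01T08:02:11,jsmith,nurse,P1001,Garcia,view
2024-03-01T08:05:40,jsmith,nurse,P1002,Nguyen,view
2024-03-01T08:20:03,rlee,billing,P1001,Garcia,view
2024-03-01T09:15:22,rlee,billing,P2044,Lee,view
2024-03-01T11:47:59,kpatel,physician,P3001,Famous,view
2024-03-01T23:30:10,jsmith,nurse,P1003,Smith,view
"""

# Constructed: users with a documented treatment or payment relationship to
# each patient (care team, billing assignment). Empty set = nobody assigned.
CARE_TEAM = {
    "P1001": {"jsmith", "rlee"},
    "P1002": {"jsmith"},
    "P1003": {"mchen"},
    "P2044": set(),
    "P3001": {"aruiz"},
}

# Constructed workforce directory, used for the same-surname heuristic
# (staff looking up relatives is a recurring snooping pattern).
USER_DIRECTORY = {
    "jsmith": {"surname": "Smith"},
    "rlee": {"surname": "Lee"},
    "kpatel": {"surname": "Patel"},
}

# Constructed: records flagged for heightened monitoring (public figures, staff).
VIP_PATIENTS = {"P3001"}


def audit_access(log_text, care_team=CARE_TEAM, users=USER_DIRECTORY,
                 vips=VIP_PATIENTS):
    """Return one finding per log row that trips at least one rule.

    Rules (a finding lists every rule it tripped):
      no-relationship : user is not on the patient's care/billing assignment
      same-surname    : user's surname matches the patient's surname
      vip-record      : patient is on the heightened-monitoring list
    A finding is a lead for the Privacy Officer to review, not proof of a
    violation; a legitimate reason (covering a colleague, an ED walk-in) may exist.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        reasons = []
        if user not in care_team.get(pid, set()):
            reasons.append("no-relationship")
        if users.get(user, {}).get("surname") == row["patient_surname"]:
            reasons.append("same-surname")
        if pid in vips:
            reasons.append("vip-record")
        if reasons:
            findings.append({"ts": row["ts"], "user": user, "role": row["role"],
                             "patient_id": pid, "reasons": reasons})
    return findings


def summarize_by_user(findings):
    """Count flagged accesses per user so repeat offenders float to the top."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = audit_access(ACCESS_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']:<8} {h['role']:<10} {h['patient_id']} "
              f"{','.join(h['reasons'])}")
    print("by user:", summarize_by_user(hits))
```

On the constructed log this flags three of the six accesses: a billing clerk opening a record with no billing assignment that carries her own surname, a physician opening a VIP record he is not treating, and a nurse opening a same-surname patient outside her assignment. The in-scope accesses by the same users are left alone, which is the point of keying the rule on a relationship table rather than on role alone. In production the relationship table is the hard part to keep current, so run the review on a schedule and record each review and its outcome; that record is the evidence an auditor asks for.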
It should also be considered that emails containing ePHI may form part of a patient's medical record and should therefore be archived securely in an encrypted format. HIPAA itself requires compliance documentation to be retained for a minimum of six years; retention periods for medical records are set by state law and may be longer. As medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases, and healthcare organizations can reduce the risk of this happening to them with a web content filter alongside multi-factor authentication on EMR logins.

Additional HIPAA IT Requirements
As well as the technological regulations mentioned above, there are many miscellaneous HIPAA IT compliance requirements that are easy to overlook, for example the facility access rules within the physical safeguards of the Security Rule. These HIPAA IT compliance requirements may inadvertently be discounted if the IT Department has no responsibility for the physical security of its servers, and it will be the HIPAA Security Officer's role to establish responsibility. Other areas of the HIPAA IT requirements frequently overlooked include Business Associate Agreements with SaaS providers and hosting companies who may have access to ePHI via the services they provide. The same applies to software developers who build eHealth apps that will transmit PHI. There has to be a Business Associate Agreement in place with any health care provider distributing the app in order to be compliant with the HIPAA IT requirements.

HIPAA Audit Checklist
The further area of our HIPAA compliance checklist concerns a HIPAA audit checklist. The passage of the HIPAA Enforcement Rule created a viable way in which HHS could monitor HIPAA compliance. If it was found that a Covered Entity or Business Associate had made no attempt to comply with HIPAA, HHS could issue fines even if no breach of PHI had occurred. In order to help Covered Entities and Business Associates compile a HIPAA audit checklist, HHS has released audit protocols for the first two rounds of audits. You can find out more about the audit protocols on our dedicated HIPAA Audit Checklist page, and, if you scroll down to the bottom of that page, the latest updates on the audits and details about documentation requests.

2021 HIPAA Compliance
On January 5, 2021, President Trump signed bill HR 7898 into law, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for healthcare organizations and business associates that have implemented recognized security best practices for at least the 12 months prior to experiencing a data breach. The aim of the bill is to encourage HIPAA-covered entities and their business associates to adopt a common security framework.
The update requires the HHS' Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires HHS to decrease the extent and length of audits when an entity has achieved industry-standard security best practices. On December 10, 2020, the HHS' Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) under the HHS' Regulatory Sprint to Coordinated Care initiative. The NPRM included several proposed modifications to the HIPAA Privacy Rule to strengthen individuals' access to their own protected health information and to improve the sharing of PHI stored in EHRs between covered healthcare providers and health plans. Comments on the proposed changes are being accepted for 60 days from the date of publication in the Federal Register and, after consideration of submitted feedback, a final rule will be published. While that may occur in 2021, HIPAA-covered entities and business associates will be given time to implement the changes before the new regulations are enforced. The update will see the addition of a definition of "electronic health record", which is "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals." The proposed changes in the NPRM are:
Temporary Changes to HIPAA Compliance Checklists During the COVID-19 Pandemic
Healthcare organizations are having to deal with a nationwide public health crisis, the likes of which has never been seen. The 2019 novel coronavirus (SARS-CoV-2) that causes COVID-19 is forcing healthcare organizations to change normal operating procedures and workflows, reconfigure hospitals to properly segregate patients, open testing centers outside of their usual facilities, work with a host of new providers and vendors, and rapidly expand telehealth services and remote care. This colossal extra burden makes HIPAA compliance even more difficult, yet even during public health emergencies such as the COVID-19 pandemic, health plans, healthcare providers, healthcare clearinghouses, and business associates and their subcontractors must still comply with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules. HIPAA Rules have provisions covering healthcare operations during emergencies such as natural disasters and disease pandemics; however, the current COVID-19 nationwide public health emergency has called for the temporary introduction of unprecedented flexibilities with regard to HIPAA compliance. The HHS' Office for Civil Rights appreciates that during such difficult times, HIPAA compliance becomes even more of a strain. In order to ensure the flow of essential healthcare information is not impeded by HIPAA regulations, and to help healthcare providers deliver high quality care, OCR has announced that penalties and sanctions for noncompliance with certain provisions of HIPAA Rules will not be imposed on healthcare providers and their business associates for good faith provision of healthcare services during the COVID-19 public health emergency.
Notice of Enforcement Discretion Covering Telehealth Remote Communications
With hospitals having limited capacity, and social distancing and self-isolation measures in place, healthcare providers have expanded their telehealth and virtual care capabilities. The Centers for Medicare and Medicaid Services (CMS) has also temporarily expanded telehealth options to all Medicare and Medicaid recipients. To support healthcare providers, OCR announced a Notice of Enforcement Discretion covering telehealth remote communications for the duration of the COVID-19 public health emergency. Some of the platforms used for providing these services may not be fully compliant with HIPAA Rules, but OCR will not be imposing sanctions and penalties for the use of these platforms during the COVID-19 public health emergency. "A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients," explained OCR. That includes the likes of Zoom, Google Hangouts video, Facebook Messenger Chat, and FaceTime; however, HIPAA-compliant platforms should be used if possible. The Notice of Enforcement Discretion DOES NOT apply to public-facing chat and video platforms such as Facebook Live and TikTok.

Notice of Enforcement Discretion Covering Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities
The HIPAA Privacy Rule only permits Business Associates of HIPAA Covered Entities to use and disclose PHI for public health and health oversight activities if it is specifically stated that they can do so in their Business Associate Agreement with a HIPAA Covered Entity.
On April 2, 2020, OCR issued a Notice of Enforcement Discretion stating that sanctions and penalties will not be imposed on Business Associates for good faith disclosures of PHI for public health purposes to the likes of the Centers for Disease Control and Prevention (CDC), CMS, state and local health departments, and state emergency operations centers, which need access to COVID-19 related data, including PHI. In all cases, any use or disclosure must be reported to the Covered Entity within 10 days of the use or disclosure occurring. The minimum necessary standard applies, and disclosures of PHI should be restricted to the minimum necessary amount to achieve the objective for which the information is disclosed. The Security Rule is also still in effect, so safeguards must be implemented to ensure the confidentiality, integrity, and availability of all PHI transmitted in relation to public health and health oversight activities.

Notice of Enforcement Discretion for Community-Based Testing Sites
Enforcement discretion will be exercised by OCR, and sanctions and penalties will not be imposed on Covered Entities or Business Associates in connection with good faith participation in the operation of COVID-19 testing sites such as walk-up, drive-through, and mobile sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will last for the duration of the COVID-19 public health emergency. The Notice of Enforcement Discretion covers all activities in testing centers that support the collection of specimens and testing of individuals for COVID-19. Reasonable safeguards must be implemented to protect patient privacy and the security of any PHI used or collected at these sites.
The Notice does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions, nor to healthcare providers or business associates that are not performing COVID-19 Community-Based Testing Site activities, even if those activities are performed at the testing sites.

Notice of Enforcement Discretion Covering Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
On January 19, 2021, OCR announced it will be exercising enforcement discretion and will not impose penalties or sanctions on HIPAA covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments. The enforcement discretion does not apply when an entity fails to act in good faith. Examples of bad faith use of WBSAs include, but are not limited to: the use of a WBSA when its terms of service prohibit use for scheduling healthcare services; use of a solution that does not incorporate reasonable security safeguards to prevent unauthorized access to ePHI; use of WBSAs to conduct services other than scheduling appointments for COVID-19 vaccinations; and use of a WBSA for screening individuals for COVID-19 prior to an in-person healthcare visit. While HIPAA penalties will not be imposed, OCR encourages HIPAA-covered entities and business associates to ensure that reasonable safeguards are implemented to protect the privacy and security of healthcare data, such as the use of encryption, limiting data input into the systems to the minimum necessary information, and activating all available privacy settings. OCR is exercising enforcement discretion immediately, retroactive to December 11, 2020.
Sharing PHI About COVID-19 Patients with First Responders
OCR has confirmed that HIPAA Rules permit the sharing of PHI with first responders such as law enforcement, paramedics, public safety agencies, and others under certain circumstances, without first obtaining a HIPAA authorization from a patient. OCR confirmed that the HIPAA Privacy Rule permits disclosures of PHI for the provision of treatment (e.g. by a skilled nursing facility to medical transport personnel), when required to do so by law (such as to comply with state infectious disease reporting requirements), and to prevent or control disease, injury, or disability. That includes disclosures for public health surveillance, and to public health authorities to help prevent or control the spread of disease. PHI can also be disclosed to first responders who may be at risk of infection and to help prevent or lessen a serious and imminent threat to the health and safety of a person or the public. OCR explained that it is permissible to "disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties." HIPAA also permits disclosures of PHI when responding to a request for PHI by a correctional institution or law enforcement official that has lawful custody of an inmate or other individual. The disclosures are permitted when PHI is needed to provide healthcare to an individual, to ensure the health and safety of staff and other inmates, to law enforcement on the premises, and to help maintain safety, security, and good order in a correctional institution.
Except for disclosures for treatment and disclosures required by law, the minimum necessary standard applies to these disclosures, and the PHI disclosed should be restricted to the minimum necessary to achieve the purpose of the disclosure. You can view more detailed information on HIPAA compliance and COVID-19 here.

HIPAA Compliance FAQ

What do You Need to Know about HIPAA?
The most important thing to know about HIPAA is that ignorance of the HIPAA requirements is no defense against enforcement action. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to understand what the rules are, how they apply to you, and what you need to do to become HIPAA compliant.

What are the Penalties for Breaching HIPAA?
The penalties for breaching HIPAA vary according to the nature of the violation, the level of culpability, and the amount of assistance given to HHS during its investigation of the breach. The current tiered penalty structure was introduced by the HITECH Act 2009, and the amounts are adjusted each year for inflation. The most recent penalties for breaching HIPAA can be found here.

What Steps Should You Take for HIPAA Compliance?
The steps you should take for HIPAA compliance depend on the nature of your business and your access to Protected Health Information. HHS publishes several tools to help Covered Entities determine what steps to take for HIPAA compliance; if you are still unsure about the requirements, you should seek professional compliance advice.

What is the HIPAA Security Rule?
The HIPAA Security Rule establishes national standards for protecting Protected Health Information that is created, received, used, or maintained electronically (ePHI) by a Covered Entity. The Rule was introduced as Covered Entities increasingly adopted electronic systems in place of paper processes.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, formally the "Standards for Privacy of Individually Identifiable Health Information", was introduced to standardize a patchwork of state laws governing how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, those laws continue to apply.

What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to notify affected individuals and the Secretary of Health and Human Services following a breach of unsecured Protected Health Information, i.e. an impermissible use or disclosure that compromises the privacy or security of the PHI. Different procedures and deadlines apply depending on the nature of the breach and the number of individuals affected.

What is the HIPAA Omnibus Rule?
The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules and to implement provisions of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.

What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule sets out the procedures under which the Department of Health and Human Services conducts investigations, manages hearings, and imposes penalties in HIPAA violation cases. It is important to note that other agencies (for example the Centers for Medicare & Medicaid Services, which enforces the HIPAA transaction and code set standards) can also take HIPAA enforcement actions, and these may follow their own procedures.

What is the Minimum Necessary Rule?
The Minimum Necessary Rule, sometimes called the "Minimum Necessary Standard" or "Minimum Necessary Requirement", is a key element of the HIPAA Privacy Rule.
The Rule requires HIPAA-covered entities to make reasonable efforts to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose, and nothing more.

What are the HIPAA Retention Requirements?
The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related policies, procedures, and other documentation. In states that do not require longer retention periods, the minimum retention period for HIPAA-related documentation is six years. You will find examples of the types of documentation that should be retained in this article.

Are there Rules about Sharing PHI on Social Media?
The HIPAA Privacy Rule was enacted many years before most social media platforms existed, so there are no HIPAA rules specific to social media. However, except for permitted uses and disclosures, disclosing PHI without the patient's authorization is a violation of HIPAA, and sharing PHI on social media falls into this category.

What is the Difference between Patient Consent and Patient Authorization in HIPAA?
Although not required by the HIPAA Privacy Rule, Covered Entities may choose to obtain a patient's consent before, for example, using or disclosing PHI for treatment. By contrast, a Covered Entity must obtain a patient's written authorization, via a HIPAA Release Form, before disclosing PHI for any purpose other than a permitted use or disclosure.

Are Pagers HIPAA-Compliant Communication Tools?
This depends on what the pagers are being used for and what capabilities they have. If a pager is not used to communicate ePHI, HIPAA compliance is not an issue. If a pager is used to communicate ePHI, it must support safeguards such as user authentication, remote wipe, and automatic log-off. You can find out more about pagers and HIPAA compliance in this article.
How Does the EU's General Data Protection Regulation Affect HIPAA Compliance?
While the EU's General Data Protection Regulation (GDPR) does not change HIPAA compliance obligations in any way, it introduces a further set of requirements for Covered Entities and Business Associates that collect, process, share, or store personal data relating to individuals in the EU, for example if an EU resident receives medical treatment in the USA. This article provides more information about GDPR for US companies.