HIPAA Gap Analysis or a HIPAA Risk Analysis?

Posted on Oct 9, 2019 in HIPAA


What is the difference between a HIPAA Gap Analysis and a HIPAA Risk Analysis?  Many organizations use the two terms interchangeably, but they are not the same thing.  Don’t make the same mistake.

Office of Civil Rights Requirements

The Office for Civil Rights has clearly spelled out the steps and requirements for a HIPAA Security Risk Analysis.  It requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information held by the organization.  Furthermore, entities must consider the potential risks, threats and vulnerabilities to all of the covered entity’s ePHI.  This includes all ePHI that is created, received, maintained or transmitted, wherever that ePHI originates or is stored.

Understanding a HIPAA Gap Analysis

The HIPAA Rule does not require a HIPAA Gap Analysis.  A Gap Analysis is usually a limited evaluation of a covered entity’s or business associate’s organization that reveals whether the policies, controls and safeguards required by HIPAA are in place and implemented.  The Gap Analysis should begin with a review of all policies, procedures, processes, practices and systems, and it must cover all facilities as they relate to privacy and to uses and disclosures of PHI.

Gap Analysis Insufficient for HIPAA Rule

A Gap Analysis does not satisfy the Security Risk Analysis requirement.  It does not demonstrate an accurate and thorough analysis of all risks, threats and vulnerabilities to all of the ePHI an entity creates, receives, maintains or transmits.  Consequently, the Gap Analysis is not equivalent to the Risk Analysis and does not satisfy the rule as specified by 45 C.F.R. §164.308(a)(ii)(A).  It is important to note that OCR expects a covered entity to document and implement all of the necessary requirements of the HIPAA Rule to obtain a Compliant rating.

Therefore, it is important to identify your covered entity’s needs and determine whether you require a Gap Analysis or a Risk Analysis.  Most importantly, ensure that the vendor you engage is qualified to perform the specific type of analysis that you need.


Technical Safeguards Protect PHI

Posted on Jun 19, 2019 in HIPAA


Why Technical Safeguards?

Technical safeguards protect PHI and have become a major part of any HIPAA Privacy program.  They are key elements that help to maintain the safety of ePHI as the internet changes, and they have grown in importance with technology advancements in the health care industry.  The challenge for healthcare organizations is protecting electronic protected health information (ePHI), including items such as electronic health records, from various internal and external risks.

Comply with Technical Safeguards

The Security Rule requires a covered entity to comply with the Technical Safeguard standards and certain implementation specifications.  A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  The rule is based on several fundamental concepts: flexibility, scalability and technology neutrality.  Therefore, it identifies no specific requirements for the types of technology to implement.

Implementing “The Security Rule”

The Rule allows a covered entity to use any security measures that let it reasonably and appropriately implement the standards and implementation specifications.  Because of this, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.  There are a variety of measures that can assist an organization in meeting these standards.  A more detailed description can be found in the HIPAA Security Series published by HHS.gov.

The Importance of “The Security Rule”

Technical safeguards are important due to technology advancements.  The takeaway is that Technical Safeguards protect PHI.  Most importantly, covered entities and business associates who deal with electronic PHI must review their use of Technical Safeguards to be fully in compliance.

Feel free to contact us for more guidance on this important topic.


New HIPAA Penalties from HHS

Posted on May 13, 2019 in Billing, HIPAA

Direction from HHS on Penalties

New HIPAA Penalties are now available from the Department of Health and Human Services, which published a notice on April 30th.  Of interest, HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA.  Until now, HHS applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation.  This is a reduction in the maximum limit, scaled down based on the level of culpability.  HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA Penalties from HHS.


Four Categories

Based on four categories of culpability, HHS has provided covered entities and business associates with a whole new structure for penalties.  In most cases the amount of the penalty will be significantly less than what we have experienced in the past.

First, for the “no knowledge” category, the minimum penalty is now $100 and the annual limit is $25,000, down from $1.5 million.

Secondly, for “reasonable cause,” the minimum is $1,000 and the annual limit is $100,000, down from $1.5 million.

Next, for “willful neglect” that is corrected, the minimum is $10,000 and the annual limit is $250,000.

Finally, the highest category, “willful neglect” that is not corrected, has a minimum of $50,000 and an annual limit of $1,500,000.

This new guidance significantly changes the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

To read this important notice on the new HIPAA Penalties from HHS, visit the Federal Register.


Encryption of ePHI as a Safeguard

Posted on Feb 27, 2019 in HIPAA, Uncategorized


HIPAA Security Rule

The decision to use encryption of ePHI as a safeguard depends on several factors.  The HIPAA Security Rule allows the transmission of electronic PHI as long as it is safeguarded.  After a careful analysis of its systems, an organization may decide that encryption of ePHI as a safeguard is in its best interest.  The healthcare provider may then decide to use encryption as the means of protecting sensitive ePHI.

The Rule defines the encryption standard as an addressable requirement, which can be confusing.  If encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented.  The entity may determine that it is the best safeguard in its risk management of the confidentiality, integrity and availability of ePHI, and should therefore consider using it in its management of ePHI.  Whatever it decides, the entity must document the decision in its plan.

No Specific Requirements

When HHS enacted the Security Rule, it recognized the rapid advances in technology.  Guidelines tied to specific technologies would have to change regularly, so HHS chose not to require specific safeguards.  It is up to the organization to do a careful risk assessment and, based on it, create the appropriate mechanism to protect ePHI.  Presently, encryption of ePHI is an effective tool and a good safeguard for the safe transmission of email and texts through the cloud.  In many cases it has become the standard for the transmission of sensitive data in healthcare and in the business world.

Alternative to Encryption

A health care provider may determine that encryption isn’t reasonable and appropriate based on its security risk assessment.  It may then implement an alternative measure to protect ePHI, or it may decide to do neither and determine that the standard is otherwise met.  In either case, the provider should document the reasons for its decision.


Permissible Disclosures to Law Enforcement

Posted on Jan 23, 2019 in HIPAA


Disclosures to Law Enforcement

Sometimes it is hard to determine which disclosures to law enforcement are permissible.  HIPAA permits disclosures to law enforcement in certain situations.  It is permissible to disclose if a signed authorization from the patient or their legal representative exists.

When to Respond

The HIPAA Rule permits disclosures when required by law, for example to respond to subpoenas and court orders that meet specific requirements.  Disclosure may also be necessary to investigate a crime, to locate a missing person, and to prevent serious threats to public health and safety.  State law requires reporting of child and adult abuse and neglect, and of certain injuries and diseases.  The law also requires disclosure in response to a law enforcement official’s request for information about a victim or suspected victim of a crime.

State Law

Besides considering federal HIPAA law, review state law, because it may be more protective than HIPAA.  If that is the case, the entity must follow state law.  It is important for your organization to know which disclosures to law enforcement are permissible.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic and HIPAA training for you and your company.  Follow us on Facebook and Twitter.


Permitted Uses and Disclosures of PHI

Posted on Nov 5, 2018 in HIPAA


Sharing Protected Health Information

Permitted uses and disclosures of PHI are possible for a number of different purposes within the healthcare sector.  By following these guidelines, an organization may stay in compliance with HIPAA’s rules and be able to share protected health information. An organization must recognize these rules.  All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines.   The Office for Civil Rights permits the use and disclosure of PHI for treatment, payment and health care operations.

Sharing with Health Care Providers

Keep in mind that HHS wrote HIPAA not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization in order to share their PHI.  For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge.  The sharing may be done electronically, and it must be done in a manner that is compliant with the Security Rule.

Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination.  This has expanded the “permitted uses and disclosures of PHI.”  This activity didn’t exist when HIPAA was written; it is now required by CMS and is part of a treatment plan.  A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization.  This information must be shared with all employees of the organization.

By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI.  One must also realize that there are other ways to safely share PHI without having to obtain permission, for example when there is an order from a court or the disclosure is for law enforcement purposes.

Contact us for more information.
