04-11-19 | References
HIPAA is the Health Insurance Portability and Accountability Act of 1996. Among other things, it specifies rules for the protection and use of Protected Health Information (PHI): individually identifiable health information, which is essentially your medical record together with the identifying and billing details attached to it.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in order to update the HIPAA rules and to provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records were now in digital form and, as a result, needed new rules for protection and availability; it also applied the Security Rule obligations directly to business associates and added the breach notification requirements.
HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).
There are three things that HIPAA requires:
HIPAA was intended to ease the sharing of Protected Health Information (PHI) between entities that have a need to know, while maintaining an acceptable and reasonable level of privacy for the individual whose information is at stake.
HITECH was intended to fund and define sharing rules for Electronic Medical Records (EMR) to further their use in hopes of curtailing growing health care costs.
The Acts are administered by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). It is the OCR that has the authority to enforce, audit, fine and charge companies and individuals for violations of the Act. OCR interprets the law in the Act and writes the rules and regulations.
The rules and regulations are documented in the Code of Federal Regulations (CFR). Title 45, Parts 160 and 164 of the CFR are the two that contain the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. When someone says they adhere to HIPAA rules, it means they adhere to the sections in those Parts. For example, one of the sections says:
§ 164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
We are then required to do precisely what it says—prevent, detect, contain and correct security violations. At Otava, we have such a written policy and in that documented policy we reference this paragraph number. Note that these rules say nothing about how you achieve these objectives—that is what we decide and document in our policies.
What do the rules say Otava must do (and not do)?
They do not specify any particular technology platform or design, just that you must secure the data. The Security Rule's safeguards are written as standards with "required" and "addressable" implementation specifications: a required specification must be implemented as written, and an addressable one must be implemented or, if it is not reasonable and appropriate in your environment, you must document why and what you do instead. There are also industry best practices that OCR assumes you would use; ignoring them would likely be considered negligent.
We do NOT access client data. We never open a file on a client’s server or look in their database. Our backup and restore process takes a file directly from the server and during restore the file is written directly back to the server. Our operations staff does not have access to the file.
Everyone in the company is trained in the policies that support our HIPAA compliance. This training was added to the annual security training we already conduct.
Otava meets all of the HIPAA requirements, including the administrative (164.308), physical (164.310) and technical (164.312) safeguards of the Security Rule.
The penalties for violating HIPAA rules are severe. Civil money penalties range from $100 to $50,000 per violation (OCR often counts each affected record as a separate violation), up to a maximum of $1,500,000 per year for violations of the same provision; these are the 2009 HITECH figures, which HHS now adjusts for inflation. Separately, knowingly obtaining or disclosing PHI is a federal crime under 42 U.S.C. 1320d-6, with fines and up to 10 years in prison. Note that penalties do not depend on a large breach having occurred: any violation of the Privacy or Security Rule can be penalized. The 500-record figure that is usually quoted comes from the Breach Notification Rule instead. A breach of unsecured (that is, unencrypted) PHI or ePHI must be reported to the affected individuals within 60 days of discovery; if it affects 500 or more individuals it must also be reported to HHS at the same time and to prominent media outlets in the affected state, while smaller breaches are logged and reported to HHS annually.
This is serious stuff.
The civil fines are broken down by culpability into 4 tiers (45 CFR 160.404), the lower two of which fall under "Reasonable Cause" and the upper two under "Willful Neglect".
Reasonable Cause: did not know and could not reasonably have known, $100 to $50,000 per violation; reasonable cause but not willful neglect, $1,000 to $50,000 per violation. Neither involves jail time.
Willful Neglect: corrected within 30 days of discovery, $10,000 to $50,000 per violation; not corrected, $50,000 per violation. The civil tiers never carry jail time by themselves; criminal charges are brought only under the separate criminal statute for knowing violations.
Otava passed the HIPAA audit with 100% compliance against the latest OCR HIPAA Audit Protocol. Our HIPAA hosting and HIPAA compliant data centers provide physical, logical, network and infrastructure security you need to meet HIPAA standards.
Yes, an NDA (non-disclosure agreement) is required.
Neither HIPAA nor HITECH calls for specific technical measures to assure that data is available, accurate and secure. However, to clients who are going to be audited or are required to pass a HIPAA audit, we recommend many of the same procedures and technologies that we deploy for ourselves and for which we have had a HIPAA audit. This includes:
No. The client still has to go through an audit to check their own processes and procedures.
We sign a BAA and our policies and procedures have been audited for HIPAA compliance. If you follow our rules and sign our BAA, you should be as compliant as you were before. Any competitor who is not HIPAA compliant cannot make that statement.
Clients reduce their auditing costs because we have a BAA that their auditor can review rather than having to audit us as well.
No. Encryption is not required but it is strongly suggested. Under the Security Rule, encryption of ePHI at rest (164.312(a)(2)(iv)) and in transit (164.312(e)(2)(ii)) is an "addressable" implementation specification: you must either implement it or document why it is not reasonable and appropriate for you and what you do instead. Why encrypt anyway? Under the Breach Notification Rule, PHI that is lost or disclosed in encrypted form is not "unsecured PHI", so the loss does not count as a reportable breach, provided the decryption key was not compromised along with it. To qualify, the encryption must follow the HHS guidance, which points to NIST publications (SP 800-111 for data at rest; SP 800-52, 800-77 and 800-113 for data in transit), with AES as specified in FIPS 197 being the usual cipher. So while you don't have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transit, and to keep the keys somewhere other than the server that holds the ciphertext.
Encryption requires decryption prior to use, which costs CPU time and complicates searching and indexing, so you can't just encrypt everything on the server. The best tools and methods depend on the application, operating system and usage patterns: full-disk or volume encryption protects against lost or stolen media but not against an attacker on a running host, database or column-level encryption protects the sensitive fields even while the host is up, and TLS protects data between systems.
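As an added illustration (this is example code written for this page, not Otava's code or anything the page's compliance statements describe), the following Go program shows column-level encryption of a constructed medical record with AES-256-GCM from the Go standard library. The identifying and clinical fields are encrypted into a single ciphertext, an opaque record ID stays in clear so the row can still be indexed, and that ID is bound to the ciphertext as authenticated data so a ciphertext copied onto another row is rejected. Key storage is out of scope: the key is generated in memory here, whereas in practice it would come from a key management service kept apart from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PHIRecord is a constructed sample record. Name, DOB and Diagnosis are PHI;
// RecordID is an opaque surrogate key, not PHI, and is the only field stored in clear.
type PHIRecord struct {
	RecordID  string `json:"-"` // never part of the encrypted payload
	Name      string `json:"name"`
	DOB       string `json:"dob"`
	Diagnosis string `json:"diagnosis"`
}

// StoredRow is what would be written to the database: clear index key plus one
// AES-256-GCM ciphertext with the 12-byte nonce prepended.
type StoredRow struct {
	RecordID   string
	Ciphertext []byte
}

// NewKey returns a random 256-bit AES key. In a real deployment the key lives in
// a KMS or HSM, not on the database host: the breach-notification safe harbor for
// encrypted PHI only holds if the key was not exposed along with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // a 16- or 24-byte key would silently select AES-128/192
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the PHI fields of rec under key. RecordID is bound to the
// ciphertext as additional authenticated data, so a ciphertext copied onto
// another row will not decrypt even under the same key.
func Seal(key []byte, rec PHIRecord) (StoredRow, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredRow{}, err
	}
	plaintext, _ := json.Marshal(rec) // RecordID excluded by its json:"-" tag; cannot fail for string fields
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return StoredRow{}, err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(rec.RecordID))
	return StoredRow{RecordID: rec.RecordID, Ciphertext: ct}, nil
}

// Open reverses Seal. It fails closed if the nonce, ciphertext, tag or RecordID
// was altered, or if the wrong key is supplied, rather than returning garbage.
func Open(key []byte, row StoredRow) (PHIRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return PHIRecord{}, err
	}
	ns := aead.NonceSize()
	if len(row.Ciphertext) < ns+aead.Overhead() {
		return PHIRecord{}, errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, row.Ciphertext[:ns], row.Ciphertext[ns:], []byte(row.RecordID))
	if err != nil {
		return PHIRecord{}, fmt.Errorf("decrypt %s: %w", row.RecordID, err)
	}
	var rec PHIRecord
	if err := json.Unmarshal(pt, &rec); err != nil {
		return PHIRecord{}, err
	}
	rec.RecordID = row.RecordID
	return rec, nil
}

func main() {
	key, _ := NewKey()
	rec := PHIRecord{RecordID: "r-1001", Name: "Jane Example", DOB: "1980-02-14", Diagnosis: "J18.9"}
	row, _ := Seal(key, rec)
	fmt.Printf("stored row: id=%s ciphertext=%x\n", row.RecordID, row.Ciphertext)
	back, err := Open(key, row)
	fmt.Printf("restored: %+v err=%v\n", back, err)
	// Flip one byte of the GCM tag: the row is rejected, not silently corrupted.
	tampered := StoredRow{RecordID: row.RecordID, Ciphertext: append([]byte(nil), row.Ciphertext...)}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered row:", err)
}
```

This covers data at rest only; data in transit between the application and the database, or between systems, is still protected by TLS. The nonce is generated fresh per record and stored with the ciphertext, which is what keeps two records with identical contents from producing identical ciphertexts.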
There are three types of parties described in the statute. The first is the patient (the "individual" in the regulations). That's easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). A CE is a health care provider that transmits claims electronically, a health plan, or a health care clearinghouse; it delivers or pays for care and has the most trusted access to the information. A hospital or an insurance company is a CE.
A BA is a company that a CE uses for services and that needs access to the PHI of the CE's patients to perform some level of service. A traditional BA is a bill processing company that sends medical invoices and processes payments. It has and needs access to the patient information (name, address) and the medical record (diagnosis code, charge, etc.) to perform the work for the CE.
Since the 2013 HIPAA Omnibus Rule took effect, cloud service providers and other hosting providers that store or transmit PHI are considered BAs.
It's becoming accepted in our industry: even though we have no need to access PHI, the healthcare market is demanding that hosting and managed service providers sign a Business Associate Agreement.
We are a BA because the statute defines us as one. It is our attorney's belief that we could make the case that we are not one because we do not, in the normal course of operation, need any access to PHI to perform any of our contracted work. Note, however, that HHS's 2016 guidance on cloud computing states that a provider which stores ePHI is a BA even if the data is encrypted and the provider never holds the key.
So, we're a BA to a CE. For example, one of our clients is a hospital, so it is a CE. It is required to have a specific agreement with us called a Business Associate Agreement (BAA) because we could have access to, or affect the availability of, the PHI on its servers in our data center.
The Business Associate Agreement is a 3-page document that clients with PHI in our data center will need to sign. It defines what we are permitted to do with the information on their servers (even though we don't need to access it) and codifies our commitment to follow the rules: to apply the Security Rule safeguards, to report security incidents and breaches to the client, to flow the same obligations down to any subcontractor, and to return or destroy PHI when the engagement ends (the contents a BAA must have under 45 CFR 164.504(e)).
Whenever a client is storing, processing or transmitting protected health information (PHI) from Otava’s data centers.
No, no NDA (non-disclosure agreement) is required.
Still have questions? Contact us to learn more.