The HIPAA Security Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most Covered Entities (CEs) had two full years – until April 21, 2005 – to comply with these standards. Many CEs, including providers, are still not in compliance. As a result, the 2009 HITECH Act increased the penalties for non-compliance with the HIPAA rules. The more recent HIPAA Omnibus Final Rule expanded the notification requirements and the penalties that providers are liable for in connection with PHI (Protected Health Information) breaches, and extended HIPAA coverage so that it also applies to Business Associates (BAs).
Covered entities (CEs) are defined in the HIPAA rules as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. Hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
Health Plan – With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many types of organizations and government programs as health plans.
Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that either processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receives a standard transaction from another entity and processes or facilitates the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
Health Care Provider – A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health Care – Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
HITECH Act of 2009
The HITECH Act of 2009 anticipated an expansion in the exchange of electronic protected health information (ePHI) between doctors, hospitals and other entities that store ePHI, with the aim of cutting the cost of healthcare through sharing. The HITECH Act expanded the scope of the privacy and security protections available under the HIPAA Security Rule, increased the potential legal liability for non-compliance, and provided for more stringent enforcement.
Technology has allowed for great advances in productivity and business systems, but when working with, storing or transporting people’s personal information, safeguards must be in place to prevent the theft, unintended exposure and loss of the personal information of clients and/or patients. The law requires that medical practices, businesses and organizations that work with patients’ personal information have safeguards in place to protect that information.
What is the HIPAA Security Rule intended to protect?
The HIPAA Security Rule applies to protected patient health information in electronic form, that is, patient information that is transmitted by electronic media or maintained on electronic media. The HIPAA data storage rules are meant to do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the “Covered Entity” creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of information that are not permitted or required under subpart E of this part
- Ensure HIPAA compliance with this subpart by its workforce
What the HIPAA Security Rule means to you as a Covered Entity (CE):
- It’s not optional: All CEs, including medical practices, must securely back up “retrievable exact copies of electronic protected health information”.
- Your data must be recoverable: You must be able to fully “restore any loss of data”.
- You must get your data offsite: As required by the HIPAA Security Final Rule, your data must be kept in secure offsite storage.
- You must back up your data frequently: As required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event.
- Safeguards must continue in recovery mode: The same set of security requirements that applies under normal business operations must also apply during emergency mode.
- Encrypt or Destroy: HITECH says to encrypt or destroy data at rest to secure it. The HIPAA Security Rule says that data being transmitted must be encrypted. Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
- You must have written procedures related to your data backup and recovery plan: Policies and procedures and documentation are a huge part of the HIPAA Security Final Rule.
- You must test your recovery: A backup is useless if your recovery fails, so the law requires that you “Implement procedures for periodic testing and revision of contingency plans.” (CFR 164.308(7)(ii)(D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.
- Non-compliance penalties are severe: Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
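The “test your recovery” requirement above is the one most often satisfied on paper only. The following script is an added example (not code from the original page or from VBS) of what an automated restore test can look like: it backs up a constructed sample directory into a tar archive together with a SHA-256 manifest protected by an HMAC, restores that archive into a fresh directory, and then checks every restored file against the manifest, so a silently corrupted or missing file is reported rather than discovered during a real emergency. The sample files, the archive layout and the manifest key are all invented for the example; the HMAC key would come from a key manager in practice, and encryption of the archive at rest (the “Encrypt or Destroy” item) is assumed to be handled by the backup tool and is not shown here.

```python
"""Automated restore test for a file-level backup (added example, standard library only)."""
import hashlib
import hmac
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "practice data"; the contents are invented and contain no real PHI.
SAMPLE_FILES = {
    "records/patient_0001.json": b'{"id": 1, "note": "constructed sample, not real PHI"}',
    "records/patient_0002.json": b'{"id": 2, "note": "constructed sample, not real PHI"}',
    "schedule/2024-01-15.csv": b"time,room\n09:00,A\n09:30,B\n",
}

# Hypothetical manifest-signing key. In a real deployment this comes from a key
# manager, never from source code; it is hard-coded here only to keep the example runnable.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict) -> str:
    """HMAC over the canonical JSON form, so a tampered manifest cannot vouch for tampered data."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def create_backup(source: Path) -> bytes:
    """Produce an in-memory gzip tar archive of source plus the signed manifest."""
    manifest = build_manifest(source)
    meta = json.dumps({"manifest": manifest, "mac": sign_manifest(manifest)}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(source, arcname="data")
        info = tarfile.TarInfo("manifest.json")
        info.size = len(meta)
        tar.addfile(info, io.BytesIO(meta))
    return buf.getvalue()


def restore_archive(archive: bytes, target: Path) -> None:
    """Extract into target, refusing member paths that could escape the target directory."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target)


def verify_restore(target: Path) -> dict:
    """Compare every restored file against the signed manifest and return a report."""
    meta = json.loads((target / "manifest.json").read_bytes())
    manifest = meta["manifest"]
    report = {"manifest_ok": hmac.compare_digest(sign_manifest(manifest), meta["mac"]),
              "verified": 0, "missing": [], "corrupt": []}
    restored_root = target / "data"
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupt"].append(rel)
        else:
            report["verified"] += 1
    report["restore_ok"] = (report["manifest_ok"]
                            and not report["missing"] and not report["corrupt"])
    return report


def run_restore_test(corrupt_file: str = "") -> dict:
    """Full cycle: stage sample data, back it up, restore it, verify. Optionally damage one
    restored file first to show that the check catches a restore that only looks successful."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        archive = create_backup(src)
        dest = Path(tmp) / "restore"
        dest.mkdir()
        restore_archive(archive, dest)
        if corrupt_file:
            # Simulate silent media damage or a partial restore of one file.
            (dest / "data" / corrupt_file).write_bytes(b"\x00damaged\x00")
        return verify_restore(dest)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(corrupt_file="records/patient_0002.json"))
```

Run on a schedule, a report with `restore_ok` false (or a missing `manifest.json`) is the signal that the contingency plan needs revision; the report is also the documentation auditors ask for when they check that periodic testing actually happens.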
Unfortunately, many practices that are CEs are not meeting these HIPAA Security Rule requirements. That is a serious problem: lost or compromised data can lead to large fines and possible lawsuits. While many practices have been meeting these requirements with manual methods, security auditors are increasingly focused on finding flaws in manual backup processes that put you at risk of failing to protect patient data and of being unable to fully restore it if you ever need to.
It is necessary to implement a more secure and foolproof solution if you are NOT in compliance with these government rules.
How do VBS cloud-based data backup solutions help your practice?
- Allows practices to help meet strict Meaningful Use Security Audit measures and HIPAA Security Final Rule requirements
- Ensures your practice can continue operations if there is a local disaster
- Frees up your administrative and IT staff from making, checking, transporting and storing tape backups