White paper

The Ultimate HIPAA Primer

The Health Insurance Portability and Accountability Act of 1996 can be confusing and complex. And now, with the U.S. Health and Human Services Department’s Office of Civil Rights (HHS OCR) finalizing its permanent HIPAA Audit Program – set to begin in the fall – it is a good time for organizations to quickly study up on what complying with the mandate means.

Before we get to the crash course, it is important to remember that we are dealing with evolving enforcement. HIPAA was modified by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, and more recently by the HIPAA Omnibus Rule in 2013.

As can be seen in the name, the intent of the original act was to improve health care outcomes and achieve efficiencies by enhancing the “portability” of patient information held by insurance companies. But as technology has played an increasing role in the implementation process, “accountability” for that information has become a much more important aspect. As a result, the security and privacy of patient data now has taken center stage, whereas it was only dimly considered in 1996.

The HHS OCR has performed an initial round of compliance audits already and has made it clear that broader audits are coming this fall, so you need to understand what steps health care entities – and their associates – should take by the time a notification shows up in the mail.

To do so, let’s turn to the age-old exercise used to compile news stories:

The five Ws and one H.

WHO needs to be compliant?

In the broadest terms, anybody who comes into contact with protected health information (PHI) must comply with HIPAA. This obviously includes covered entities, which are those organizations that collect patient information directly in the course of delivering health care. But it also includes business associates, described as any outside vendor that a covered entity shares patient information with, such as a billing provider. Business associates cover a vast range of companies, including many that don’t think of themselves as being in health care at all.

Anytime a covered entity collects, stores, processes, or transmits protected health information, it needs to be aware of the requirements that HIPAA places on it. And anytime it provides that information to an outside business associate, it must ensure that due consideration is taken.

WHAT constitutes PHI?

As defined by HIPAA, the “List of Individually Identifiable Health Information” includes names, locations, ages, telephone numbers, email and home addresses, Social Security numbers, driver’s license numbers, medical record numbers, plus much more.

It’s quite a list, and probably isn’t exhaustive enough. A good way to think of PHI is any data that is related to the delivery of health care services and can be tied to an individual patient. And because protecting that data places a burden on the business that collects the information, many companies have a reflexive mentality to collect and save everything.

But this mindset needs to be reconsidered. Is there a specific legal mandate that requires retention of the individualized data? Will collecting any particular data element enhance the outcome of specific health care delivery? Will retaining it improve the ability of the company to perform more effectively in future interactions with the patient? If careful consideration doesn’t generate a clear “yes” to any of these questions, the best interest of the company is probably not to collect the information in the first place. Remember: If you don’t have it, you don’t have to protect it.

WHEN will a company need to comply with HIPAA?

Of course, the correct answer is since 1996, when HIPAA was enacted. But more nuanced is the question of when an organization will be expected to validate its compliance. As previously mentioned, the HHS OCR has publicly expressed its intent to expand its audit program (see our March 4 blog post, “How to Prepare for the Incoming Wave of HIPAA Audits,” for more details), so that letter could arrive at any time. And it is worth noting that this will be an audit, conducted by HHS OCR personnel, and not an investigation – at least not at first. A company will be expected to provide evidence to support any assertion it wishes to make, and that evidence must be thorough and able to withstand scrutiny. Simply saying, “Yeah, we do that,” will not be enough.

Copyright © 2014 Trustwave Holdings, Inc.

WHERE do you need to protect health information?

The easy answer is everywhere. But that misses the point of the compliance process. A company needs to perform a thorough analysis of its current business activities to see where and how PHI is collected. That goes without saying. But an investigation into historical practices must be conducted as well, and confirmation that business units and even individual employees have been conforming to policy will be expected. Although not explicitly mandated by HIPAA, a well-documented and thorough automated data discovery process gives an organization a defensible position that it has taken reasonable steps to cover all relevant data stores.

WHY do you need to validate compliance?

Based on the number of health care-related data breaches that we see in the headlines, it’s clear that the threat of fines and loss of public reputation has not prevented these incidents. So while putting an organization that has not been breached through the effort of supporting a compliance audit may seem unfair, the belief is that being prepared for such an audit at any time will reduce the risk that the entity will suffer a loss of data.

Does being compliant during an audit mean that your company can’t be compromised? Of course not. There is no such thing as perfect security. But taking a reasonable and consistent approach to data collection and security can significantly reduce the risk of a breach, as well as minimize the severity of any breach that may occur.

HOW does your organization need to protect PHI?

This is a very broad topic, and a complete answer that would cover every possible circumstance likely will never exist. But there are ways to vastly improve one’s security stance. Is the information stored in an electronic form? Then programmatic encryption for newly collected data is a good start, with data discovery that supports either opportunistic encryption or secure deletion for historical data being the necessary next phase. Does the electronic data merely pass through the organization, never being stored? Then protection of your network’s perimeter and enforcement of secure transmission practices will be needed. How about paper records? Voice recordings? Emergencies? It might seem like the list could go on forever, but that really isn’t true. By formalizing an organization’s business practices through documented policies that are created with a focus on data security, you can achieve compliance with HIPAA and deliver the patient experience that your customers expect and deserve.

LEARN MORE AT TRUSTWAVE.COM