The Health Insurance Portability and Accountability Act (HIPAA) gained increasing enforcement with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) act in February of 2009. The Department of Health and Human Services (HHS) Office of Civil Rights Division (OCR) trains the State Attorneys General on how to bring lawsuits against organizations that breach the acts. As technology pushes innovation and growth in the healthcare industry, securing the handling of sensitive data is crucial to the success of healthcare organizations.
HIPAA versus HITECH
In 1996, HIPAA was enacted. HIPAA requires protected health information (PHI) of patients to be protected by “covered entities.” Covered entities include: healthcare providers (including hospitals, nursing homes, clinics, pharmacies, doctors, psychologists, dentists, chiropractors), health plans (including health insurance companies, HMOs, company health plans, Medicare, Medicaid, military/veteran healthcare programs) and healthcare clearinghouses (entities that process nonstandard health information they receive from another entity into a standard, such as standard electronic format or data content, or vice versa). HIPAA also extends to “business associates” (including third-party administrators, pharmacy benefit managers for health plans, claims processing/billing/transcription companies, persons performing legal, accounting and administrative work).
In 2009, the American Recovery and Reinvestment Act (ARRA) was enacted. The ARRA includes a section referred to as HITECH. HITECH promotes the adoption of electronic health records (EHRs) to improve efficiency and lower healthcare costs, expands on required concepts for information security and defines breach violation notification and enforcement actions.
Per HITECH, non-compliance with HIPAA can now be fined up to $1,500,000 per calendar year, per violation. In addition, civil monetary penalties or monetary settlements may be awarded to individuals who have been affected by such data breaches. Periodically the OCR issues enforcement action reports with steep fines for violations.
Our IT Compliance and IT Security expertise assists you in determining whether your entity meets the HIPAA/HITECH requirements, and we perform various of the mandatory services, such as:
- HIPAA Security, Breach and Privacy Rules Gap Analysis and Trainings
- HIPAA Risk Analysis
HIPAA Risk Analysis
Elevate has conducted many Risk Analyses (also known as Risk Assessments) to assess information security risks and ensure HIPAA Security Rule compliance.
We follow the guidance document published by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) entitled “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” as it describes the nine (9) essential elements that a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. The analysis must also be correlated with all applicable State/Federal security rules and regulations, such as the HIPAA Security Risk Analysis requirement defined in the HIPAA Security Final Rule, 45 CFR 164.308(a)(1)(ii)(A).
Additionally, HIPAA Risk Analyses are conducted in accordance with the NIST 800-30 standard recommended by the OCR and the overall guidance of NIST 800-66 Rev 1, Implementation of the HIPAA Security Rule.
The 9 elements for the risk analysis include:
- Scope of the Analysis – all ePHI that the organization creates, receives, maintains, or transmits must be included in the risk analysis.
- Data Collection – Methods for data collection of information assets with ePHI.
- Identify and Document Potential Threats and Vulnerabilities.
- Critical Analysis – Develop a critical analysis of the typical vulnerabilities and the likelihood of threats.
- Assess Current Security Measures.
- Determine the Likelihood of Threat Occurrence.
- Determine the Potential Impact of Threat Occurrence.
- Establish a Threat Matrix.
- Determine the Level of Risk.
- Finalize Documentation and provide meaningful recommendations to appropriately mitigate the risks.
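The nine elements above describe a procedure, and the middle steps (likelihood, impact, threat matrix, risk level) are where most risk analyses go wrong because ratings are not recorded consistently. The following is an added example, not code from Elevate or from the HHS/NIST guidance, that walks one constructed set of ePHI assets through those steps. The three-level Low/Moderate/High scale and the score thresholds are assumptions chosen for illustration in the style of NIST SP 800-30; every asset, threat and rating is constructed sample data.

```python
"""Toy HIPAA risk analysis register that follows the nine-element structure:
scope -> data collection -> threats/vulnerabilities -> current controls ->
likelihood -> impact -> threat matrix -> risk level -> documentation.
All assets, threats and ratings below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: a three-level qualitative scale, as in NIST SP 800-30 style assessments.
LEVELS: Dict[str, int] = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Asset:
    """An information asset discovered during data collection (elements 1-2)."""
    name: str
    holds_ephi: bool   # only ePHI assets are in scope for the HIPAA risk analysis
    location: str


@dataclass(frozen=True)
class ThreatScenario:
    """One threat/vulnerability pair against an asset, with its ratings (elements 3-6)."""
    asset: Asset
    threat: str
    vulnerability: str
    current_controls: Tuple[str, ...]
    likelihood: str      # key of LEVELS
    impact: str          # key of LEVELS
    recommendation: str  # element 9: mitigation to document


def in_scope(assets: List[Asset]) -> List[Asset]:
    """Element 1: everything that creates, receives, maintains or transmits ePHI."""
    return [a for a in assets if a.holds_ephi]


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric score = likelihood x impact, range 1..9 on the assumed scale."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Element 8: map the score to a level (thresholds are an assumption)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def threat_matrix(scenarios: List[ThreatScenario]) -> Dict[Tuple[str, str], List[str]]:
    """Element 7: likelihood x impact grid listing which in-scope scenarios land in each cell."""
    matrix: Dict[Tuple[str, str], List[str]] = {(l, i): [] for l in LEVELS for i in LEVELS}
    for s in scenarios:
        if s.asset.holds_ephi:
            matrix[(s.likelihood, s.impact)].append(f"{s.asset.name}: {s.threat}")
    return matrix


def build_register(scenarios: List[ThreatScenario]) -> List[dict]:
    """Element 9: the documented register, highest risk first, out-of-scope assets dropped."""
    rows = []
    for s in scenarios:
        if not s.asset.holds_ephi:
            continue
        rows.append({
            "asset": s.asset.name, "threat": s.threat, "vulnerability": s.vulnerability,
            "controls": list(s.current_controls), "likelihood": s.likelihood,
            "impact": s.impact, "score": risk_score(s.likelihood, s.impact),
            "level": risk_level(s.likelihood, s.impact), "recommendation": s.recommendation,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample inventory (not real systems).
EHR_DB = Asset("EHR database", True, "on-premises data centre")
LAPTOP = Asset("Billing laptop", True, "mobile, staff-assigned")
BACKUPS = Asset("Backup tapes", True, "offsite vendor storage")
WEBSITE = Asset("Marketing website", False, "hosted, no patient data")

SCENARIOS: List[ThreatScenario] = [
    ThreatScenario(EHR_DB, "exploitation of unpatched server", "90-day patch cadence",
                   ("perimeter firewall", "intrusion detection"), "Moderate", "High",
                   "move to 30-day patch cadence; add vulnerability scanning"),
    ThreatScenario(LAPTOP, "loss or theft", "no full-disk encryption",
                   ("login password",), "High", "High",
                   "enforce full-disk encryption and remote wipe before issuing devices"),
    ThreatScenario(BACKUPS, "improper disposal by vendor", "disposal not covered in contract",
                   ("business associate agreement",), "Low", "High",
                   "add media sanitisation terms and request certificates of destruction"),
    ThreatScenario(WEBSITE, "defacement", "outdated CMS plugin", (), "High", "Low",
                   "out of HIPAA scope; track under general IT risk"),
]

if __name__ == "__main__":
    for row in build_register(SCENARIOS):
        print(f'{row["level"]:8} {row["score"]}  {row["asset"]}: {row["threat"]} -> {row["recommendation"]}')
```

The register deliberately keeps the raw likelihood and impact ratings next to the derived level, so a reviewer can see why a finding was rated High rather than only that it was; the out-of-scope website is excluded from the HIPAA register but still carried as a scenario, which is the usual way to show an auditor that scoping was a decision rather than an omission.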
Our consultants and thought leaders have many years of experience in the healthcare, cloud and IT industries and work effectively with our clients in achieving their risk management and compliance objectives.