Important steps for meeting HIPAA compliance.

As most Los Angeles employers were made aware last April, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulation--designed to protect employee protected health information (called PHI)--imposes privacy requirements on covered entities, i.e., your health plans and, by extension, your healthcare business associates and other organizations such as your healthcare insurance carriers. Now, compliance with the final HIPAA regulation--electronic data security--looms ahead on April 20th of this year, and all companies with annual total healthcare spending of $5 million and over must comply. In Los Angeles alone, that means close to 300 businesses will be affected. Companies below that size have a grace period of one additional year.
This final HIPAA regulation covers the security of electronic data and applies to both storage and transmission of "protected health information" by the covered entity or health plan. The final security rule consists of 18 "standards" composed of 42 required "implementation specifications". While the privacy standards essentially say you cannot use or disclose PHI except as authorized by the individual or HHS regulations, the HIPAA data security standards go one step further. The new electronic data standards say that the plan must adopt security safeguards that prevent unauthorized electronic access (e.g., hackers breaking into your health plan's claims records, or uncontrolled viruses affecting emails inappropriately because of inadequate password protection).

The standards fall into three broad categories. Administrative safeguards are the administrative actions, policies, and procedures used to manage the security process. Physical safeguards are the physical methods, procedures, and policies intended to protect electronic protected health information from unauthorized access and from natural and environmental hazards. Technical safeguards include the technology used to protect electronic protected health information, such as password protections.

Some of the most important key requirements that will impact local employers are:

* Conducting a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. Begin by taking the time to identify exactly what "ePHI" you actually 'touch'. The new regulation includes a definition of electronic media and electronic transmission. The "litmus test" to be applied in determining if a transmission is "electronic" is "did the data exist in electronic form before the transmission?" Hence, faxes are not electronic transmissions under HIPAA, although they would be subject to the privacy requirements.

* Assigning a Security Official. A security official responsible for the development and implementation of the required policies and procedures must be identified. This can be the same person as your Privacy Official but will have additional duties.

* Business Associate Agreements. Employers must receive assurance from their business associates that they will safeguard the electronic protected health information they use on behalf of the employer. If you did not create these Agreements for the HIPAA privacy standards, you definitely need to do them now.

* Plan documents. Employers that have access to protected health information in electronic form must amend their plan documents to include provisions relating to security compliance.

* "At home" functions must also comply with this regulation.
An employer's responsibility to safeguard electronic protected health information extends to your entire workforce regardless of location, so physical security and hardware configurations, including firewalls, encryption software and the like, need to be in place if someone is working outside the office or at home and has access to ePHI.

What You Need to Do Now

Planning is critical. Now is the time for employers with health plans over $5 million in revenue to bring plans into compliance with the Data Security regulation by conducting the requisite risk analyses and document reviews, recommending corrective action, and, if requested or needed, assisting IT and data security personnel in creating or modifying existing plans, policies, and procedures. There are a few key steps that must be taken before April 20, 2005:

Step 1--Assessment: Begin by conducting an analysis of the data security risks that need to be addressed. At that point, you also need to identify a Security Official.

Step 2--Inventory: Next, inventory and analyze existing policies and procedures, merging the results of the assessment above with the HIPAA requirements to determine the corrective actions necessary.

Step 3--Remediation: After your inventory, apply any necessary corrections to the processes and procedures, filling in any gaps and ensuring that they bring the plans into compliance. Some of the remediation efforts may be interleaved with the inventory/review phase, but in any event they must be completed by April 20, 2005.

Step 4--Training: A key requirement of the data security regulation is ongoing training of staff.

Step 5--Ongoing Review: The data security regulation requires that periodic reviews be made of the compliance status of plans.

A Final Word

The most important thing is to conduct your data security assessment as early as possible, so that any remediation, such as new hardware or software to adequately protect PHI, can be purchased and installed prior to the deadline in April.

This article was provided by AON Consulting.