What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (commonly known as HIPAA) was enacted in 1996. Through this act, the Secretary of the U.S. Department of Health and Human Services (HHS) was empowered to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published two sets of rules commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or what is known as the Standards for Privacy of Individually Identifiable Health Information, establishes a standard for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (or the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations must put in place to secure an individual's "electronic protected health information" (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Ensure Compliance While Detecting and Remediating Advanced Attacks
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to manage health records, pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Which Applications are Involved in Becoming HIPAA Compliant?
Today, healthcare providers are using numerous clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), as well as radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks inherent to a broader attack surface.
The goal of the Security Rule, and of HIPAA compliance in general, is to protect the privacy of individuals' health care information while also allowing covered entities to adopt new technologies that improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so that a covered entity can implement policies, procedures, and technologies appropriate to its particular size, organizational structure, and the risks to consumers' e-PHI.
How Is HIPAA Compliance Enforced?
The Office for Civil Rights (OCR) is responsible for enforcing HIPAA Compliance as it pertains to the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.
OCR may only take action on certain complaints. See What OCR Considers During Intake and Review of a Complaint for a description of the types of cases in which OCR cannot take an enforcement action.
If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.
OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.
If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.
How can Promisec help with HIPAA Compliance?
Adding to the functionality of bespoke HIPAA compliance software, Promisec can help customers implement controls and policies for the HIPAA standard as outlined below:
| HIPAA Req | Description | Promisec Endpoint Manager | Other EDR Solutions | SIEM |
|---|---|---|---|---|
Promisec support for HIPAA Requirement 164.308
Promisec support for HIPAA requirement 164.310
Promisec support for HIPAA requirement 164.312
ADVANCED USE CASE SUPPORT
A UNIVERSITY HEALTH SCIENCES CENTER