Healthcare News: Under The New HIPAA Rule, What is ePHI (electronic protected health information)?

Published on June 2016

For Hospitals: the HIPAA Rule(s) relating to ePHI (electronic protected health information) just got broader, and the penalties are are a lot stronger


Healthcare Information: Under The HIPAA Rule, What is ePHI (electronic protected health information)?
By: Dennis Stewart, Streamline Savings

Hospitals and other healthcare-related entities that are subject to HIPAA regulations must also meet requirements that arise from the technology they use to handle patient data. According to the US Department of Health and Human Services (HHS), electronic protected health information (ePHI) is defined very broadly: it is any protected health information (PHI) that is created, stored, transmitted, or received electronically. All protected health information is subject to federal Health Insurance Portability and Accountability Act (HIPAA) regulation; PHI is any information that identifies an individual (usually a patient) and relates to at least one of the following:

- The individual's past, present, or future physical or mental health
- The provision of health care to the individual
- Past, present, or future payment for health care

Information that can identify an individual includes either the individual's name or any other information that could enable someone to determine the individual's identity. Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:

- Name
- Address
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- FAX number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- IP address
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual


In research, it is often sufficient to make the information more general, rather than remove it altogether, for de-identification (e.g., by replacing the birth date with an age range).

Electronic protected health information (ePHI) includes any medium used to store, transmit, or receive PHI electronically. The following, and any future technologies used for accessing, transmitting, or receiving PHI electronically, are covered by the HIPAA Security Rule:

- Media containing data at rest (storage)
  o Personal computers with their internal hard drives used at work, at home, or while traveling
  o External portable hard drives, including iPods and similar devices
  o Magnetic tape
  o Removable storage devices, such as USB memory sticks, CDs, DVDs, and floppy disks
  o PDAs and smartphones
- Data in transit, via wireless, Ethernet, modem, DSL, or cable network connections
  o Email
  o File transfer
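The de-identification approach described above (remove direct identifiers, keep only the year of dates, replace a birth date with an age range, and treat an exact age over 89 as identifying) can be turned into a repeatable check rather than a manual review. The following script is an added example written for this page, not code from the author or from HHS. The field names, the constructed sample record, and the reference date used to compute age are all assumptions made here; the identifier categories it enforces are the ones listed above.

```python
from datetime import date

# Constructed sample record; every value here is made up for the example
# and follows the assumed field names used below.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "1 Example St, Anytown",
    "birth_date": "1931-05-14",
    "admission_date": "2012-06-03",
    "discharge_date": "2012-06-09",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "device_serial": "SN-0001",
    "ip_address": "192.0.2.10",
    "diagnosis": "hypertension",
    "prescription": "lisinopril 10 mg",
}

# Assumed field names that hold one of the direct identifiers listed on the page
# (name, address, phone, fax, email, SSN, record/plan/account/license numbers,
# vehicle and device serials, URL, IP address, biometrics, photographs).
# These fields are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_serial", "device_serial", "url",
    "ip_address", "biometric", "photo",
}

# Date fields keep only the year; the birth date is generalised to an age range instead.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}


def age_on(birth_date: str, reference_date: date) -> int:
    """Whole years between an ISO-format birth date and the reference date."""
    born = date.fromisoformat(birth_date)
    age = reference_date.year - born.year
    if (reference_date.month, reference_date.day) < (born.month, born.day):
        age -= 1  # birthday not yet reached in the reference year
    return age


def age_range(age: int) -> str:
    """Ten-year bucket. Ages over 89 collapse into a single bucket because an
    exact age over 89 is itself an identifier on the page's list."""
    if age > 89:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict, reference_date: date) -> dict:
    """Return a copy of the record with identifiers removed or generalised."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the direct identifier entirely
        if field == "birth_date":
            out["age_range"] = age_range(age_on(value, reference_date))
        elif field in DATE_FIELDS:
            out[field] = value[:4]  # keep the year only
        else:
            out[field] = value  # clinical content is retained
    return out


def remaining_identifiers(record: dict) -> list:
    """Verification step: list identifier-bearing fields still present in a record,
    so a release pipeline can refuse to export anything this returns non-empty for."""
    leftovers = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS or f == "birth_date"]
    leftovers += [f for f in DATE_FIELDS if f in record and len(record[f]) > 4]
    return sorted(leftovers)


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, date(2012, 6, 3))
    print(cleaned)
    print("remaining identifiers:", remaining_identifiers(cleaned))
```

The reference date is passed in explicitly so that the age computation is deterministic and auditable; using "today" would make the same record produce different output over time. The `remaining_identifiers` check is the part worth wiring into an export path: it turns the identifier list into a gate that fails closed.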

ENFORCEMENT PENALTIES: Hospitals and other health care facilities need to consider recent enforcement penalties for HIPAA violations. HHS takes seriously any failure to take the necessary steps to comply with the requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices, and implementing security measures sufficient to ensure the confidentiality of ePHI. ALL health care providers and other HIPAA-covered entities need to adhere to the ePHI standards; the recent settlements are the latest signal of the scrutiny HHS applies to health care providers and other covered entities. HHS is looking at all reported failures to adequately implement and administer appropriate HIPAA compliance practices, including those for ePHI. Under the New Rule just adopted, both the scope of the Rule and the enforcement powers of HHS have been expanded: http://www.scribd.com/doc/120966374/HHS-Issues-New-HIPAA-Rule-Which-Protects-Patient-PrivacySecures-Health-Information


Enforcement Examples:
Recently a group in Massachusetts paid HHS $1.5 million to settle potential HIPAA violations which included ePHI. The Resolution Agreement settled charges that resulted from an OCR investigation commenced in response to a HIPAA breach report confirming the theft of an unencrypted personal laptop containing the ePHI of the group's patients and research subjects. The laptop information included patient prescriptions and clinical information. Included in the resolution was an agreement to take a series of corrective actions to bring its handling of ePHI into compliance with the Security Rule.

In June 2012, the Alaska Department of Health and Social Services (DHSS) agreed to pay HHS $1,700,000 to settle similar HIPAA violations. Alaska DHSS also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI, and that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

Blue Cross Blue Shield of Tennessee (BCBST) recently paid $1,500,000 to resolve charges of HIPAA violations. "The case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules," said Leon Rodriguez, director of OCR. "We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."


What exactly is required? The bottom line is that HHS is going to require hospitals and all other covered entities to assess the risk to the confidentiality of ePHI maintained on portable devices, and to implement security measures sufficient to ensure the confidentiality of all ePHI that is created, maintained, and transmitted using these portable devices. This will require adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. Larger organizations need to pay particular attention because of the number of possible or potential violators. This will require annually reviewing, revising, and maintaining policies and procedures to ensure compliance with the Security Rule, and possibly retaining an independent monitor to conduct assessments. The New Rule has expanded both the number of covered entities and the enforcement power of HHS: http://www.scribd.com/doc/120966374/HHS-Issues-New-HIPAA-Rule-Which-ProtectsPatient-Privacy-Secures-Health-Information

NOTE: The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. As under the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities. Some of the provisions are as follows:

§ 164.302 Applicability.
A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information of a covered entity.

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

§ 164.308 Administrative safeguards.
(a) A covered entity or business associate must, in accordance with § 164.306:
(1) * * *
(ii) * * *
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

For information on The New HIPAA Rule, please visit: http://www.scribd.com/doc/120966374/HHS-Issues-New-HIPAA-Rule-Which-Protects-Patient-PrivacySecures-Health-Information

The entire new Rule may be viewed at: https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

HHS is serious about HIPAA / ePHI violations: http://www.scribd.com/doc/108466453/Hospital-CEO-News-HHS-is-Serious-About-Electronic-ProtectedHealth-Information-ePHI-HIPAA-VIOLATIONS

By: Dennis Stewart, Streamline Savings, LLC
Please direct comments or questions to: [email protected]
www.linkedin.com/in/dennisstewart1
