Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), administered by the US Department of Health and Human Services, mandates that patients' medical records and other healthcare information be protected against breaches and unauthorized access. Organizations that handle protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. The Health Information Technology for Economic and Clinical Health (HITECH) Act clarified and strengthened HIPAA requirements, especially by raising the financial penalties for non-compliance.

Who must be HIPAA compliant?
Any healthcare organization that stores, processes, or transmits personal health information is considered a covered entity and is required to adhere to the HIPAA Privacy and Security Rules. This includes:

  1. Covered healthcare providers (hospitals, clinics, regional health services, and individual medical practitioners) that conduct certain transactions in electronic form.
  2. Healthcare clearinghouses (such as entities that help healthcare providers and health plans standardize their information).
  3. Health plans (insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authorities, and employers, schools, or universities that collect, store, or transmit protected health information to enroll employees or students in health plans).
  4. Any covered business partners (including private-sector vendors and third-party administrators), which must also adhere to the rules.

Who is responsible for HIPAA compliance?
The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for maintaining and enforcing these standards and may conduct compliance investigations and audits.

HIPAA PRIVACY & SECURITY RULES
Covered entities and business partners are required to comply with the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule defines and limits the circumstances in which an individual's identifiable health information may be used or disclosed by covered entities. This information consists of demographic data such as name, address, birth date, and Social Security Number, together with information that relates to:

  1. The individual's past, present, or future physical or mental health or condition.
  2. The provision of healthcare to the individual.
  3. The past, present, or future payment for the provision of healthcare to the individual.

The Privacy Rule calls this data Protected Health Information (PHI).

However, some data are excluded from PHI, such as employment records that a covered entity maintains in its capacity as an employer, education records, and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

The Privacy Rule is NOT specific to electronic data and applies equally to written records, telephone conversations, and more. It mandates that organizations may only release PHI as explicitly allowed by the Privacy Rule or with the prior written consent of the individual who is the subject of the records. The Privacy Rule also contains various notification and record-keeping requirements intended to ensure that proper records are maintained and that individuals are aware of their rights under HIPAA.

The Security Rule covers the protection of the confidentiality, integrity, and availability of PHI in electronic form (commonly known as ePHI). It specifies the policies, technical measures, and reporting mechanisms that must be in place for all information systems that process, store, or transmit ePHI within and between covered entities.

The Security Rule contains multiple standards (or requirements) and implementation specifications that fall into three categories.

1. Administrative Safeguards (§164.308):

Administrative safeguards are the actions, policies, and procedures that govern the selection, development, implementation, and maintenance of security measures to protect ePHI, and that manage the conduct of the workforce in relation to the protection of that data. This rule covers the following requirements.
  1. Security Management Process: Perform a risk analysis to identify where PHI is used and how HIPAA could be violated, reduce those risks, and apply sanctions to employees who fail to comply.
  2. Workforce Security: Manage employees who work with PHI and ensure PHI is not accessed by parent, partner, or subcontracting organizations that are not authorized.
  3. Security Awareness and Training: Protect against and report malicious software, monitor log-ins, and provide regular training to employees with access to PHI.
  4. Security Incident Procedures: Detect, document, and respond to security incidents.
  5. Contingency Plan: Make backups of all ePHI and establish procedures for the continued protection of ePHI during emergencies.
  6. Evaluation: Evaluate compliance regularly to ensure it persists.
  7. Business Association Agreements and Other Arrangements: Sign agreements with partners ensuring they follow HIPAA.

2. Physical Safeguards (§164.310): This rule covers the following requirements:

Facility Access Controls:

  1. Establish procedures that allow facility access in support of recovering lost data.
  2. Establish policies to safeguard the facility and its equipment from unauthorized physical access, tampering, and theft.
  3. Validate an individual's access to facilities based on their role or function.
  4. Document modifications to the physical components of a facility that are related to security.

Workstation Use: Control the functions and physical attributes of workstations that access ePHI.

Workstation Security: Restrict access to workstations that access ePHI to authorized users only.

Device and Media Controls:

  1. Implement policies for the secure disposal of devices/media storing ePHI.
  2. Implement policies for the secure removal of ePHI before a device/medium can be re-used.
  3. Maintain a record of the movement of devices/media containing ePHI and of any individual responsible for them.
  4. Back up ePHI, when required, before equipment is moved.

3. Technical Safeguards (§164.312): This rule covers the following requirements:

Access Control:

  1. Unique user identification, so that user identity can be established and tracked in electronic records.
  2. Emergency access procedures for obtaining electronic PHI (ePHI) during an emergency.
  3. Automatic logoff that terminates an electronic session after a period of inactivity.
  4. Encryption and decryption of ePHI.

Integrity:

  1. Implement mechanisms to authenticate ePHI, i.e. to confirm it has not been altered or destroyed in an unauthorized manner.
  2. Ensure that a person or entity seeking access to ePHI is the one claimed.
  3. Ensure that electronically transmitted ePHI is encrypted and cannot be improperly modified without detection.
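The integrity requirements above ask for a mechanism that detects unauthorized modification of ePHI, at rest and in transit. The following is an added example (not code from the original page or from Nemasis) of one common way to meet that requirement: a keyed HMAC tag computed over a canonical serialization of the record, which a receiver or storage layer re-computes and compares in constant time. The record contents and the key are constructed for the demonstration; in a real deployment the key would come from a key-management service.

```python
"""Added example: HMAC integrity tag for an ePHI record (constructed data)."""
import hashlib
import hmac
import json

# Constructed demo key; a real system would fetch this from a key-management service.
DEMO_KEY = b"example-integrity-key-not-for-production"

# Constructed sample ePHI record used throughout the demo.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "dob": "1980-01-01",
    "diagnosis": "hypertension",
}


def canonical_bytes(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the tag does not depend on
    # key order or formatting differences between sender and receiver.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = DEMO_KEY) -> dict:
    # Attach an HMAC-SHA256 tag that only holders of the key can produce.
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    # Recompute the tag and compare in constant time to avoid timing leaks.
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> tuple:
    # Returns (verification of the intact record, verification after tampering).
    sealed = seal(SAMPLE_RECORD)
    intact_ok = verify(sealed)
    # Simulate an unauthorized change to one field while keeping the old tag.
    tampered = {"record": dict(sealed["record"], diagnosis="none"), "tag": sealed["tag"]}
    tampered_ok = verify(tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

An HMAC detects modification but does not provide confidentiality; the transmission-security requirement is met by sending the sealed record over an encrypted channel such as TLS, with the tag serving as an additional end-to-end check that survives storage and intermediate processing.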

Consequences of HIPAA violations

| HIPAA violation | Minimum Penalty | Maximum Penalty |
| --- | --- | --- |
| The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the HIPAA violation. | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation was due to reasonable cause and not due to wilful neglect. | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation was due to wilful neglect and was corrected within 30 days of when the covered entity or business partner knew, or should have known, of the violation. | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation was due to wilful neglect and was not corrected within 30 days of when the covered entity or business partner knew, or should have known, of the violation. | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

In the table above:

  1. Reasonable cause is defined by HIPAA as “an act or omission in which a covered entity or business partner knew, or by practicing reasonable diligence would have known, that the act or omission violated, but in which the covered entity or business partner did not act with wilful neglect.”
  2. Wilful neglect means the “conscious, intentional failure, or reckless indifference to the commitment to comply” with HIPAA.

How does Nemasis help achieve HIPAA compliance?

Nemasis is a vulnerability management suite that helps covered entities by assessing their environment for risks across vulnerabilities, configurations, and controls, from the endpoint to the cloud. It prioritizes risks and vulnerabilities for remediation based on available exploits, malware, risk, and asset criticality. It performs a full gap analysis of your workforce's security procedures and physical controls, your device and media handling procedures, and your data integrity controls and procedures, and provides guidance for their implementation.
Nemasis provides the ability to audit password policy configurations, including length, complexity, expiry, and re-use. It adapts to real-time changes in your environment and the threat landscape and performs an immediate risk assessment.

Copyright 2024 MicroWorld Technologies Inc. - Nemasis VMS