Thursday, August 1, 2013

How does HIPAA Affect your California Business?

On March 26, 2013, rule changes under the recent HIPAA (Health Insurance Portability and Accountability Act) legislation came into effect which mean that "business associates" of covered entities (health plans or health care providers) are directly liable for compliance with the HIPAA privacy and security rules. "Business associates" [which generally are those businesses that use or have access to Protected Health Information (PHI) from covered entities] must comply with these changes by September 23, 2013 or face criminal and severe civil penalties. Businesses which may unknowingly also be subject to these rules include accounting firms, law firms, investigators, independent adjusters, auditors, data storage companies, copy services and information service providers, amongst others.

To avoid any penalties for yourself or your business, it is important to comply by implementing safeguards which allow only the minimum number of people necessary to access PHI, and by making the mandatory disclosures, including at times to the media, whenever the privacy of PHI has been jeopardized.

What Measures Should You Put into Place to Ensure Compliance?

It is important that businesses adopt policies and procedures to limit access to only those job roles which require PHI access, while also ensuring that security measures are strictly adhered to, including locking filing cabinets and protecting files with multiple passwords. Businesses must follow the administrative safeguards put in place to protect privacy, and must further identify and analyze any potential risks to PHI so as to reduce the risk of a breach of privacy to an acceptable level.

To assist in performing periodic assessments of their security policies and ensuring compliance with the security rules, businesses should also designate a security official to be in charge of developing and enforcing all security policies. Along with this, businesses must appropriately supervise those members of their workforce who have access to PHI and must train all members in regards to their security policies and procedures. Any workers who violate the security procedures should be subject to sanctions.

Furthermore, businesses must sign written contracts with outside vendors (including copy services and storage facilities) ensuring compliance with HIPAA's security rules before those vendors have any access to PHI.

Aside from administrative safeguards, businesses must also comply with HIPAA's physical safeguards. As mentioned earlier, businesses must limit physical access to their facilities while ensuring that authorized access is permitted. They must also ensure that security procedures are followed to protect PHI in regards to the transfer, removal, disposal and re-use of electronic media. PHI must not be improperly altered or destroyed; however, PHI must be removed from any electronic media before it is returned or re-used, and all electronic PHI, including policies, procedures and workforce training, must be securely destroyed if it is to be disposed of. Any paper records of PHI must be shredded or otherwise destroyed so as to be unrecoverable.

Businesses must also ensure that no unauthorized access to their electronic communication networks is permitted, by protecting all computers, servers and smartphones against hacking and theft to an appropriate level. It is recommended to keep access logs to track any access made to PHI.

Under the recent changes, if a security breach (including any unauthorized use or disclosure of unsecured PHI) does occur, businesses must provide notice of the breach. Businesses must conduct a risk assessment of the breach, identifying the extent to which the PHI has been exposed, the persons involved and the reasons for the breach. Affected individuals must be notified without unreasonable delay and, in any case, no later than 60 days after discovery of the breach. If a breach has affected more than 500 residents of a state or smaller jurisdiction, the entity or business associate must also alert the press. If over 500 people have been affected, regardless of location, a notice must be issued to the Department of Health and Human Services. In all cases, the burden is on the business to show (using documentation where necessary) that all notifications have been given, or alternatively to prove that an impermissible use did not constitute a breach. Businesses must be able to detect and respond to any potential breach and, if one occurs, must conduct staff training to prevent a recurrence.

It is important to adhere to these rules as the penalties are high. In addition to possible criminal charges, penalties range from $100 to $50,000 for minor violations, while a violation based on willful neglect that is not corrected carries a penalty of no less than $50,000 per violation. Businesses can be fined a maximum of $1,500,000 per violation per calendar year. HIPAA compliance is important to ensure you do not fall afoul of the law. If your access to or use of PHI may classify you as a business associate, it is important that you develop and adhere to established procedures in regards to PHI before the September deadline.
