With the addition of HITECH, State Attorneys General gained the ability to pursue civil and criminal enforcement of HIPAA violations. Through the Department of Health and Human Services (HHS), the Office of Civil Rights Division (OCR) trains the State Attorneys General on how to bring lawsuits against organizations that violate the acts. As technology pushes innovation and growth in the healthcare industry, securing the handling of sensitive data by covered entities is crucial to the success of healthcare organizations.
Covered entities that must remain compliant include:
- Healthcare Providers – including hospitals, nursing homes, clinics, pharmacies, doctors, psychologists, dentists, chiropractors
- Health Plans – including health insurance companies, HMOs, company health plans, Medicare, Medicaid, military/veteran healthcare programs
- Healthcare Clearinghouses – entities that process nonstandard health information they receive from another entity into a standard, such as standard electronic format or data content, or vice versa
- HIPAA also extends to “business associates” – including third-party administrators, pharmacy benefit managers for health plans, claims processing/billing/transcription companies, persons performing legal, accounting, and administrative work
HITECH promotes the adoption of electronic health records (EHRs) to improve efficiency and lower healthcare costs, expands on required concepts for information security, and defines breach violation notification and enforcement actions.
Per HITECH, non-compliance with HIPAA can now be fined up to $1,500,000 per calendar year for each violation. In addition, civil monetary penalties or monetary settlements may be awarded to individuals who have been affected by such data breaches. Periodically, the OCR issues enforcement action reports with steep fines for violations.
Similarly, through HIPAA’s Final Omnibus Rule passed in 2013, the criteria for the Business Associate Breach Notification Rules were expanded and now include the HIPAA Security Rule, the Breach Notification Rule, and the patients’ rights portion of the HIPAA Privacy Rule.
What is the difference between HIPAA and HITECH?
HIPAA and HITECH have very marginal differences as they both aim to protect ePHI and work in tandem with one another to ensure enforced compliance. The largest difference between the two acts is that HITECH allows patients to request and obtain access reports which explain who had access to their ePHI and under what authority.
Covered Entities must adhere to both acts to remain in compliance – but HITECH strengthened HIPAA's standing by providing the authority to enforce against HIPAA non-compliance.
How Can We Help?
Our IT Compliance and IT Security expertise assists you in determining whether your entity meets the HIPAA HITECH requirements and performs various mandatory services such as:
- Gap Analysis
- HIPAA Security, Breach, and Privacy Rule Training
- HIPAA Risk Analysis (see below)
- Penetration & Intrusion Testing
HIPAA Risk Analysis
Elevate has conducted many Risk Analyses (also known as Risk Assessments) to assess information security risks and ensure HIPAA Security Rule Compliance.
We follow the guidance document published by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) entitled "Guidance on Risk Analysis Requirements under the HIPAA Security Rule", as it describes the nine (9) essential elements that a Risk Analysis must incorporate, regardless of the risk analysis methodology employed. The analysis must also correlate assessments with all applicable State/Federal security rules and regulations, such as the requirements for the HIPAA Security Risk Analysis as defined in the HIPAA Security Final Rule, 45 CFR 164.308(a)(1)(ii)(A).
Additionally, the HIPAA Risk Analysis is conducted in accordance with the NIST 800-30 standard recommended by the OCR and the overall guidance of NIST 800-66 Rev 1 on implementing the HIPAA Security Rule.
The 9 elements for the risk analysis include:
- Scope of the Analysis – all ePHI that the organization creates, receives, maintains, or transmits must be included in the risk analysis
- Data Collection – Methods for data collection of information assets with ePHI
- Identify and Document Potential Threats and Vulnerabilities – develop a critical analysis of the typical vulnerabilities and the likelihood of threats
- Assess Current Security Measures
- Determine the Likelihood of Threat Occurrence
- Determine the Potential Impact of Threat Occurrence
- Establish a Threat Matrix
- Determine the Level of Risk
- Finalize Documentation and provide meaningful recommendations to appropriately mitigate the risks.
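The last five elements (assess current measures, rate likelihood, rate impact, build a threat matrix, determine risk level, recommend mitigations) are the part of the analysis that can be scored mechanically once the assessors have made their ratings. The following is an added example, not Elevate's tooling or anything published by HHS/OCR: a small risk register in Python that turns Low/Medium/High likelihood and impact ratings into a threat-matrix score and a risk level, ranks the items, and selects those that need a recommendation. The weights (likelihood 1.0/0.5/0.1, impact 100/50/10) and the level thresholds are an assumption modelled on the qualitative method in the original NIST SP 800-30; the assets, threats and controls in `SAMPLE_ITEMS` are constructed for illustration only.

```python
from dataclasses import dataclass

# Qualitative scales. The weights are an assumption modelled on the
# original NIST SP 800-30 method (likelihood 1.0/0.5/0.1, impact 100/50/10);
# an engagement would confirm them against the edition it follows.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    """One row of the risk register: an ePHI asset, a threat/vulnerability
    pair, the controls already in place, and the assessor's ratings."""
    asset: str
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str   # Low | Medium | High, rated after considering current controls
    impact: str       # Low | Medium | High, effect on ePHI confidentiality/integrity/availability
    recommendation: str = ""


def risk_score(likelihood: str, impact: str) -> float:
    """Threat-matrix cell value: likelihood weight x impact weight."""
    try:
        return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use Low, Medium or High") from None


def risk_level(score: float) -> str:
    """Map a threat-matrix score to a risk level (thresholds assumed, 800-30 style)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_register(items):
    """Return (item, score, level) tuples sorted highest risk first."""
    rows = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        rows.append((item, score, risk_level(score)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def items_needing_action(register, minimum="Medium"):
    """Rows at or above the given level, for the recommendations section of the report."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [row for row in register if order[row[2]] >= order[minimum]]


# Constructed sample register (hypothetical assets, not from any real engagement)
SAMPLE_ITEMS = [
    RiskItem("EHR database server", "Ransomware via phishing", "Unpatched OS, no EDR",
             "Perimeter firewall only", "High", "High",
             "Patch cycle, EDR, tested offline backups"),
    RiskItem("Clinician laptops", "Theft or loss", "No full-disk encryption",
             "Password login", "Medium", "High",
             "Enforce full-disk encryption and remote wipe"),
    RiskItem("Billing file share", "Insider over-access", "Broad share permissions",
             "Quarterly access review", "Medium", "Medium",
             "Role-based access and access logging"),
    RiskItem("Off-site backup tapes", "Loss in transit", "Courier handling",
             "AES-256 encrypted tapes", "Low", "Medium",
             "Keep current controls; verify key custody"),
]

if __name__ == "__main__":
    for item, score, level in build_register(SAMPLE_ITEMS):
        print(f"{level:6} {score:5.1f}  {item.asset}: {item.threat} -> {item.recommendation}")
```

Running the script ranks the constructed items High, Medium, Medium, Low; only the first three reach the "Medium" threshold used for the recommendations list. Keeping the ratings separate from the scoring is what lets the documented analysis be reproduced later, which is the point of the ninth element.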