Solution Briefs
Understanding, experience and technology for success

 

HIPAA/HITECH Compliance

Enabling Healthcare Organizations Streamline and Automate Information Security Regulatory Compliance Initiatives

Introduction
In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). It brought into existence for the first time, a set of generally accepted security standards and requirements for protecting health information. In 2009, the scope and depth of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both HIPAA and HITECH have gained increasing significance with the health industry's ongoing adoption of electronic information systems. These new systems – including computerized data entry applications and electronic health records (EHRs) - have significantly improved operational mobility and efficiency; but they have also thrown up new security threats. Today, electronic Protected Health Information (PHI) is constantly at the risk of being stolen, tampered with, or publicly disclosed.

To control, if not eliminate these threats, HIPAA and HITECH lay out strict standards governing information security and privacy. Covered entities, or those that are required to comply with these standards, include all entities that transmit any information in an electronic form in connection with a transaction for which the Department of Health and Humans Services (HHS) has adopted a standard.

Recently, the HHS announced ''The Final Omnibus Rule,'' which goes into effect on March 26, 2013. This rule, which makes changes to HIPAA, extends direct liability for complying with certain HIPAA security, privacy, and breach notification rules, to Business Associates (BAs) of covered entities. BAs include Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities. They will all be required to comply with the new rules by September 23, 2013.

The amended HIPAA rule formalizes many of the statutory changes already made in 2009, defines procedures to notify any breach, and increases penalties for non-compliance from $25,000 to $1.5 million per violation. With these revised set of rules, HIPAA not only expands the individual rights of patients but also tightens the breach notification requirements under the HITECH Act.

Covered entities

Healthcare providers Health plans
Business Associates
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies
  • Health insurance companies
  • Health Maintenance Organizations (HMOs)
  • Company health plans
  • Government programs such as Medicare and Medicaid who pay for healthcare
  • Healthcare Clearing Houses
  • Patient Data Storage Companies
  • Health Information Organizations
  • E-Prescribing Gateways
  • Billing Companies
  • Vendors of Personal Health Records
  • Sub-contractors dealing with PHI on behalf of BAs

The Wall of Shame
Section 13402(e)(4) of The Breach Notification Rule of HITECH Act stipulates that a list of breaches of unsecured PHI affecting 500 or more individuals be posted on the HHS website.

The public can now access brief summaries of the breach cases that the Office of Civil Rights (OCR) has investigated and closed. The names of private practice providers who have reported breaches of unsecured PHI to the Secretary will also be available in this list.

The latest report is an eye opener to the increasing rate of HIPAA/HITECH violations by covered entities in recent years.

http://www.hhs.gov/ocr/privacy/hipaa/
administrative/breachnotificationrule/breachtool.html

HIPAA requirements
HIPAA is broadly divided into two sections or titles and now includes the new final rule. Title I protects the health insurance rights of workers who change or lose their jobs. It also limits the number of restrictions that health insurance companies can impose on individuals with pre-existing health conditions.

Title II is far more influential. Also known as the Administrative Simplification provisions, it contains rules, standards, and guidelines to protect sensitive health information. These rules include the Transaction and Code Sets Rule which streamlines and secures transaction processes among healthcare institutions, and the Unique Identifiers Rule which mandates that all healthcare providers have a National Provider ID to file claims.

While these two rules are extremely important, a lot more attention is being paid to the Privacy and Security Rules, especially as the integrity of data becomes increasingly threatened. Both rules contain extensive provisions and guidelines surrounding the use, protection, and disposal of sensitive health information. With the introduction of the final rule, the focus is bound to shift to new areas of compliance, and new patient information privacy requirements.

The Privacy Rule
The Privacy Rule was instituted to protect all individually identifiable health information or PHI that is stored or transmitted. This information includes any part of an individual's medical records, health status, or payment history.

The Privacy Rule provides standards and guidelines concerning the use and disclosure of individual PHI. For instance, it allows information to be disclosed while reporting child abuse or to facilitate a particular treatment. It also enables individuals to control how their health information is used.

According to the HHS, "A major goal of the Privacy Rule is to assure that individuals' health information is properly protected, while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public's health and well-being."

The Security Rule

  • Administrative safeguards
    • Define a clear set of policies and procedures to demonstrate compliance with HIPAA requirements; ensure that vendors meet those same requirements.
    • Perform a risk analysis to evaluate potential risks, and implement the appropriate security measures.
    • Train employees on all privacy and security policies and procedures.
    • Establish a contingency plan for disasters, data loss, system failure, and other emergencies.
    • Appoint officials for developing and implementing policies as well as handling individual complaints and requests for information.
  • Physical safeguards
    • Establish effective controls to prevent unauthorized access to healthcare information.
    • Monitor equipment containing sensitive data.
    • Protect workstations from high traffic and public view.
    • Establish guidelines for the proper removal, transfer, disposal, and reuse of information media.
  • Technical safeguards
    • Prevent unauthorized access to systems through password locks, system encryption, unique user ID, automatic log off, and other such mechanisms.
    • Ensure data integrity through message authentication and digital signatures.
    • Conduct regular internal audits to identify security and privacy violations.

The Final Omnibus Rule
The new HIPAA Omnibus Rule was announced in January 2013 with an increased focus on the way covered entities work in conjunction with their BAs. The long-awaited revisions have been made in view of the fact that BAs are responsible for a majority of the nation's healthcare data-loss incidents.

The reforms require healthcare organizations to assess their compliance status against HIPAA's new rules. Director, HHS Office for Civil Rights, Leon Rodriguez, in a press release says, "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates. "

The final rule clarifies that BAs are directly liable for any failure in disclosing PHI to the Secretary of the HHS, covered entities, or an individual or individual's designee who requests an electronic copy of PHI. The rule also makes changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalties mandated by the HITECH Act.

The revised HIPAA rule requires covered entities and BAs to:

  • Notify any breach of unsecured PHI that could cause financial, reputational, or other harm to the affected individual.
  • Modify and redistribute its Notice of Privacy Practices with description of uses and disclosures of PHIs.
  • Make BAs of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
  • Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit PHI sale without individual authorization.
  • Review and revise HIPAA Privacy and Security policies and procedures.
  • Extend individuals' rights to receive electronic copies of their health information.

BA agreements must be executed, as necessary to comply with the final rule. A sub-contractor who creates, receives, maintains, or transmits PHI on behalf of a BA will also fall under the radar of the new rule.

Difference between HIPAA and HITECH
HIPAA and HITECH are similar rules, as both address the security and privacy of healthcare regulations. However, section D of the HITECH Act contains important provisions that impact covered entities in new and diverse ways.

HITECH also provides newly updated civil and criminal penalties for non-compliance. In addition, it establishes new requirements for security breach notifications. For instance, it mandates that covered entities notify individuals if their PHI has been accessed by unauthorized individuals.

Another difference between HIPAA and HITECH is with regard to the accounting of disclosures of PHI. HITECH requires covered entities to account for the disclosure of PHI even when it is done for healthcare treatment or billing purposes.

Challenges of HIPAA/HITECH Compliance
While HIPAA/HITECH may be a boon to the security of healthcare information, the rules also throw up a number of challenges for covered entities:

High costs
HIPAA/HITECH compliance requires a major shift in operations. Controls have to be implemented, officials appointed, employees trained, policies and procedures drawn up, systems revamped, and paper work organized. These requirements place a major burden on costs and resources at a time when the effects of the recession are still being felt. The cost of non-compliance can range from $100 to over $50,000 per violation, with a maximum of $1.5 million for all violations of an identical provision in a year, as per the Final Rule.

Regulatory Tracking
HIPAA and HITECH are just two of the many regulations that healthcare organizations are required to comply with. Other regulations include PSQIA, Stark, SOX, PCI DSS, and CISP, each of which is stacked with complex requirements, controls and practices, and subject to constant change. For instance, HIPAA's Transaction and Code Sets Rule has been upgraded from version 4010 to version 5010. Identifying the gaps between the two versions is a prominent challenge. Organizations also need to keep track of the variations in regulations from state to state. Understanding which requirements apply to covered entities, and how controls must be implemented can be extremely cumbersome.

Extensive documentation
Covered entities – especially healthcare providers – are already reeling under tremendous paperwork, lengthy documentation, patient records, and more. To top it off, they have to organize documentation for various compliance regulations. HIPAA covered entities are required to develop written policies and procedures that are consistent with HIPAA requirements. These documents have to be maintained for six years, in addition to other information such as privacy practices, notices and complaints dispositions. The tasks of collecting, archiving, and searching this information are becoming increasingly complex. Now that patients and external auditors have the right to request for information at any time, healthcare providers need to develop an efficient system to retrieve the required information quickly.

Manual limitations
Many covered entities continue to analyze risks, conduct audits, and document controls through manual, paper-based processes and stand-alone systems. Significant effort and hours are spent on collecting data from across the enterprise, organizing it into meaningful insights, and preparing reports. Now, the final rule requires that covered entities keep an eye on BAs as well. Then there are tasks such as system encryption, password implementation, data disposal, and work station protection. Tracking and monitoring these processes manually is extremely cumbersome, not to mention error-prone.

Lack of an enterprise-encompassing approach to compliance
HIPAA compliance requires covered entities to implement the appropriate controls across departments, units, nation-wide operations, and vendor locations. This calls for significant collaboration and coordination across the enterprise. However, most organizations continue to operate in isolated silos. For instance, the finance and clinical health department hardly ever interact. Consequently, HIPAA compliance processes and controls are duplicated across silos, costs are unnecessarily consumed, and time wasted. Moreover, managers often cannot gain a clear insight into enterprise-wide compliance in real-time. Neither are they fully able to track issues and corrective actions when they occur.

Securing health information
Covered entities are required to implement controls and safeguards to protect health information. The key is to adopt popular IT frameworks such as COSO and ISO 27002. But these frameworks come with hundreds of controls and guidelines. Sifting through them can be exhausting and confusing. There is also the challenge of constantly monitoring controls across the enterprise. There can be no room for laxity or error as IT systems and networks are constantly under threats. Faced with these conditions, managers can find it extremely complex and exhausting to track controls and systems.

Limited visibility into BAs' work procedures
The new rule requires BAs, who work as contractors or sub-contractors to the covered entities, to comply with HIPAA. However, BAs have their own compliance processes, procedures, and methods of reporting and providing information. This complicates covered entities' ability to monitor the status of BAs' compliance.

Managing contracts and documents
Tracking negotiations with vendors and partners, maintaining a record of earlier contracts, creating detailed contracts that cover all requirements, and ensuring that the contracts adhere to HIPAA rules are some of the crucial steps in contract management. Keeping track of all contractual obligations and adhering to the rigorous standards of contracts can be a daunting task. In-house counsel departments need to closely track parties, clauses, warranties, assignability, termination dates, notice provisions, and other important terms to make sure that the contracts are legally correct, and do not contain any loopholes that might lead to possible litigations.

Solving HIPAA compliance challenges – A streamlined, automated approach
To implement HIPAA requirements, a clear understanding of organizational risks and vulnerabilities is required. A siloed, ad hoc compliance approach is not only inefficient but ineffective. Instead, risk assessments need to be compiled into meaningful insights across business units, departments, operations, and partner locations. By doing so, organizations can gain a unified view of the vulnerabilities in their enterprise, and will be better equipped to apply the appropriate mitigation measures.

Control implementation also needs to follow a holistic, enterprise-wide approach. Not only does such an approach help to streamline workflows, but it also improves collaboration. It enables risks and controls across the enterprise to be managed from a single point of reference. Consequently, visibility and reporting can be enhanced. At the same time, independent responsibilities for the controls can be delegated to specific individuals.

A streamlined approach also improves the ease and efficiency of document management. It enables all policies, procedures, records, and data to be stored in a central repository for easy archival and retrieval.

Additional benefits can be realized through process automation. Automation helps covered entities save on costs, resources and time, while improving efficiency. It also gives managers the freedom to focus more on core profitability and business improvement than on compliance complexities.

MetricStream Solution for HIPAA/HITECH compliance
MetricStream provides a comprehensive framework to help organizations streamline and automate all aspects of HIPAA/HITECH compliance. Used by leading global health organizations, the MetricStream solution has acquired a reputation of combining best-in-class technology with relevant content.

Built on a single platform, the solution enables restrictive organizational silos to be broken down in favor of a more collaborative pattern of functioning. It helps streamline all aspects of HIPAA compliance such as preparing policies and procedures, assessing and analyzing risks, managing audits, identifying gaps and remedying issues. The solution also enables covered entities to integrate all compliance regulations on a single platform instead of managing them in separate initiatives. A centralized structure can be maintained of the overall compliance hierarchy including processes and assets in scope, risks, controls, policies and procedures, and reporting requirements.

The platform contains intuitive interfaces for ease of use. It is also flexible and scalable and can be customized to the organization's unique needs. Powerful capabilities like built-in remediation workflows, time tracking, e-mail based notifications, and risk monitoring improve operational efficiency and effectiveness. In addition, automated controls reduce the time and effort required for HIPAA compliance.

Why Choose MetricStream Solution
  • Centralized management of HIPAA compliance program spread across policy management, audits, risk assessment , training and remediation
  • Embedded content and best practices
  • Automated workflows
  • Powerful role-based dashboards for enhanced reporting and monitoring
  • Co-exist seamlessly with third party applications such as EHR systems
  • Fast implementation

 

The key features of the MetricStream solution for HIPAA/HITECH compliance are given below:

Policy and Procedure Management
The MetricStream solution provides a flexible framework to streamline the creation and management of policies and procedures in line with HIPAA/HITECH rules. This, in turn, facilitates accountability, and fosters communication.

The solution enables companies to adopt an electronic and automated approach to the development, maintenance, and communication of policies and procedures across the enterprise. The web-based system also provides a central repository to store and organize policies and procedure documents. Integrated collaboration and workflow tools can be used to access, create, modify, review, and approve policy and procedure documents globally in a controlled manner. Built-in tools support policy implementation, acceptance, exception tracking and mapping of policies to compliance requirements. The powerful analytics and reporting capability with graphical dashboards tracks each policy from origin to obsolescence, giving managers complete visibility into the system.

The stand-out feature of the solution is its ability to integrate policies and procedures with the compliance, risk, and control framework. At each section and sub-section of the policy, risks and controls can be linked. For instance, the risk of unauthorized access to patient data can be immediately associated with a password encryption control.

Risk Assessment and Mitigation
The MetricStream solution enables effective risk control through a centralized, automated system. Based on configurable methodologies and algorithms, the system helps organizations identify, assess, and prioritize risks. It also supports the creation of a centralized library that documents the source and nature of risks, response strategies, key risk indicators, and mitigating controls.

Powerful tools such as configurable risk calculators and risk heat maps monitor the risk profile of the organization and report risk activities and results. Issues that arise during the assessment are automatically routed to the appropriate personnel for remediation. Embedded control frameworks such as COSO and ISO 27002 help define a set of controls that can be used to mitigate risks.

The solution contains powerful testing capabilities to assess and monitor the effectiveness of controls. It also helps in conducting a comprehensive risk assessment of BAs via surveys. Risks are assessed and computed based on configurable methodologies and algorithms, giving organizations a clear view into a BA's risk profile.

Audit Management
The MetricStream solution enables covered entities to monitor the effectiveness of controls in a seamless, efficient manner. The solution provides end-to-end functionality for managing the complete audit lifecycle including risk assessments, audit planning and scheduling, development of standard audit plans and checklists, field data collection, development of audit reports and recommendations, review of audit recommendations by auditees, management and implementation of audit recommendations, and remediation. Periodic audits of the compliance processes of BAs can also be conducted to pre-empt any deviation from the rules.

Audits can be driven through a streamlined, systematic mechanism that enables effective collaboration across units, departments, and BAs. Automated functionalities eliminate errors and inconsistencies, while also simplifying the process. Auditors can thus focus on providing value-oriented activities such as analyzing and recognizing trends in audit data.

Document Management
The MetricStream solution provides a centralized repository for all patient records, policies and procedures, certificates, and other data. Documents can be created, modified, archived, and retrieved in a controlled, integrated manner, using the solution's powerful collaborative tools. These tools help to accelerate the review and approval process by automatically moving documents from one stage to the next.

Contract Management
The MetricStream solution provides automation capabilities for initiating, creating, reviewing, and approving BA contracts. Contracts are stored in a common repository with adequate controls for versioning, check-in, and check-out of documents. The solution allows users to search the repository based on various parameters such as parties, clauses, warranties, assignability, termination dates, and notice provisions. Built-in checklists ensure that the contracts are adhering to business standards and objectives. The solution enables monitoring the compliance levels of the Business Associates with the contract clauses by defining controls, identifying gaps and triggering preemptive remediation processes.

Reporting
The MetricStream solution automatically tracks and routes information to help managers judge the strength of internal controls, adherence to policies, and risk profile. The system provides the flexibility to create and maintain pre-defined reports as well as ad hoc or scheduled reports. It also enables stakeholders to view metrics by a variety of parameters such as by process, by business units, and by status. Easy access to the real-time data of BAs helps in generating reports to track BAs' compliance processes.

Powerful graphical dashboards provide complete visibility into enterprise-wide HIPAA compliance processes and statuses. They display statistics and data according to policy type, risk status, audit history and in-process documents. They can also be drilled down to view data at a finer level of detail.

Training Management
The MetricStream solution enables effective management of the HIPAA/HITECH training process by providing a simple framework for training delivery and tracking. It helps in maintaining course offerings and course descriptions for easy review by employees and managers, scheduling classes, conducting tests, evaluating performance, and providing feedback on instructors and course material effectiveness.

The solution triggers training automatically from a policy change. It also helps in recording training history as evidence of compliance with mandatory requirements. It measures the gap in employees' training records and allows managers to track the status of training within their departments, and monitor overall skill pool availability at the organizational level. The solution also provides the ability to conduct training sessions for BAs, enabling them to gain a better understanding of the HIPAA rules.

Certifications and Attestations
The solution provides a systematic mechanism for managing certifications in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and records, and documenting attestations and representations at appropriate stages. It provides the ability to configure and execute certifications and self-assessments based on predefined templates and schedules for designated executives.

The system supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. It also supports procedures for affirming the strength of internal controls and adherence to policies. This information rolls up to executive managers who can review and certify the overall risk and control assessment for the enterprise in conformance with HIPAA and HITECH requirements.

Issue Management and Remediation
The MetricStream solution provides powerful capabilities to improve organizational responsiveness to the issues identified. The system captures crucial details about each incident, and automatically routes it through an investigation and remediation process. It also delivers automatic notifications to the appropriate personnel.

Powerful dashboards enable mangers to associate various types of issues, perform a trend analysis, and spot recurring problems in a timely manner. Collaborative workflows drive issue investigation by assigning investigative tasks to appropriate personnel. Based on the issue, a root cause analysis can be triggered, and corrective and preventive action can be applied.

Benefits of MetricStream Solution

Using the MetricStream solution, covered entities can enjoy the following benefits:

  • Streamline and automate HIPAA and HITECH compliance across the enterprise using MetricStream GRC Platform.
  • Monitor compliance levels across the enterprise through MetricStream's powerful dashboards and reporting features.
  • Improve efficiency, simplify compliance, and minimize costs by replacing manual processes with MetricStream's automated solutions.
  • Align compliance risks with HIPAA regulatory requirements.
  • Proactively address and resolve various issues.
  • Manage all documents, policies and procedures with ease and efficiency, using MetricStream's centralized document repository.
  • Monitoring Business Associates and prevent HIPAA violations by carrying out risk

 

About MetricStream
MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions for global corporations. MetricStream solutions are used by leading corporations such as UBS, P&G, Constellation Energy, Pfizer, Philips, BAE Systems, Twitter, SanDisk, Cummins and Sonic Automotive in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their risk management, quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as several million compliance professionals worldwide via the www.ComplianceOnline.com portal. MetricStream is headquartered in Palo Alto, California and can be reached at www.metricstream.com.

Resources
http://www.hhs.gov/news/press/2013pres/01/20130117b.html
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html