Solution Briefs

HIPAA/HITECH Compliance

Healthcare Organizations Streamline and Automate Compliance Initiatives with MetricStream’s Market-leading Solutions
Introduction
In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). For the first time, it brought into existence a set of generally accepted security standards and requirements for protecting health information. In 2009, the scope and depth of HIPAA were extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both HIPAA and HITECH have gained increasing significance with the health industry’s ongoing adoption of electronic information systems. These new systems, including computerized data entry applications and electronic health records (EHRs), have significantly improved operational mobility and efficiency, but they have also introduced new security threats. Today, electronic health information is constantly at risk of being stolen, tampered with or publicly disclosed.

To control, if not eliminate, these threats, HIPAA and HITECH lay out strict standards governing information security and privacy. Covered entities, those that are required to comply with these standards, include all entities that transmit any information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard.

Covered entities

According to the Office for Civil Rights (OCR), 210 health information breaches occurred between September 2009 and October 2010, affecting 5,510,787 people. Of these breaches, 60% were caused by theft, unauthorized access/disclosure, or hacking/IT incidents. (Reports as of December 15, 2010)

HIPAA requirements
HIPAA is broadly divided into two sections or titles. Title I protects the health insurance rights of workers who change or lose their jobs. It also limits the number of restrictions that health insurance companies can impose on individuals with pre-existing health conditions.

Title II is far more influential. Also known as the Administrative Simplification provisions, it contains rules, standards and guidelines to protect sensitive health information. These rules include the Transaction and Code Sets Rule, which streamlines and secures transaction processes among healthcare institutions, and the Unique Identifiers Rule, which mandates that all healthcare providers have a National Provider ID to file claims.

While these two rules are extremely important, a lot more attention is being paid to the Privacy and Security Rules, especially as the integrity of data becomes increasingly threatened. Both rules contain extensive provisions and guidelines surrounding the use, protection and disposal of sensitive health information.

The Privacy Rule
The Privacy Rule was instituted to protect all individually identifiable health information that is stored or transmitted. This information, also known as Protected Health Information (PHI), includes any part of an individual’s medical record, health status or payment history.

The Privacy Rule provides standards and guidelines concerning the use and disclosure of individual PHI. For instance, it allows information to be disclosed while reporting child abuse or to facilitate a particular treatment. It also enables individuals to control how their health information is used.

According to the HHS, ‘A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected, while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well-being.’

The Security Rule
Unlike the Privacy Rule which pertains to both paper and electronic PHI, the Security Rule focuses solely on the latter, or e-PHI. It contains a number of administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of all e-PHI. These include:

  • Administrative safeguards
    • Define a clear set of policies and procedures to demonstrate compliance with HIPAA requirements; ensure that vendors meet those same requirements
    • Perform a risk analysis to evaluate potential risks and implement the appropriate security measures
    • Train employees on all privacy and security policies and procedures
    • Establish a contingency plan for disasters, data loss, system failure and other emergencies
    • Appoint officials for developing and implementing policies as well as handling individual complaints and requests for information
  • Physical safeguards
    • Establish effective controls to prevent unauthorized access to healthcare information
    • Monitor equipment containing sensitive data
    • Protect workstations from high traffic and public view
    • Establish guidelines for the proper removal, transfer, disposal and reuse of information media
  • Technical safeguards
    • Prevent unauthorized access to systems through password locks, system encryption, unique user IDs, automatic log-off, etc.
    • Ensure data integrity through message authentication and digital signatures
    • Conduct regular internal audits to identify security and privacy violations
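The technical safeguard "ensure data integrity through message authentication" is the one item in the list above that maps directly onto a concrete mechanism, so here is a worked illustration of it. This is an added example written for this brief; it is not code from MetricStream's product or from the HHS rule text. The record fields, the demo key handling and the function names are assumptions made for the example: a record is serialized deterministically, an HMAC-SHA256 tag is attached, and verification recomputes the tag in constant time so that any alteration of the stored record (or a tag produced under a different key) is detected. Digital signatures, the other mechanism the list names, serve the same purpose where the verifier must not hold the signing key; a shared-key HMAC is shown here because it needs only the standard library.

```python
"""Integrity tagging of an e-PHI record with HMAC-SHA256.

Added example for the Security Rule's technical safeguards; not part of
any product described in this brief. Record layout, key handling and
names are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record: fictitious values, no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Example Patient",
    "diagnosis_code": "J45.909",
    "last_updated": "2010-12-15T10:30:00Z",
}

TAG_FIELD = "integrity_tag"


def canonicalize(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no optional whitespace) so
    that identical content always yields identical bytes to authenticate."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its
    canonical form. The key must be managed separately from the records
    (assumption: a KMS or HSM in a real deployment)."""
    if TAG_FIELD in record:
        raise ValueError("record already carries an integrity tag")
    tag = hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()
    sealed = dict(record)
    sealed[TAG_FIELD] = tag
    return sealed


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag over the record body (everything except the tag)
    and compare in constant time. False for missing, altered or foreign-key
    tags; no exception is raised, so callers can log and route the failure."""
    tag = sealed.get(TAG_FIELD)
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonicalize(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Seal the sample record, then show that an intact copy verifies while
    an edited copy and a copy checked under another key are both rejected."""
    key = secrets.token_bytes(32)          # fresh demo key, never persisted here
    sealed = seal(SAMPLE_RECORD, key)

    tampered = dict(sealed)
    tampered["diagnosis_code"] = "Z00.00"  # simulated unauthorized edit

    return {
        "intact_verifies": verify(sealed, key),
        "tamper_detected": not verify(tampered, key),
        "wrong_key_rejected": not verify(sealed, secrets.token_bytes(32)),
        "untagged_rejected": not verify(SAMPLE_RECORD, key),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'ok' if outcome else 'FAILED'}")
```

The tag only proves that the record has not changed since it was sealed by a holder of the key; it says nothing about whether the original content was correct, and it does not prevent a key holder from resealing an altered record. That is why the safeguards list pairs it with audit logging and access control rather than treating it as a stand-alone measure.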

Difference between HIPAA and HITECH
HIPAA and HITECH are similar rules, as both address the security and privacy of healthcare information. However, section D of the HITECH Act contains important new provisions that are bound to impact covered entities in new and diverse ways. For instance, HITECH extends the scope of HIPAA rules to business associates. Prior to HITECH, business associates were accountable only to covered entities; they did not face government penalties for non-compliance. Under HITECH, they are just as liable as covered entities for the consequences of data breaches.

HITECH also provides newly updated civil and criminal penalties for non-compliance. In addition, it establishes new requirements for security breach notifications. For instance, it mandates that covered entities notify individuals if their PHI has been accessed by unauthorized individuals.

Another difference between HIPAA and HITECH concerns the accounting of disclosures of PHI. HITECH requires covered entities to account for the disclosure of PHI even when it is done for healthcare treatment or billing purposes.

Challenges of HIPAA/HITECH Compliance
While HIPAA/HITECH may be a boon to the security of healthcare information, they also present a number of challenges for covered entities:

High costs
HIPAA/HITECH compliance requires a major shift in operations. Controls have to be implemented, officials appointed, employees trained, policies and procedures drawn up, systems revamped and paperwork organized. These requirements place a major burden on costs and resources at a time when the effects of the recession are still being felt. The cost of non-compliance can range from $100 to over $10,000.

Regulatory Tracking
HIPAA and HITECH are just two of the many regulations that healthcare organizations are required to comply with. Other regulations include PSQIA, Stark, SOX, PCI DSS and CISP, each of which is stacked with complex requirements, controls and practices, and subject to constant change. For instance, HIPAA’s Transaction and Code Sets Rule has just been upgraded from version 4010 to version 5010, and identifying the gaps between the two versions has become a prominent challenge. Organizations also need to keep track of the variations in regulations from state to state. Understanding which requirements apply to covered entities and how controls must be implemented can be extremely cumbersome.

Extensive documentation
Covered entities, especially healthcare providers, are already reeling under tremendous paperwork, lengthy documentation, patient records and more. To top it off, they have to organize documentation for various compliance regulations. HIPAA covered entities are required to develop written policies and procedures that are consistent with HIPAA requirements. These documents have to be maintained for six years, in addition to other information such as privacy practices, notices and complaint dispositions. The tasks of collecting, archiving and searching this information are becoming increasingly complex. Now that patients and external auditors have the right to request information at any time, healthcare providers need an efficient system to retrieve the required information quickly.

Manual limitations
Many covered entities continue to analyze risks, conduct audits and document controls through manual, paper-based processes and stand-alone systems. Significant effort and hours are spent on collecting data from across the enterprise, organizing it into meaningful insights and preparing reports. Then there are the tasks of system encryption, password implementation, data disposal, workstation protection, etc. Tracking and monitoring these processes manually is extremely cumbersome, not to mention error-prone.

Lack of an enterprise-encompassing approach to compliance
HIPAA compliance requires covered entities to implement the appropriate controls across departments, units, nation-wide operations and vendor locations. This calls for significant collaboration and coordination across the enterprise. However, most organizations continue to operate in isolated silos. For instance, the finance and clinical departments hardly ever interact. Consequently, HIPAA compliance processes and controls are duplicated across these silos, costs are unnecessarily incurred and time is wasted. Moreover, managers cannot gain clear insight into enterprise-wide compliance in real time, nor are they fully able to track issues and corrective actions as they occur.

Securing health information
Covered entities are required to implement controls and safeguards to protect health information. The key is to adopt widely used IT frameworks such as COSO and ISO 27002. But these frameworks come with hundreds of controls and guidelines, and sifting through them can be exhausting and confusing. There is also the challenge of constantly monitoring controls across the enterprise. There can be no room for laxity or error, as IT systems and networks are constantly under threat. Faced with these conditions, managers can find it extremely complex and exhausting to track controls and systems.

Solving HIPAA compliance challenges – A streamlined, automated approach
To implement HIPAA requirements, a clear understanding of organizational risks and vulnerabilities is required. A siloed, ad hoc approach is not only inefficient but ineffective. Instead, risk assessments need to be compiled into meaningful insights across business units, departments, operations and partner locations. By doing so, organizations can gain a unified view of the vulnerabilities in their enterprise, and will be better equipped to apply the appropriate mitigation measures.

Control implementation also needs to follow a holistic, enterprise-wide approach. Not only does such an approach help to streamline workflows, but it also improves collaboration. It enables risks and controls across the enterprise to be managed from a single point of reference. Consequently, visibility and reporting can be enhanced. At the same time, independent responsibilities for the controls can be delegated to specific individuals.

A streamlined approach also improves the ease and efficiency of document management. It enables all policies, procedures, records and data to be stored in a central repository for easy archival and retrieval.

Additional benefits can be realized through process automation. Automation helps covered entities save on costs, resources and time, while improving efficiency. It also gives managers the freedom to focus more on core profitability and business improvement than on compliance complexities.

MetricStream Solution for HIPAA/HITECH compliance
MetricStream provides a comprehensive framework to help organizations streamline and automate all aspects of HIPAA/HITECH compliance. Used by leading global health organizations, MetricStream Solution has acquired a reputation for combining best-in-class technology with relevant content.

Built on a single platform, the solution enables restrictive organizational silos to be broken down in favor of a more collaborative pattern of functioning. It helps streamline all aspects of HIPAA compliance such as preparing policies and procedures, assessing and analyzing risks, managing audits, identifying gaps and remedying issues. The solution also enables covered entities to integrate all compliance regulations on a single platform instead of managing them in separate initiatives. A centralized structure can be maintained of the overall compliance hierarchy including processes and assets in scope, risks, controls, policies and procedures and reporting requirements.

The platform contains intuitive interfaces for ease of use. It is also flexible and scalable and can be customized to the organization’s unique needs. Powerful capabilities like built-in remediation workflows, time tracking, e-mail based notifications and risk monitoring improve operational efficiency and effectiveness. In addition, automated controls reduce the time and effort required for HIPAA compliance.

Why Choose MetricStream Solution
  • Centralized management of audits, risk and compliance
  • Extendable and scalable
  • Automated workflows
  • Embedded best practices
  • Powerful role-based dashboards for enhanced reporting and monitoring
  • Integration with enterprise-wide systems
  • Fast implementation
  • Intuitive user interfaces


The key features of MetricStream Solution for HIPAA/HITECH compliance are given below:

Policy and Procedure Management
MetricStream provides a flexible framework to streamline the creation and management of policies and procedures in line with HIPAA/HITECH rules. This, in turn, facilitates accountability and fosters communication. The solution enables companies to adopt an electronic and automated approach to the development, maintenance, and communication of policies and procedures across the enterprise. The web-based system provides a central repository to store and organize policies and procedure documents. Integrated collaboration and workflow tools can be used to access, create, modify, review, and approve policy and procedure documents globally in a controlled manner. Built-in tools support policy implementation, acceptance, exception tracking and mapping of policies to compliance requirements. The powerful analytics and reporting capability with graphical dashboards tracks each policy from origin to obsolescence, giving managers complete visibility into the system.

The stand-out feature of the solution is its ability to integrate policies and procedures with the compliance, risk and control framework. At each section and sub-section of the policy, risks and controls can be linked. For instance, the risk of unauthorized access to patient data can be immediately associated with a password encryption control.

Risk Assessment and Mitigation
MetricStream enables effective risk control through a centralized, automated system. Based on configurable methodologies and algorithms, the system helps organizations identify, assess and prioritize risks. It also supports the creation of a centralized library that documents the source and nature of risks, response strategies, key risk indicators and mitigating controls.

Powerful tools such as configurable risk calculators and risk heat maps monitor the risk profile of the organization and report risk activities and results. Issues that arise during the assessment are automatically routed to the appropriate personnel for remediation. Embedded control frameworks such as COSO and ISO 27002 help define a set of controls that can then be used to mitigate risks.

The solution also contains powerful testing capabilities to assess and monitor the effectiveness of controls.

Audit Management
MetricStream Audit Management Solution enables covered entities to monitor the effectiveness of controls in a seamless, efficient manner. The solution provides end-to-end functionality for managing the complete audit lifecycle including risk assessment, audit planning and scheduling, development of standard audit plans and checklists, field data collection, development of audit reports and recommendations, review of audit recommendations by auditees, management and implementation of audit recommendations and remediation.

Audits can be driven through a streamlined, systematic mechanism that enables effective collaboration across units, departments, operations and partner locations. Automated functionalities eliminate errors and inconsistencies, while also simplifying the process. Auditors can thus focus on providing value-oriented functions such as analyzing and recognizing trends in audit data.

Document Management
MetricStream Solution provides a centralized repository for all patient records, policies and procedures, certificates and other data. Documents can be created, modified, archived and retrieved in a controlled, integrated manner, using the solution’s powerful collaborative tools. They help to accelerate the review and approval process by automatically moving documents from one stage to the next.

Reporting
MetricStream Solution automatically tracks and routes the flow of information to help managers judge the strength of internal controls, adherence to policies and risk profile. The system provides the flexibility to create and maintain pre-defined reports as well as ad hoc or scheduled reports. It also enables stakeholders to view metrics by a variety of parameters such as by process, by business units, and by status.

Powerful graphical dashboards provide complete, real-time visibility into enterprise-wide HIPAA compliance processes and statuses. They display statistics and data according to policy type, risk status, audit history and in-process documents. They can also be drilled down to view data at a finer level of detail.

Training Management
MetricStream Solution enables effective management of the HIPAA/HITECH training process by maintaining a central repository of course offerings and providing a simple framework for training delivery and tracking. The solution triggers training automatically from a policy change. It also helps in recording training history as evidence of compliance with mandatory requirements. It measures the gaps in employees' training records and allows managers to track the status of training within their departments and monitor overall skill pool availability at the organizational level.

The solution enables effective management of the overall training process by maintaining course offerings and course descriptions for easy review by employees and managers, scheduling classes, conducting tests, evaluating performance, providing feedback on instructors and course material effectiveness, maintaining training records and conducting gap analyses.

Certifications and Attestations
The solution provides a systematic mechanism for managing certifications in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and records and documenting attestations and representations at appropriate stages. It provides the capability to configure and execute certifications and self-assessments based on predefined templates and schedules for designated executives.

The system supports electronic sign-offs at departmental and functional levels that roll up for executive certifications. It also supports procedures for affirming the strength of internal controls and adherence to policies. This information rolls up to executive managers who can review and certify the overall risk and control assessment for the enterprise in conformance with HIPAA and HITECH requirements.

Issue Management and Remediation
MetricStream Solution provides powerful capabilities to improve responsiveness to issues identified. The system captures crucial details about each incident and automatically routes it through an investigation and remediation process. It also delivers automatic notifications to the appropriate personnel.

Powerful dashboards enable managers to associate various types of issues, perform a trend analysis and spot recurring problems in a timely manner. Collaborative workflows drive issue investigation by assigning investigative tasks to appropriate personnel. Based on the issue, a root cause analysis can be triggered, and corrective and preventive action can be applied.

Benefits of MetricStream Solution

Using MetricStream Solution, covered entities can enjoy the following benefits:

  • Streamline and automate HIPAA and HITECH compliance across the enterprise using the MetricStream GRC platform
  • Monitor the compliance levels across the enterprise through MetricStream’s powerful dashboards and reporting features
  • Improve efficiency, simplify compliance and minimize costs by replacing manual processes with MetricStream’s automated solutions
  • Align compliance risks with corporate objectives
  • Proactively address and resolve various issues
  • Manage all documents, policies and procedures with ease and efficiency, using MetricStream’s centralized document repository


About MetricStream
MetricStream is a market leader in enterprise-wide Governance, Risk, Compliance (GRC) and Quality Solutions for global corporations. MetricStream solutions are used by leading corporations such as Pfizer, Philips, NASDAQ, UBS, SanDisk, Subway, Fairchild Semiconductor, SunTrust Banks and Cummins, in industries as diverse as Pharmaceuticals, Medical Devices, Automotive, Food, High Tech Manufacturing, Energy and Financial Services, to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives. They are also used by over a million compliance professionals worldwide via the www.ComplianceOnline.com portal. MetricStream is headquartered in Palo Alto, California and can be reached at www.metricstream.com.

Resources

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html