In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). For the first time, it brought into existence a set of generally accepted security standards and requirements for protecting health information. In 2009, the scope and depth of HIPAA were extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA and HITECH lay out strict standards governing information security and privacy.
While HIPAA/HITECH may be a boon for healthcare information security, they also present a number of challenges for covered entities in the form of costs, tracking of regulatory changes, extensive documentation, and the need for an enterprise-wide approach to compliance management. Implementing HIPAA requirements calls for a clear understanding of organizational risks and vulnerabilities. A siloed, ad hoc approach is not only inefficient but ineffective.
MetricStream HIPAA Compliance Management Software Solution
HIPAA - Title II sets national standards for electronic health care transactions. The regulation requires the security and privacy of health data during electronic data interchange in healthcare systems.
Companies providing healthcare plans, acting as a clearinghouse for health plans, or delivering healthcare services are identified as "Covered Entities" under the HIPAA regulation. Covered entities have to follow the rules in 45 CFR §160, §162, and §164 to be HIPAA compliant. Their IT systems also have to ensure the privacy and security of protected health information (PHI) while this information is transmitted and maintained in electronic media.
With HHS announcing "The Final Omnibus Rule", HIPAA has changed: direct liability for complying with certain HIPAA security, privacy, and breach notification rules now extends to Business Associates (BAs) of covered entities. BAs include Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities. The amended HIPAA rule formalizes many of the statutory changes already made in 2009, defines breach notification procedures, and increases penalties for non-compliance from $25,000 to $1.5 million per violation.
MetricStream provides a comprehensive framework to help organizations efficiently manage and automate HIPAA/HITECH compliance. It helps streamline all compliance aspects such as preparing policies and procedures, assessing and analyzing risks, managing audits, identifying gaps, and remedying issues. In accordance with the new HIPAA rule, the solution also provides visibility into BAs' work procedures and helps manage contracts and documents relating to BAs. The solution also enables covered entities to integrate all compliance regulations on a single platform instead of managing them as separate initiatives. A centralized structure of the overall compliance hierarchy can be maintained, including processes and assets in scope, risks, controls, policies and procedures, and reporting requirements.
- Helps implement popular IT governance frameworks for confidentiality, integrity, and availability of electronic protected health information
- Enables compliance with the HIPAA Privacy and Security Rule (45 CFR § 164.304) by facilitating the adoption of a control-based architecture for administrative, physical, and technical safeguards, such as:
  - Understanding and defining the information risk universe for PHI
  - Determining the confidentiality, integrity, and availability requirements of PHI
  - Defining and implementing the required controls
  - Developing enforcement, monitoring, and response mechanisms for controls through risk assessment, auditing, and incident management
- Monitors Business Associates and helps prevent HIPAA violations by carrying out risk assessments, scheduling periodic audits, and ensuring alignment through training programs
- Generates reports for HIPAA compliance
- Helps achieve cost savings and efficiency in the IT-GRC program by easily integrating with emerging frameworks and regulations such as:
  - The Health Information Trust Alliance Common Security Framework (HITRUST CSF)
  - Health Information Technology for Economic and Clinical Health Act (HITECH)
  - American Recovery and Reinvestment Act of 2009 (ARRA)