HIPAA
A Clean Bill of Health for Your Business
The Health Insurance Portability and Accountability Act (HIPAA) has become business as usual for health care providers. Although the premise is simple (protect the privacy of individual health data that is stored or transmitted electronically), implementing and managing a workflow process that adheres to the Security Rule can be complicated. Computer Network IT works with you to ensure your organization has the appropriate administrative, technical and physical safeguards in place to mitigate risk and avoid costly violations.
Your cybersecurity diagnosis.
HIPAA affects each impacted business or organization differently. To fully understand how to comply effectively and securely with the HIPAA Security Rule as it relates to your existing IT landscape, an assessment is highly recommended. Long Beach Computer Network IT will review your existing security controls, policies and procedures, technology processes and more to get a realistic picture of your operational landscape. With this information in hand, we can establish a cybersecurity framework and prioritize security risks, all without disruption to your current operations. The following is a sampling of what to expect in an assessment:
Identify asset management, governance practices and risk management oversight
Review protection of data security, information processes and maintenance
Detect irregularities and security events
Explore recovery planning and policy remediation
HIPAA checklist
Don't fail any item on the HIPAA compliance checklist
HIPAA compliance means meeting the requirements of HIPAA (the Health Insurance Portability and Accountability Act) and is regulated by the US Department of Health and Human Services (HHS). To help you understand the core concepts of compliance, we have created this guide as an introductory reference on the concepts of HIPAA compliance and HIPAA compliant web hosting.
HIPAA Privacy Rule
HIPAA’s Privacy Rule is in place to ensure that Protected Health Information (PHI) is safeguarded. The Privacy Rule’s formal title is “Standards for Privacy of Individually Identifiable Health Information.”
Respond promptly – HIPAA legislation gives you just 30 days to get back to patient access requests. (Mandatory)
Notice of Privacy Practices – An NPP is required to officially inform patients and subscribers of data-sharing policies. (Mandatory)
Privacy Training – Beyond the training described above, make sure your personnel understand what data can and cannot be shared internally and externally. (Mandatory)
Do not succumb to corruption – “Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients,” instructs HIPAA Journal. (Mandatory)
Get authorization – Obtain permission from the patient before using redacted ePHI for research, fundraising or marketing. (Mandatory)
Update your copy – Your authorization forms should now include a reference to changes in the treatment of school immunizations, ePHI restriction in disclosure to health plans, and the right of patients to their electronic records. (Mandatory)
HIPAA Breach Notification Rule
HIPAA’s Breach Notification Rule sets out requirements for who must be notified in the event of a breach of protected health data.
Know the notification process – If a breach of ePHI occurs, you have to make both your patients and HHS aware. If more than 500 people’s records are involved, you also must notify the media. (Sound like fun?) If fewer than 500 patients are affected, you have to submit a small-breach report form through the OCR website. “These smaller breach reports should ideally be made once the initial investigation has been conducted,” said HIPAA Journal. “The OCR only requires these reports to be made annually.” All of the immediate notifications must be completed within 60 days after discovery. (Mandatory)
Check twice for four – Make sure that your breach notification message contains these four elements (Mandatory):
A description of the ePHI and personal identifiers involved in the breach
Who gained unauthorized access to the PHI or related information
Whether the details were merely viewed or actually acquired (if you know)
The degree to which risk mitigation has succeeded
HIPAA Final Omnibus Rule
The HIPAA Omnibus Rule sets out additional requirements for covered entities and business associates affected by HIPAA.
Refresh your BAA – Update your Business Associate Agreements to reflect the changes of the Omnibus Rule. (Mandatory)
Send new BAA copies – Obtain signed copies of the new BAA (with the Omnibus information incorporated) to stay compliant. (Mandatory)
Refresh your privacy policy – Privacy policies must also reflect Omnibus changes. (Mandatory)
Update the Notice of Privacy Practices – “NPPs must be updated to cover the types of information that require authorization, the right to opt-out of correspondence for fundraising purposes and must factor in the new breach notification requirements,” advised HIPAA Journal. (Mandatory)
Finalize your training – Make sure that everyone on your staff is aware of all Omnibus Rule adjustments by conducting thorough training. (Recommended)