HIPAA Implementation Roadmap
September 15, 2007
Introduction
HIPAA imposes responsibilities on health care
entities, and on their business associates, that
receive, transmit or use protected health
information (PHI). HIPAA's regulations cover
health plans (including employer sponsored
plans, insurance companies and HMOs), health care
providers that conduct specific transactions
electronically, and others. Examples of
HIPAA regulated employer health plans include:
- Medical Plans
- Dental Plans
- Health Flexible Spending Accounts
- Retiree Medical Plans
- ERISA covered Employee Assistance Plans
Assessments help health care organizations
identify, manage, and reduce their risks related
to Protected Health Information (PHI) and Health
Information Technology (HIT).
Protected Health Information (PHI) and
Health Information Technology (HIT)
Protected Health Information (PHI) is any
information that identifies an individual, or
could reasonably be used to identify one, and
relates to at least one of the following:
- The individual's past, present or future
physical or mental health
- The provision of health care to the
individual
- The past, present or future payment for
health care
Health Information Technology (HIT) refers to
the systems used to create, store, transmit and
receive that information. The identifiers below,
used alone or in combination with other data,
can single out a specific person; health
information that carries any of them is PHI.
Examples of such identifiers include:
- Name
- Address (all geographic subdivisions
smaller than state, including street
address, city, ZIP code)
- All elements (except years) of dates
related to an individual (e.g. birth date,
admission date, etc.)
- Telephone number
- E-mail address
- Social Security number
- Web URL
Instead of removing the data entirely, a health
care organization can "de-identify" the
information by stripping these identifiers or
making them more general, for example replacing
a birth date with an age range. Information that
has been properly de-identified is no longer PHI
and may be used and disclosed more freely.
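The de-identification step described above, as an added example that is not part of the original article: a record is passed through a deny-by-default filter that drops the identifiers listed in the text (name, address below state level, phone, e-mail, SSN, URL), keeps only the year of event dates, and replaces the birth date with an age range. The field names, the 10-year bucket width, the reference date and the sample record are assumptions; the "90+" cap goes beyond the text and follows the Safe Harbor rule that ages of 90 and over are reported as one category.

```python
from datetime import date

# Field names are assumptions for this example; the categories follow the
# identifier list in the text (name, address below state level, full dates,
# phone, e-mail, SSN, URL).
DIRECT_IDENTIFIERS = {"name", "street", "city", "zip", "phone", "email", "ssn", "url"}
EVENT_DATES = {"admission_date", "discharge_date", "service_date"}   # year only survives
SAFE_FIELDS = {"state", "diagnosis_code", "claim_amount"}           # known non-identifying
REFERENCE_DATE = date(2007, 9, 15)   # assumed "as of" date for computing ages


def age_range(birth: date, as_of: date, width: int = 10) -> str:
    """Generalise a birth date to an age range. The 10-year bucket width is an
    assumption; the '90+' cap mirrors the Safe Harbor rule that ages of 90 and
    over are reported as a single category."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    if age >= 90:
        return "90+"
    low = age // width * width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of `record`.

    Deny by default: a field is kept only if it is explicitly classified as
    safe or has a generalisation rule. Direct identifiers and any field the
    schema does not classify are dropped, so adding a new column to the
    source data cannot silently leak an identifier.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "birth_date":
            out["age_range"] = age_range(value, as_of)
        elif key in EVENT_DATES:
            out[f"{key}_year"] = value.year
        elif key in SAFE_FIELDS:
            out[key] = value
        # anything else is unclassified and dropped
    return out


def is_deidentified(record: dict) -> bool:
    """Post-condition check: no direct identifier field and no full date remain."""
    if record.keys() & DIRECT_IDENTIFIERS:
        return False
    return not any(isinstance(v, date) for v in record.values())


# Constructed, fictitious sample record.
SAMPLE = {
    "name": "Jane Q. Sample",
    "street": "100 Example St",
    "city": "Santa Ana",
    "state": "CA",
    "zip": "92705",
    "birth_date": date(1950, 6, 15),
    "admission_date": date(2007, 3, 2),
    "phone": "714-555-0100",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "url": "http://example.com/jane",
    "diagnosis_code": "E11.9",
    "claim_amount": 1250.00,
    "internal_note": "call back re: billing",   # unclassified, so dropped
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, as_of=REFERENCE_DATE)
    assert is_deidentified(cleaned)
    print(cleaned)
```

The allow-list design matters more than the particular rules: an approach that keeps everything except a list of known identifiers will leak the first column nobody thought to classify, whereas this filter fails closed. The post-condition check is cheap and worth running on every output before it leaves the organization.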
Uses of Protected Health Information (PHI)
Health plans and providers handle PHI in the
course of routine operations, whenever they
receive, transmit or use member information.
Examples include:
- Requests for payment from health care
provider/claims processing
- Inquiry from participant regarding
eligibility or coverage/help desk function
- Coordinating benefits
- Utilization review and underwriting
Permitted uses and disclosures of Protected
Health Information include:
- Communications to and from the
individual
- With the individual's consent or
authorization
- For “Treatment, Payment or health care
Operations” (TPO), but limited to the
“minimum necessary”
- Public policy disclosures
- “De-identified” disclosures
Minimum Necessary Requirement
HIPAA requires that health care organizations
limit the use or disclosure of PHI to the
minimum amount necessary to accomplish the
intended purpose, and make reasonable efforts
to protect the information. The minimum
necessary requirement does not apply to:
- Communications with health care provider
for treatment
- Disclosures to the individual
- Disclosures required by law
To comply with the minimum necessary
requirement, organizations should ask whether
they can complete their duties with less
information, and whether they can accomplish
them with fewer people accessing the
information. To minimize access to data,
organizations must:
- First identify who (which roles or job
functions) needs access to PHI
- Identify what information each of them needs
and the conditions under which it is accessed
- Make reasonable efforts to limit access
accordingly
Before HIPAA, an accounting employee looking
for ways to cut company costs could simply
request participants' protected health
information from the medical plan. Under HIPAA,
the plan may disclose only summary health
information (aggregated claims experience with
identifiers removed) for that purpose.
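The three steps above and the accounting example, as an added example that is not part of the original article: each role is mapped to the fields it needs, a single gateway filters every lookup to that set and records the disclosure, and the plan sponsor's accounting function is offered aggregate summary information instead of member records. The role names, field sets, sample records and the choice of count, total and mean as the "summary" are assumptions for this example.

```python
from datetime import datetime, timezone

# Constructed, fictitious sample records. Field names are assumptions.
RECORDS = [
    {"member_id": "M1001", "name": "Jane Q. Sample", "ssn": "000-00-0001",
     "plan_code": "PPO-A", "coverage_status": "active",
     "claim_id": "C5001", "service_date": "2007-03-02",
     "diagnosis_code": "E11.9", "billed_amount": 1250.00},
    {"member_id": "M1002", "name": "John R. Sample", "ssn": "000-00-0002",
     "plan_code": "HMO-B", "coverage_status": "terminated",
     "claim_id": "C5002", "service_date": "2007-04-11",
     "diagnosis_code": "J45.20", "billed_amount": 310.50},
]

# Steps 1 and 2: who needs PHI, and which fields. Role names and field sets
# are assumptions chosen to match the uses listed earlier (claims
# processing, help desk eligibility inquiries). Deny by default: a field not
# listed for a role is never returned, and a role not listed gets nothing.
ROLE_FIELDS = {
    "claims_processor": {"member_id", "claim_id", "service_date",
                         "diagnosis_code", "billed_amount"},
    "help_desk": {"member_id", "name", "plan_code", "coverage_status"},
}


def has_phi_need(role: str) -> bool:
    """True only for roles with an identified need for member-level PHI."""
    return role in ROLE_FIELDS


class PHIGateway:
    """Step 3: the one path by which PHI leaves the data store, so every
    disclosure is filtered to the role's minimum necessary and logged."""

    def __init__(self, records):
        self._records = {r["member_id"]: r for r in records}
        self.disclosure_log = []   # feeds the accounting of disclosures

    def _log(self, role, member_id, fields, purpose):
        self.disclosure_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "role": role, "member_id": member_id,
            "fields": sorted(fields), "purpose": purpose,
        })

    def lookup(self, role: str, member_id: str, purpose: str) -> dict:
        """Per-member view restricted to the fields the role is entitled to."""
        if not has_phi_need(role):
            raise PermissionError(f"role {role!r} has no defined need for PHI")
        record = self._records[member_id]
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        self._log(role, member_id, view.keys(), purpose)
        return view

    def summary_health_information(self, role: str, purpose: str) -> dict:
        """What the plan sponsor's accounting function receives instead of
        member records: aggregate claims experience with no per-person
        fields. Count, total and mean of billed amounts is an assumption
        about what the sponsor needs."""
        amounts = [r["billed_amount"] for r in self._records.values()]
        total = round(sum(amounts), 2)
        summary = {"claims": len(amounts), "total_billed": total,
                   "mean_billed": round(total / len(amounts), 2) if amounts else 0.0}
        self._log(role, None, summary.keys(), purpose)
        return summary


if __name__ == "__main__":
    gw = PHIGateway(RECORDS)
    print(gw.lookup("help_desk", "M1001", "eligibility inquiry"))
    print(gw.summary_health_information("plan_sponsor_accounting", "premium review"))
    for entry in gw.disclosure_log:
        print(entry)
```

The point of routing all access through one gateway is that the field filter and the disclosure log cannot be bypassed by a convenient direct query; with a small data set the aggregate can still be reversed (two claims and a total give each amount away), so a real deployment would also enforce a minimum group size before releasing a summary.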
Electronic Protected Health Information (EPHI)
Electronic Protected Health Information (EPHI)
refers to any protected health information (PHI)
which is created, stored, transmitted, or
received electronically. Some examples include:
- Personal Computers with their internal
hard drives used at work, home, or traveling
- External portable hard drives, including
iPods
- Magnetic tape or disks
- Removable storage devices such as USB
memory sticks/keys, CDs, DVDs, and floppy
diskettes
- PDAs and smartphones
- Electronic transmission includes data
exchange (e.g., email or file transfer) via
wireless, ethernet, modem, DSL or cable
network connections
- Any new device used to access, transmit,
or receive EPHI is likewise covered by the
HIPAA Security Rule.
10 Steps to Compliance
Organizations following a managed approach have a greater chance of identifying,
managing, and reducing their risks.
Recommended steps include:
- Appoint a privacy officer. The privacy officer
establishes guidelines, receives complaints, etc.
- Separation of duties. Implement protocols to
assure adequate separation of duties. Restrict
access to information and assure minimum
necessary information exposure.
- Policies. Develop policies and procedures, and
impose limitations on access to and use of
protected health information (PHI).
- Access. Identify the information needed by each
employee and the access required to it.
Establish procedures and controls to limit
access.
- Employee training. Provide training as needed,
establish the training frequency, etc.
- Business Associates. Review and modify
contracts, obtain compliance assurances, etc.
- Privacy Notice. Create and distribute Privacy
Notices, and assess your organization's web site
to ensure it complies with the California
On-line Privacy Protection Act.
Altius IT's HIPAA
10 Step Implementation Roadmap helps
organizations meet compliance requirements.
Assessment
Network and security assessments
help organizations:
- Review their HIPAA implementation,
document current status, and identify gaps
- Comply with HIPAA and other regulations
such as the California On-line Privacy
Protection Act
- Reduce risks when sharing information
within and outside the organization
Summary
HIPAA's privacy standards address the
use and disclosure of health information,
patient consent and authorization for the use of
information, and patients' rights to review their
health information and to demand an accounting of
disclosures of it.
HIPAA's security standards for health
information include administrative, technical
and physical safeguards to ensure the integrity
and confidentiality of health information and to
protect against security breaches and
unauthorized use or disclosure of health
information.
HIPAA's electronic data interchange standards
set the format and data elements for certain
transactions, such as health claim status,
eligibility for a health plan, health plan
enrollment, etc.
The privacy and security requirements demand a
significant commitment of time and resources.
Network and security assessments help
organizations meet compliance requirements
cost-effectively by identifying, managing, and
reducing their risks.
Publication and Author Information
Jim Kelton is president of Altius IT, an IT risk
management consulting company based in Santa
Ana, California. Mr. Kelton has over 30 years of
experience in the Information Technology
industry and is recognized as a security expert.
He is certified by the Information Systems Audit
and Control Association (ISACA) as a Certified
Information Systems Auditor (CISA).
Jim Kelton
Altius Information Technologies, Inc.
1506 Brookhollow Drive, Suite 122
Santa Ana, CA 92705
(714) 442-6670
