HIPAA Compliance can be a complex issue. Especially with advancements in technology and the rising prominence of social media and online reviews. However, there is a degree of solace in knowing that you are not alone in your quest to successfully navigate HIPAA requirements. Medical office managers across the country must be able to effectively understand the federal regulations that deal with protected health information (PHI).
The regulations safeguarding PHI is covered under the Health Insurance Portability and Accountability Act. Originally enacted in 1996, it set national standards and laid down the law for how physician offices, hospitals, and business associates are to protect sensitive and confidential health information. Commissioned with the task of writing the regulation, the U.S. Department of Health and Human Services (HHS) broke it down into two rules: the privacy rule and the security rule.
HIPAA’s Security Rule
Addressable vs Required specifications
In 2003 HHS published a final security rule, which protects the confidentiality, integrity and availability of electronic PHI. The rule specifically outlines a series of required administrative, technical, and physical security procedures for covered entities and business associates. The standard also established two types of implementation specifications—required and addressable. To better understand the difference, let’s take a look at their definitions and how it relates to your organization’s HIPAA compliance.
Required - Just how it sounds. If an implementation specification is deemed required then under HIPAA it must be implemented.
Addressable -This is where it gets a little less straightforward. HHS developed addressable implementation specifications to give covered entities flexibility when complying with its security standards. Here’s how it works:
- Covered entities must assess and analyze whether a specification is a reasonable and appropriate safeguard for its environment.
- Determining factors such as the size and capability of the organization as well as the practicality of the specification can play a key role in the decision process.
- An organization has the right to reject compliance if it is not an appropriate answer to their security needs. However, to comply with HIPAA standards you must rectify the issue by:
- Implementing another equivalent specification, or;
- Not implement one at all. However, keep in mind that documenting the rationale behind the decision is a HIPAA requirement. Failure to submit proper documentation will result in a violation and is subject to monetary penalties.
Protecting Your Organization Against Cyber-Attacks and Ransomware
Safeguarding PHI from cyber-attacks is of utmost importance. One such threat in today’s society is ransomware. This malicious software created by hackers encrypts information so that it is no longer accessible. To remove the encryption the hacker demands ransom for a decryption key that results in the unlocking of the files. To keep your organization’s information breach-free HIPAA requires the following measures:
- Implement a security management process that includes conducting a comprehensive risk analysis identifying threats and vulnerabilities to the organization’s electronic data.
- Perform security measures to mitigate or remediate any identified risks.
- Implement procedures to guard against and detect malicious software.
- Provide users with malicious software training to assist in detection and arm them with the proper procedures to report a cyber-attack should it occur.
- Put controls in place to limit access to individuals and software programs that need to have the information as required for the job at hand.
Stay Current on HIPAA Violations
With instances of data breaches on the rise all organizations that handle PHI must take the necessary steps to protect sensitive information and avoid a HIPAA violation. With routine HIPAA updates, it is necessary to ensure that your practice stays up to date on all HIPAA regulations. Our new HIPAA Compliance ebook provides best practices to help protect your office. Download it today.