Auditing for HIPAA Flashcards

1
Q

What is a HIPAA Security Risk Assessment?

A

Prior to implementing safeguards, organizations need to know what kind of PHI they can access, where they have gaps and security risks, and what can threaten the integrity and security of PHI. HIPAA stipulates that covered entities and their business associates complete a thorough risk assessment to identify and document vulnerabilities within their business.

2
Q

Performing a security risk analysis is the first step to identify vulnerabilities that could result in a breach of PHI.

A

HIPAA does not prescribe how a risk analysis should be conducted, because the rule recognizes that the needs and vulnerabilities of covered entities and business associates often differ greatly from one another, and that organizations of different sizes have access to different levels of resources. However, you do need proof that your organization has conducted a risk assessment.

3
Q

Determine the Scope of Your Risk Analysis

A

A Security Risk Assessment is a thorough and accurate audit of your business's administrative, physical, and technical safeguards to identify vulnerabilities and risks to the integrity and sanctity of ePHI.

4
Q

A risk analysis of your Administrative Safeguards

A

takes a long hard look at the process that your business has in place to maintain the integrity of PHI. As part of the process, ask yourself these questions:

What kind of security procedures does your business have in place?
Are your employees aware of and trained in HIPAA Security regulations?

5
Q

The Physical Safeguards portion of the assessment

A

will review the physical property of your organization to determine its vulnerabilities. Ask yourself:
Are your healthcare records locked up?
Do you have alarm and access control systems in place?

6
Q

When reviewing Technical Safeguards, evaluate

A

the technology that your organization is using to keep the electronic access, storage, or transmission of PHI secure. Evaluate:
What kind of encryption are you using?
Are systems protected against unauthorized access?

7
Q

Your risk analysis should not just recognize current risks, but also identify

A

any potential risks that your organization could face that would threaten the integrity and confidentiality of the PHI it has access to. In addition to electronic media stored on your computers and servers, this includes CDs, jump drives, and your network.

8
Q

A HIPAA risk assessment is an essential element of

A

HIPAA compliance that can help identify areas of vulnerability and weakness to prevent data breaches.

9
Q

What is a “reasonably anticipated threat”?

A

Reasonably anticipated threats are any threats to HIPAA compliance that are foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training. This is why a “big picture” view of organizational workflows is essential to identify reasonably anticipated threats.

10
Q

Who is responsible for conducting a HIPAA security risk assessment?

A

HIPAA security risk assessments are conducted either by a HIPAA Compliance Officer or, if responsibility for HIPAA compliance is shared between a HIPAA Privacy Officer and a HIPAA Security Officer, by the HIPAA Security Officer with assistance from his or her colleague, depending on the nature of the risks identified.

11
Q

What are the Penalties for Breaching HIPAA?

A

The penalties for breaching HIPAA vary according to the nature of the violation, the level of culpability, and the amount of assistance given to HHS during investigations into the breach. The penalties were originally implemented in the HITECH Act 2009 and increase each year to account for inflation.

12
Q

What Steps Should You Take for HIPAA Compliance?

A

The steps you should take for HIPAA compliance depend on the nature of your business and your access to Protected Health Information. HHS publishes several tools to help Covered Entities determine what steps to take for HIPAA compliance, but if you are still unsure about the requirements, you should seek professional compliance advice.

13
Q

What is the HIPAA Security Rule?

A

The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced due to more Covered Entities adopting technology and replacing paper processes.

14
Q

What is the HIPAA Privacy Rule?

A

The HIPAA Privacy Rule – or “Standards for Privacy of Individually Identifiable Health Information” – was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, these laws continue to apply.

15
Q

What is the HIPAA Breach Notification Rule?

A

The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclosed without permission.

16
Q

What is the HIPAA Omnibus Rule?

A

The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.

17
Q

What is the HIPAA Enforcement Rule?

A

The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violation cases. It is important to note that other agencies (for example, the Centers for Medicare and Medicaid Services) can take HIPAA enforcement actions, and these may have their own procedures.

18
Q

What is the Minimum Necessary Rule?

A

The Minimum Necessary Rule – sometimes called the “Minimum Necessary Standard” or “Minimum Necessary Requirement” – is a key element of the HIPAA Privacy Rule. The Rule stipulates that HIPAA-covered entities make reasonable efforts to ensure access to PHI is limited to the minimum necessary to accomplish the intended purpose of a particular use, disclosure, or request – and nothing more.

19
Q

What are the HIPAA Retention Requirements?

A

The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years.

20
Q

Are there Rules about Sharing PHI on Social Media?

A

The HIPAA Privacy Rule was enacted many years before most social media platforms existed, and therefore there are no specific HIPAA social media rules. However, except for permitted uses, the disclosure of personally identifiable information without a patient's consent is a violation of HIPAA, and sharing PHI on social media falls into this category.

21
Q

What is the Difference between Patient Consent and Patient Authorization in HIPAA?

A

Although not a requirement of the HIPAA Privacy Rule, Covered Entities may wish to obtain a patient's consent before, for example, providing treatment. By contrast, a Covered Entity has to obtain a patient's authorization via a HIPAA Release Form before disclosing personally identifiable information other than for a permitted use.

22
Q

Are Pagers HIPAA-Compliant Communication Tools?

A

This depends on what the pagers are being used for and what capabilities they have. If a pager is not being used to communicate ePHI, HIPAA compliance is not an issue. If a pager is being used to communicate ePHI, it has to have capabilities such as user authentication, remote wipe, and automatic log-off.

23
Q

How Does the EU's General Data Protection Regulation Affect HIPAA Compliance?

A

While the EU's General Data Protection Regulation (GDPR) does not affect HIPAA compliance in any way, it does introduce a further set of regulations for Covered Entities and Business Associates that collect, process, share, or store data relating to EU citizens, for example if an EU citizen receives medical treatment in the USA.

24
Q

The requirement for Covered Entities and Business Associates to conduct a HIPAA risk assessment is not a new provision of the Health Insurance Portability and Accountability Act.

A

The requirement was first introduced in 2003 in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process), and subsequently extended in the HITECH Act 2009 to cover the procedures following a breach of unsecured PHI to determine if there is a significant risk of harm to an individual due to the impermissible use or disclosure.

25
Q

What Is a Transaction?

A

A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care. For example, a health care provider will send a claim to a health plan to request payment for medical services.

26
Q

Standards for Transactions

Under HIPAA, HHS adopted certain standard transactions for the electronic exchange of health care data. These transactions include:

A
Payment and remittance advice
Claims status
Eligibility
Coordination of benefits
Claims and encounter information
Enrollment and disenrollment
Referrals and authorizations
Premium payment