HIPPA Compliance - Research Paper Example

Summary
The paper discusses what Security Rule measure each corrective action element falls under and why and for each of the “5” corrective action elements mentioned in the real world case, discusses where these corrective actions fall within the Security Rule requirements and why…

Extract of sample "HIPPA Compliance"

HIPAA COMPLIANCE

Questions:

1. Discuss what Security Rule measure each corrective action element falls under and why. For each of the “5” corrective action elements mentioned in the real world case, discuss where these corrective actions fall within the Security Rule requirements and why.

The first corrective measure undertaken by Providence Health and Services, the revision of policies and procedures on physical and technical safeguards, falls directly under § 164.308 of the Security Rule, Administrative Safeguards, which deals with the implementation of various policies, including security management (Krager and Krager, 86) and the physical and technical security of data (access authorization, access establishment and modification, and security incident procedures). The HIPAA Security Rule assigns control and monitoring of the Administrative Safeguards to a security officer, whose responsibility is to develop and implement the policies and procedures (gap analysis, log audits, etc.) (Krager and Krager, 88). In addition, this measure is partially governed by § 164.312 (a) of the Security Rule, Technical Safeguards, which obligates entities to establish technical policies that grant access to electronic data only to authorized people and software.

The second corrective action offered by Providence Health and Services, which is to be implemented to improve off-site transport and storage of electronic data, falls under § 164.310 of the Security Rule, Physical Safeguards, particularly § 164.310 (d), which contains procedures on media and hardware removal and transportation, and § 164.310 (b and c), which specify workstation use and security, including physical safeguards for all workstations. Workstation access to information is to be limited strictly to the job description (Krager and Krager, 94). Moreover, the use and disposal of various storage devices, such as disks, tapes, text messaging and camera cell devices, must be documented (Krager and Krager, 95).
The third corrective step by Providence Health and Services, involving workforce training on the safeguards, falls under § 164.308 (5), Administrative Safeguards, which covers the implementation of security awareness and training programs, including security reminders and updates, methods of protection from malicious software, log-in monitoring and password management. The training programs aim to stimulate awareness about the vulnerability of data within the electronic system (Krager and Krager, 90). Training should also include password usage and password change to ensure the safety of the system (Krager and Krager, 90).

The fourth corrective measure undertaken by Providence Health and Services includes the conduct of audits and site visits, which is regulated in § 164.308 (8) of the Security Rule, Administrative Safeguards, and § 164.312 (b), Technical Safeguards. According to the Administrative Safeguards, entities are expected to perform a periodic technical and nontechnical evaluation of their security policies, standards and procedures. Every provider must complete the risk analysis, which includes the assessment of possible harm or loss to any software, hardware, communication, etc. (Krager and Krager, 86). Moreover, the Technical Safeguards mandate the use of audit trails, tracking which password or workstation accessed information (Krager and Krager, 98). Audit trails provide necessary evidence during “after-the-fact” investigations (Krager and Krager, 98). Although the Administrative Safeguards do not mention site visits of facilities, these are reasonably included in a nontechnical evaluation. In addition, as stated in the Technical Safeguards (§ 164.312 (b)), entities must implement audit controls, in particular establishing hardware, software and procedural mechanisms to record and analyze activity around protected health data.
The fifth corrective measure, submission of compliance reports to the US Department of Health and Human Services for three years, is not directly addressed by the HIPAA Privacy and Security Rules. However, according to § 164.316 (2), entities are required to review documentation and update it as needed in response to environmental and operational changes impacting the security of electronic health information. Moreover, during an audit the Centers for Medicare and Medicaid Services can request procedures and policies outlining how the provider meets the administrative safeguard requirements of the Security Rule (Krager and Krager, 86).

2. How might an organizational requirement element have been helpful here? Be specific in citing items discussed in the article and relating them back to the organizational element.

Providence Health and Services is a covered entity; thus, according to § 164.105, it must comply with HIPAA regulations. As indicated by Portland Business Journal (2008), two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care, violated the HIPAA Privacy and Security Rules by losing identifiable electronic data of patients. From a legislative standpoint, the HIPAA Privacy and Security Rules differentiate between covered entities, hybrid entities and health care components. In the context of the violations that occurred, both Providence Home and Community Services and Providence Hospice and Home Care, regardless of their legal status (covered entities or health care components), had to comply with those norms of the HIPAA Privacy and Security Rules that specifically address the protection and nondisclosure of electronic health information (§ 164.105 (c) and § 164.105 (e)).
A business associate contract between a provider and a third party (clearinghouse, IT company, etc.) must state that reasonable and appropriate safeguards are in place to protect the confidentiality and integrity of electronic patient information (Krager and Krager, 101). HIPAA identifies protected health information as information created or received by or on behalf of the health care component of the covered entity. Moreover, if an individual performs duties for one or more health care components of the same covered entity, such an individual must not use or disclose protected health information received in the course of work.

3. The article says, “backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen.” List and discuss three safeguards that may have prevented this from happening. Relate your discussion back to the specifics from the real world case.

The Technical Safeguards of the HIPAA Privacy and Security Rules, § 164.321, particularly section E, indicate that entities are obliged to implement a mechanism for electronic data encryption. Encryption technology changes readable text into a vast series of “garbled” characters using complex mathematical algorithms (Krager and Krager, 99). In the incident at Providence Health and Services, in which media and hardware (backup tapes, optical disks and laptops) containing electronic patient information were lost or stolen, had the data been encrypted, the chances that it could be retrieved would have been limited.

The Physical Safeguards of the HIPAA Privacy and Security Rules, § 164.310 (d), indicate that organizations should implement effective procedures and policies on the receipt and removal of hardware and media with electronic protected health information into and out of a facility.
In addition, entities must maintain a record of any movements of hardware and electronic media and of any personnel responsible for it (Krager and Krager, 95).

Under the Administrative Safeguards of the HIPAA Privacy and Security Rules, § 164.308, specifically part 5, organizations must conduct appropriate security awareness and training to prevent typical cases of negligence with protected health information. Periodic training is required for all staff and is to be reasonable and appropriate to carrying out personnel’s functions in the facility (Krager and Krager, 90). According to Portland Business Journal (2008), media and hardware “were left unattended…subsequently lost or stolen,” therefore training and security awareness programs either were not implemented or were ineffective.

REFERENCES

Krager, Dan, and Krager, Carole H. (2008). HIPAA for Health Care Professionals. Delmar Cengage Learning.

Providence to pay $100k for HIPAA violations. (2008). Portland Business Journal, 07/21/08. Retrieved from September 20, 2010

The HIPAA Security Rule. (2003). 45 CFR 160, 162, and 164. Retrieved from <http://web.interhack.com/publications/hipaasec/part164> September 20, 2010