HIPAA/HITECH! Another Tidal Wave – Does Anyone Remember Sarbanes-Oxley (SOX-404)?

By Fouad Khalil on November 20, 2015
Fouad Khalil

VP of Compliance with more than 25 years of experience in the technology space, spanning software development, IT support, program and project management and, most recently, IT Security and Compliance management. Key areas of focus include Information Technology, internal controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. Experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA Member and CISA Certified.


The HIPAA Story

1996 – The Health Insurance Portability and Accountability Act (HIPAA) was passed. Its major objectives were 1) to ensure that individuals were able to maintain health insurance between jobs and 2) to ensure the security and confidentiality of patient information/data.

The HIPAA law required the U.S. Department of Health and Human Services (“HHS”) to issue regulations, called the rules, on specific areas of HIPAA. These rules define uniform standards for transferring health information among healthcare providers, health plans, and clearinghouses while securing health information and ensuring patient privacy and confidentiality.

Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy and Security Rules issued by HHS or found within HIPAA.

2009 – As patient and health record information was converted to digital files, HHS issued regulations requiring health care providers, health plans, and other entities covered by HIPAA to notify individuals if and when their health information has been breached. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

2011-2012 – KPMG was awarded the contract by HHS to develop the audit protocol and then conduct audits of HIPAA Covered Entities (CE) and Business Associates (BA). This was considered Phase 1 and a pilot.

Compliance Tidal Wave – How do I keep up?

Organizations in the health industry are facing a wide range of laws, control implementations, audits and breach notification requirements that are new and unfamiliar within the industry. As a covered entity or a business associate, you are now faced with ongoing compliance obligations under the HIPAA Privacy and Security Rules and the HITECH breach notification rule.

Unfortunately, the government is not letting up any time soon – it is actually more active than ever in updating and enforcing the laws mentioned above.

What does the near future hold? Looking forward to 2016 – the OCR will be busy, as it will be selecting approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. The plan is to cover more CEs and BAs while auditing each less extensively. One would think less is good, but less is not better in this case, since the audits will focus on findings from the prior audit phase. To name a few criteria:

  • risk analysis and risk management;
  • content and timeliness of breach notifications;
  • notice of privacy practices;
  • individual access;
  • the Privacy Standards’ reasonable safeguards requirement, and training on policies and procedures;
  • device and media controls;
  • transmission security.

Healthcare organizations today are struggling to keep up as they:

  • Face the ongoing challenge of ensuring patient information is adequately protected;
  • Must go beyond complying with the HIPAA law to develop comprehensive security risk management programs that effectively defend against evolving threats;
  • Face active audits on an annual basis with no end in sight.

Considering the massive hacker attacks on Anthem Inc. (up to 80 million records at risk), it is not surprising that hackers are perceived as the top emerging threat for many healthcare entities. Many organizations say they haven’t had a breach – either they are getting better at breach prevention, or they are failing to detect breaches.

What should companies do?

Assess your HIPAA compliance program. Be ready for when the OCR comes knocking. Make sure to implement security measures beyond what the law states, since ePHI has become the hottest item in cybercrime.

Boost staff members’ security awareness to better prevent and detect breaches. Invest in security tools that help you reduce, and even eliminate, the risk of ePHI being compromised.

If you have not already done so, expand your compliance program to include on-premise networks, offshore systems, mobile devices and, of course, cloud installations. Protected health information could be everywhere.

Glossary – Acronyms used:

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Mandates industry-wide standards for health care information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information.

Covered entities (CE) are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

A “business associate” (BA) is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

The mission of the Office for Civil Rights (OCR) is to improve the health and well-being of people across the nation; to ensure that people have equal access to and the opportunity to participate in and receive services from HHS programs without facing unlawful discrimination; and to protect the privacy and security of health information in accordance with applicable law.

The mission of the U.S. Department of Health & Human Services (HHS) is to enhance and protect the health and well-being of all Americans.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
