HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the standard for protecting sensitive patient data. The HIPAA rules apply to any organization based in the United States that handles an individual's health information.

If you are developing a healthcare application that collects personal data about the person using it solely for that person's own use, then the application is not subject to HIPAA compliance requirements for medical software.

If, however, the personal data collected will be shared with a medical professional or another HIPAA Covered Entity (a health insurance organization, for example), then the data is considered Protected Health Information (PHI) and the application needs to be HIPAA compliant. HIPAA compliance requires any organization that handles PHI to maintain and follow all of the required physical, network, and process security measures.

The three major provisions addressed in the HIPAA law are: Portability, Medicaid Integrity Program (MIP) / Fraud & Abuse, and Administrative Simplification.
When developing a HIPAA compliant healthcare application, only the third provision needs to be maintained and followed. The Administrative Simplification provision implements rules across the healthcare industry for standard transactions & code sets, identifiers, security and privacy.

The five major Standards or Rules maintained under the HIPAA Administrative Simplification Regulations are: the Privacy Rule, the Security Rule, the Transactions & Code Sets (TCS) Rule, the Unique Identifiers Rule and the Enforcement Rule.

  • The HIPAA Privacy Rule addresses the saving, retrieving, accessing and sharing operations performed on an individual's medical and personal information.
  • The HIPAA Security Rule more specifically defines national security standards to protect health data that is created, received, maintained or transmitted electronically, that is, electronic Protected Health Information (ePHI).
  • The HIPAA Transactions and Code Sets (TCS) Rule governs how the health care industry conducts business electronically. It establishes the business-to-business transactions, designates the transaction standard to follow, and determines the codes to be used.
  • The HIPAA Identifier Rule mandates uniform identifiers for plans, providers, and employers.
    * Health Plan – HIPAA mandates the adoption of a standard health plan identifier, which applies to all health plans, healthcare providers, and healthcare clearinghouses that carry out electronic healthcare transactions.
    * Provider – HIPAA authorizes the adoption of a standard provider identifier. The proposed rule includes a National Provider Index, and every provider receives one unique number.
    * Employer – HIPAA mandates the adoption of a standard employer number. The proposed rule proposes using the Internal Revenue Service (IRS) Employer Identification Number (EIN).
  • The HIPAA Enforcement Rule sets out the rules governing the responsibilities and requirements of covered entities and business associates, and how HHS expects them to cooperate in the enforcement process. HHS carries this out through two mechanisms: investigation of the complaints it receives, and compliance reviews.

The HHS requires an organization hosting sensitive patient data to follow certain guidelines with regard to physical and technical safeguards.

The physical safeguards include:

  • Facility access controls, so that only authorized persons can enter.
    This can be done by implementing procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
  • Use and access policies for workstations and electronic media.
    Implementing procedures for removing ePHI from electronic media before the media are made available for re-use is useful here, together with maintaining a record of the movements of hardware and electronic media and of any person responsible for them.
  • Restrictions on transferring, deleting, disposing of, and re-using electronic media and ePHI.
    This can be implemented through policies and procedures that specify the proper functions to be performed and the manner in which those functions are to be performed.

The technical safeguards of HIPAA require access control that allows only authorized personnel to access ePHI.
Access controls include:

  • Unique user IDs, emergency access procedures, automatic log-off, and encryption and decryption procedures.
  • Audit reports or log tracking that record activity on hardware and software.

Other technical policies for HIPAA compliance cover integrity controls: measures that confirm ePHI has not been altered or destroyed.

IT disaster recovery and offsite backup are the essential components that ensure electronic media errors and failures are quickly rectified, so that patient health information is recovered accurately and intact.

The final technical safeguard is network, or transmission, security, which ensures that HIPAA compliant hosts protect ePHI against unauthorized access. This covers all methods of data transmission, including email, the internet, and private networks.

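The technical safeguards above (unique user IDs, automatic log-off, audit logging and integrity controls) are easier to reason about when seen together in code. The following is an added example written for this page, not code from the original article: a minimal in-memory ePHI store that enforces a per-user session with an idle timeout, a role-based permission matrix, an audit entry for every attempt (allowed or denied), and an HMAC-SHA256 tag that detects alteration of a stored record. The role names, the 10-minute timeout and the integrity key are constructed assumptions for the demo; a real deployment would take the key from a KMS or HSM and the timeout from its access-control policy.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Demo-only constants (constructed). In production the integrity key lives in a
# KMS/HSM and the idle timeout comes from the organization's access-control policy.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"
IDLE_TIMEOUT_SECONDS = 600  # automatic log-off after 10 minutes idle (assumed value)

# Role-based access matrix (assumed roles; the page only says "authorized personnel").
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}


def _canonical(record: dict) -> bytes:
    # Stable serialization so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag so later alteration is detectable."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"body": dict(record), "tag": tag}


def verify(sealed: dict) -> bool:
    """True only if the stored body still matches its tag (constant-time compare)."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


@dataclass
class EphiStore:
    """Minimal ePHI store enforcing unique user IDs, automatic log-off and audit logging."""
    records: dict = field(default_factory=dict)   # patient_id -> sealed record
    sessions: dict = field(default_factory=dict)  # user_id -> Session
    audit_log: list = field(default_factory=list)

    def _audit(self, now, user_id, action, patient_id, outcome):
        # Every attempt, allowed or denied, is recorded: that is the point of an audit trail.
        self.audit_log.append({"ts": now, "user": user_id, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def login(self, user_id: str, role: str, now: float) -> None:
        # Each person gets their own identifier; shared accounts would defeat the audit trail.
        self.sessions[user_id] = Session(user_id, role, now)
        self._audit(now, user_id, "login", None, "ok")

    def _authorize(self, user_id, action, patient_id, now):
        session = self.sessions.get(user_id)
        if session is None:
            self._audit(now, user_id, action, patient_id, "denied:no-session")
            return None
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic log-off: an idle session is terminated, not silently refreshed.
            del self.sessions[user_id]
            self._audit(now, user_id, action, patient_id, "denied:auto-logoff")
            return None
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._audit(now, user_id, action, patient_id, "denied:role")
            return None
        session.last_activity = now
        return session

    def write(self, user_id, patient_id, record, now) -> bool:
        if self._authorize(user_id, "write", patient_id, now) is None:
            return False
        self.records[patient_id] = seal(record)
        self._audit(now, user_id, "write", patient_id, "ok")
        return True

    def read(self, user_id, patient_id, now):
        if self._authorize(user_id, "read", patient_id, now) is None:
            return None
        sealed = self.records.get(patient_id)
        if sealed is None or not verify(sealed):
            # An integrity failure is logged and the record withheld rather than served as-is.
            self._audit(now, user_id, "read", patient_id, "denied:integrity")
            return None
        self._audit(now, user_id, "read", patient_id, "ok")
        return sealed["body"]


def demo() -> dict:
    """Exercise each control on constructed data and return the observed outcomes."""
    store = EphiStore()
    store.login("dr.smith", "physician", now=1000.0)
    store.login("bill.ops", "billing", now=1000.0)
    out = {}
    out["physician_write"] = store.write("dr.smith", "P001", {"dx": "I10"}, now=1010.0)
    out["billing_read"] = store.read("bill.ops", "P001", now=1020.0) is not None
    out["billing_write"] = store.write("bill.ops", "P001", {"dx": "X"}, now=1030.0)
    out["auto_logoff"] = store.read("bill.ops", "P001", now=1020.0 + IDLE_TIMEOUT_SECONDS + 1)
    store.records["P001"]["body"]["dx"] = "Z00"  # simulated alteration behind the store's back
    out["tampered_read"] = store.read("dr.smith", "P001", now=1040.0)
    out["audit_entries"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the billing role reading but not writing, the idle billing session being logged off rather than served, and the altered record being withheld with a `denied:integrity` audit entry; seven audit entries are produced in total, one per attempt including the two logins.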
A HIPAA violation is a breach in an organization's compliance program that compromises the integrity of PHI or ePHI. Under the HIPAA Privacy Rule, an organization that falls victim to a healthcare data breach, or that fails to give a patient access to their PHI, may be fined by the OCR (Office for Civil Rights).

Implementing HIPAA regulations in an application can increase the product's cost, since it involves incorporating and applying the physical and technical safeguards for Protected Health Information that the application is required to maintain.

Muriel Fernandes
