May/June 2018

Page 14

BUSINESS ADVISORY SERVICES

HIPAA Compliance for Healthcare Clients BY DEBORAH A. NAPPI, CPA, SAX LLP

As technology continues to expand in the healthcare sector with the use of electronic health records (EHR), medical devices, telehealth, telemedicine, e-prescribing and smartphone medical applications, cybercriminals are increasingly launching attacks on both small and large healthcare organizations. In recent months, healthcare organizations have been forced to pay ransom for the release of medical records in order to limit the disruption to their operations while ensuring their patients’ safety and quality of medical care. Today more than ever, it is critical to properly safeguard patient information against such attacks.

As the healthcare industry began to transition from paper processes to electronic systems for administrative and clinical functions, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of individuals’ health information. The burden of protection falls upon medical providers, covered entities (CE), defined as health plans, healthcare clearinghouses and healthcare providers who electronically transmit any health information, and business associates (BA), which are outside entities that create, receive, maintain or transmit protected health information in the course of performing their duties on behalf of the healthcare entity. BA services include legal, accounting, consulting, data aggregation, health information technology and subcontractors of business associates. A risk assessment and documentation of the BA’s information technology systems is also required, and BAs are held directly liable for HIPAA violations.
The result of this requirement was the development of the HIPAA Privacy Rule, which established national privacy standards for the protection of an individual’s health information, and the HIPAA Security Rule, which established national standards for the security of electronic Protected Health Information (ePHI). In addition, the Breach Notification Rule requires CEs and BAs to provide notification following a breach of unsecured Protected Health Information.

MAY/JUNE 2018 | NEW JERSEY CPA

HIPAA PRIVACY RULE

The Privacy Rule is the most common HIPAA compliance rule. It applies to both manual and EHR systems and covers any form of protected health information, including payment information. Because of its significance, this rule has the most stringent requirements for compliance. Providers must inform patients of the healthcare practice’s privacy and security procedures regarding the patient’s health records. While a healthcare provider owns the patient’s medical records, the patient has the right to access the file and to obtain copies of such records. HIPAA requires medical records to be maintained by a provider for at least six years after the later of the date of creation or the date when last in effect. Longer holding periods may be required by state laws.

The Security Rule was established to protect electronic medical records through adherence to security protocols that guard against cyber attacks and data loss. The Security Rule has several safeguards and requirements which must be adhered to:

1. Administrative safeguards: Actions, policies and procedures to prevent, detect and correct security violations. Healthcare providers are required to perform a risk analysis as part of their security management process. This process evaluates the likelihood and impact of potential risks to electronic patient medical records and then implements security measures to address the risks identified. Documentation of the security measures, along with continuous maintenance of these measures, is required.

In securing both manual records and electronic medical data, there are many questions that should be asked of your healthcare organization. At a minimum, the basic issues that should be addressed are as follows:

• How are your paper files and computer files secured?
• How have you ensured that only authorized personnel access or