Today, more than ever before, it has become increasingly apparent that the daily functioning of a healthcare institution fundamentally depends on the integrity, availability and dependability of its information systems. Patient health information, research, operations, and finance all depend on highly accessible, reliable, and robust software applications, data, and information technology infrastructure (Glaser & Aske, 2010).
Consequently, healthcare providers are required by law to strictly observe a complexity of standards as outlined in the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). This paper reviews some underlying issues related to organizational policies, procedures and documentation requirements governing health entities for HIPAA compliance.
Issues in Information Technology & Reporting Data
One of the underlying issues covered in the document is the need for covered entities to tighten internal and external compliance procedures by ensuring that their business associates subscribe to a set of standards and requirements aimed at ensuring the integrity and reliability of electronic protected health information (EPHI).
This objective is achieved by ensuring that the covered entity obtains signed privacy agreements with the business associates, particularly on the use and disclosure of EPHI (HIPAA, 2007).
The second issue concerns the need for the covered entity and its associates to conduct regular audits on EPHI, not only to ensure compliance with the requirements and standards outlined in the Act, but also to guarantee that EPHI is used for the intended purposes. Business associates, such as software developers, must therefore develop and implement record-level security aimed at restricting access to EPHI solely to those who are allowed by the Act (Sarrico & Hauenstein, 2011).
Third, the properties of EPHI that require safeguarding under the rules and regulations of HIPAA also come out strongly in this document. Indeed, the Act requires all stakeholders – covered entities, sponsors, business associates, and subcontractors – to always ensure the confidentiality, integrity, and availability of EPHI (HIPAA, 2007).
For example, a sub-agent contracted by a business associate of a covered entity to create a component of the electronic health record (EHR) must not only ensure the confidentiality, integrity and availability of EPHI in its possession, but must also sign compliance agreements that assign the task of implementing reasonable and appropriate safeguards to the subcontractor (HIPAA, 2007; Cannoy & Salam, 2010).
Fourth, the article has comprehensively discussed how breaches to the security of patient health information should be addressed either by the covered entity or by the business associates, sponsors, or subcontractors.
Lastly, the document has outlined how policies and procedures required by the Security Rule should be incorporated with the organization’s mission and culture to enable effective implementation. Here, the covered entities are given a leeway to modify the rules and procedures of the Security Rule to fit their current business practices for policy development and implementation, as long as the modifications are documented and implemented in accordance with the requirements of the Act (HIPAA, 2007).
The Health Information Technology for Economic and Clinical Health (HITECH) Act defines a breach as the “…acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the HIPAA privacy rule] which compromises the security or privacy of the protected health information” (Brown, 2009, p. 27).
As such, any use, disclosure of, or access to, electronic patient health information that is not expressly permitted by the HIPAA privacy rule constitutes a security breach.
For example, improperly disclosing patient health information that contains the name of the patient and the dates of his/her appointments to a third party who is not allowed by the HIPAA security rule to have access to such information constitutes a violation of the privacy rule but not a substantial risk; however, the improper use or disclosure of sensitive patient information, such as the type of services received by the patient, constitutes a breach, since such disclosure could result in harm to the patient (Brown, 2009).
Technologists working in the covered entity should report breaches to the individuals who could be harmed as a direct consequence of the breach. Serious breaches, such as those involving more than 500 patients in a given state or jurisdiction, must be reported to the media and to the Secretary of the Department of Health and Human Services (HHS).
For breaches involving fewer than 500 patients, however, the technologists need to report to the administration of the covered entity, who then maintain a log of the reported breaches in order to notify the HHS no later than 60 days after the end of the calendar year (Brown, 2009).
The requirements noted in the document include: organizational requirements; requirements for group health plans; and policies, procedures and documentation requirements.
Under the organizational requirements, the covered entity is required to enter into binding contracts or other arrangements with business associates who will have direct access to the covered entity’s EPHI, ensuring the effective implementation of administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI.
This requirement also outlines ways through which the business associates should report breaches to the security and privacy of patient data, and the consequences for non-compliance (HIPAA, 2007).
The standard on the requirements for group health plans obliges the “…group health plan to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard EPHI that it creates, receives, maintains or transmits on behalf of the group health plan” (HIPAA, 2007, p. 5).
This implies that the plan sponsor of a group health plan who has access to sensitive electronic patient health data is required by the Security Rule to include in the plan documents language similar to that already required by the Privacy Rule.
Consequently, the sponsor must not only ensure reasonable and appropriate safeguards for the confidentiality, integrity, and availability of EPHI at its disposal, but must also ensure that any agent, including a subcontractor, to whom it makes this data available is obliged to implement reasonable and appropriate security measures to safeguard the information (HIPAA, 2007).
Lastly, the requirements deal with issues of how a covered entity may modify its policies and procedures to fit its mission and organizational culture, provided that the modifications are documented and implemented in accordance with the Security Rule (HIPAA, 2007).
According to Withrow (2010), these requirements provide the covered entities with the flexibility they need to implement the policies and procedures of the Security Rule according to their standard business practices, but they must take caution not to circumvent the requirements as enshrined in the Security Rule.
Under the documentation standard, covered entities are not only required to retain documentation for a specified number of years (6 years) from the date of its creation or from the date when the document was last in effect, but they are also supposed to make the documentation available to the individuals responsible for implementing the procedures to which the documentation pertains (HIPAA, 2007). Reviewing and updating the documentation as needed is also a requirement.
To ensure adherence to the requirements discussed above, covered entities must embrace extensive and regular training of all employees, with particular emphasis on employees in their information technology departments (Sarrico & Hauenstein, 2011).
The rules, standards, and requirements contained in the HIPAA are complex, thus the need for IT workers to undertake comprehensive training aimed at enlightening them on scenarios that may compromise the security and privacy of EPHI to a level that may make the entities non-compliant. Indeed, the extensive training and education should be extended to the employees of the business associates.
Non-Compliance with the Requirements
Organizations are often found to be non-compliant with the standards and requirements discussed in this paper for a number of reasons, the major one being a lack of proper understanding of what may be considered a breach of the security and privacy of EPHI (Withrow, 2010).
For example, healthcare organizations may not know that some simple acts such as a nurse giving a hospital discharge sheet to the wrong patient may constitute a breach if the health information (e.g., treatment for drug abuse) of the rightful owner is included in the discharge sheet.
Varied interpretations of the standards have also been cited as a major cause of non-compliance (Sarrico & Hauenstein, 2011). Lastly, failure on the part of the covered entity to implement policies and strategies that lead to reasonable and appropriate protection of the confidentiality, integrity, and availability of EPHI also results in non-compliance.
The legal liability for non-compliance with HIPAA may be a turning point for any healthcare organization – from a profit-making entity to sudden demise (Sarrico & Hauenstein, 2011). Equally, EPHI is sensitive in nature, and all efforts should be made to protect and safeguard this information, with the wider aim of safeguarding the character and reputation of individuals. It is therefore imperative for health institutions to follow the standards and requirements contained in HIPAA to the letter if they are to kill two birds with one stone.
Brown, B. (2009). Notification requirements for breaches of protected health information. Journal of Health Care Compliance, 11(6), 27-30.
Cannoy, S.D., & Salam, A.F. (2010). A framework for healthcare information assurance policy and compliance. Communications of the ACM, 53(3), 126-131.
Glaser, J., & Aske, J. (2010). Healthcare IT trends raise bar for information security. Healthcare Financial Management, 64(7), 40-44.
HIPAA. (2007). Security standards: Organizational, policies and procedures and documentation requirements. Web.
Sarrico, C., & Hauenstein, J. (2011). Can EHRs and HIEs get along with HIPAA security requirements? Healthcare Financial Management, 65(2), 86-90.
Withrow, S.C. (2010). How to avoid a HIPAA horror story. Healthcare Financial Management, 64(8), 82-88.