Friday, March 31, 2017

HIPAA Compliance Week #3 Blog Post

Reading about all these data breaches has made me wonder exactly how hospitals, clinics, insurance agencies, and other organizations that handle electronic health information stay compliant. In other words, how do they prove they are in compliance? The 1996 Health Insurance Portability and Accountability Act (HIPAA) mandates rules and regulations to protect patients’ information. There are two separate rules for this. The first is the HIPAA Security Rule, which sets out the “standards that must be applied to safeguard and protect ePHI when it is at rest and in transit” (HIPAA Journal). The second is the HIPAA Privacy Rule, which “governs how ePHI can be used [and] disclosed” (HIPAA Journal). The Security Rule can be broken into three parts: technical, physical, and administrative safeguards.
                
So just how do covered entities become compliant? The US Department of Health and Human Services Office for Civil Rights (OCR) is responsible for tracking compliance. The covered entities are held responsible for their own compliance, as there is no compliance certification process. Covered entities need to make sure they have policies and procedures in place, perform a Security Rule risk assessment, properly train their employees, and document all of it. However, OCR can audit covered entities and has begun doing so.

HealthITSecurity.com provided an example of what such an audit looks like. A company, Night Nurse, had an audit conducted against it. The audit covered the three safeguard areas mentioned above. The first part consisted of over 400 questions: “The questions required everything from base descriptions of our services and procedures to in-depth descriptions of each technical component of our system infrastructure…the report also required a vulnerability assessment for each technology component, and how these risks were mitigated.” (Pologe, 2017). The second part was an on-site inspection to assess physical security. The auditors also made hacking attempts against the systems. The third and final part was remediation: the company had to provide proof of compliance for each area in which it had been found to be at risk.

Reading about these audits allayed my fears a little bit, knowing that the covered entities are being audited to ensure compliance, though I think it is safe to assume that not every program is audited every year. I do feel safer about my health records being stored electronically. I also feel like it is safer at a larger hospital, since these seem the most likely to be audited.

References
Snell, E. (2017). Preparing for an OCR HIPAA Risk Assessment Audit. Retrieved from http://healthitsecurity.com/news/preparing-for-an-ocr-hipaa-risk-assessment-audit
HIPAA Journal. HIPAA Compliance Checklist. Retrieved from http://www.hipaajournal.com/hipaa-compliance-checklist/
