HIPAA and Technology: Happy HITECH Day!

Written on February 17th, 2010 by tasha

The new HITECH regs went into effect today. Most particularly, these include:

I’d love to hear what folks are doing to accommodate the new regs. Please comment!

In preparation for this day, I have recently been researching HIPAA and thought I might share some insights. Understand, I am not a lawyer. And my System Administrator will tell you, with the kindest, gentlest smile on his face, that I know enough to be dangerous. With those disclaimers in mind, therefore, here is my lay person’s take on performing a HIPAA tune-up.

HIPAA was originally written to protect the kind of information that would be in an electronic health record. However, as a “covered entity” (and now your business associates also), privacy protections extend to anything that is considered “Protected Health Information” (PHI). While you might think that PHI includes things like diagnoses and treatment information, the definition is much broader. There is a very long list, but some examples of PHI include the obvious and not so obvious:

If I’m understanding correctly, any quasi-unique piece of data that might be used to trace back to the actual identity of the individual, even if it is NOT linked to medical treatment or diagnostic information, is considered PHI. Some compliance experts I have spoken with say that even the name of a relative is considered PHI. Working with family caregivers as I do, this is important to know.

Providing HIPAA protection involves 3 components:

With the new HITECH rules, these protections become like a string of mirrors, as the covered entity needs to be sure the business associate has protections in these three domains, and business associates need to be sure their business associates have protections who in turn…you get the picture.

The policies and physical protections are elements you will need to construct internally. In shopping for assistance for my own business, I was impressed with the consultative offerings of Trustwave. They are not set up for smaller operations (sadly, no templates for standard policies are available). But for larger enterprises, they seemed to provide a comprehensive service to assist with HIPAA compliance. Like much of the tech security industry, they are oriented around securing sensitive financial information, such as online credit card transactions. Their particular acronym for that is PCI (Payment Card Information). But many of the PCI protections actually apply to medical information and PHI, so companies such as Trustwave have expanded to include HIPAA services as well.

The technology component, especially if you do not have a large operation, will require that you contract with a specialized Internet Service Provider that is versed in the necessary protections and can provide you with logs, incident reporting, periodic security audits, etc. A simple, common-sense precaution is to keep your sensitive data separated from other online data, such as your company website. The good news with this separation is that you don’t need to contract for space and traffic large enough to encompass all your Internet activities, just those that involve PHI.

Just to give you a sampling of what’s out there, in my own shopping for the technology side I ran across 3 services that caught my eye:

This is by no means an exhaustive list. And I’m sure there are many other services out there. It just seemed appropriate to share some of the findings I came across in my own HIPAA tune-up in case they might prove useful for you.

Happy HITECH DAY!

Tasha

P.S. For more information on the new regulations, I would suggest the National Hospice and Palliative Care Organization’s HIPAA-HITECH tip sheet and a superb HIPAA-HITECH presentation prepared by the law office of Hogan & Hartson.
