The HIPAA/HITECH Security Audit

The federal Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the primary aim of ensuring that employees who are changing or leaving their jobs do not lose their health insurance benefits. Additionally, HIPAA sought to reduce health care fraud and abuse by mandating industry-wide standards for the protection of health care information, for automated billing and other related processes, and for ensuring the security of Protected Health Information (PHI).

What is a HIPAA Security Audit?

A HIPAA Security Audit is a program under the HIPAA Privacy, Security, and Breach Notification Audit Program of the Office of Civil Rights (OCR). A HIPAA Security Audit is carried out to make sure that the policies, processes and controls on the part of Covered Entities comply with the provisions of the HITECH Act of 2009. Adherence to the requirements laid out by HITECH is mandatory.


Given the continued adoption of new technologies in patients' electronic records and the criticality of the data they contain, the US Department of Health and Human Services (HHS) recognizes that breaches of Protected Health Information are possible. It is to prevent such breaches that a HIPAA Security Audit is mandated by the HITECH Act.

Reporting of data breaches is mandatory

The foremost highlight of the HITECH Act is the requirement that Entities covered by HIPAA report data breaches that affect 500 or more employees to the HHS. The OCR lays out an Audit Protocol with whose policies, protocols and processes a facility has to comply in order to be considered compliant with the HIPAA Security Audit.


Why is it necessary to carry out a HIPAA/HITECH Security Audit?

Compliance with the HIPAA Security Audit is necessary to demonstrate that a practice or business is well protected. The most important reason such entities need to be HIPAA/HITECH Security Audit compliant is, apart from ensuring the protection and security of Protected Health Information, to escape the stringent and punitive penalties that follow noncompliance with the HIPAA/HITECH Security Audit. Enforcement regulations fix a starting penalty level at $10,000 for willful negligence.

Entities and healthcare professionals can also be sued by patients for data breaches. To avoid these scenarios, it is ideal for an entity to be compliant with the HIPAA/HITECH Security Audit. This means that entities, as well as healthcare professionals, have to create a set of sound policies and need a thorough grasp of HIPAA best practices, the risk factors that present themselves, and ways of avoiding them.

The OCR has stated that for fiscal 2016, the emphasis of the HIPAA/HITECH Security Audit will be on security for medical devices and electronic health records.


HIPAA Privacy Myths

HIPAA, the most comprehensive and, as of now, the only truly pan-American federal statute on health information, is unfortunately still a target of misconceptions and myths. In particular, the Privacy Rule, the cornerstone of HIPAA's rules on confidentiality of patient information, leaves room for many misconceptions.

A few common HIPAA Privacy Myths

HIPAA Privacy Myths regarding communication between the patient and physician

A common HIPAA Privacy Myth concerns email communication between the patient and the physician. It is a common misconception that, since the Privacy Rule is about ensuring the patient's privacy, it disallows email communication between doctor and patient. The HIPAA Privacy Rule does allow this form of communication, provided that the requisite safeguards aimed at ensuring the confidentiality and integrity of the emails are built into it.

Transmission of the patient’s protected health information

Another common HIPAA Privacy Myth pertains to the transmission of patient information from one healthcare facility to another. In fact, no permission is required for Covered Entities to disclose patient information from one clinic to another. The Covered Entity can also share Protected Health Information about the patient for legitimate purposes without the patient's consent or knowledge.


Cumbersome and expensive HIPAA Privacy Rule regulations

Many people believe that the HIPAA Privacy Rule is a tangled web of regulations so complex and painstaking in administrative detail that implementing it on a national scale will burn a hole in the national exchequer. This is untrue. On the contrary, over the years, implementation of the HIPAA Privacy Rule has significantly reduced administrative costs, saving a few billion dollars in the long run on administrative tasks such as transactions.

Directory information about the patient

One more HIPAA Privacy Myth relates to the sharing of directory information about the patient. A common misconception is that a hospital cannot list a patient in its directory or share this information with the public. It can, unless the patient wills otherwise. The directory information, consisting of the patient's name, location and general condition, can be shared with those who ask for it, but only with the patient's consent. If the patient instructs the healthcare center to stop sharing this information, the hospital has to stop sharing it.

HIPAA Gap Analysis for Healthcare Organizations

A HIPAA gap analysis is a crucial step for healthcare organizations in ensuring compliance with the HIPAA Security Rule. Why? An understanding of what a HIPAA gap analysis is will answer this question:

A HIPAA gap analysis is defined by the US Department of Health and Human Services (HHS) as a means to evaluate or assess the extent of the lacunae in the implementation, by Covered Entities or their Business Associates, of the safeguards or privacy controls set out by the Security Rule.

It can be understood as an assessment tool which helps healthcare settings that come under HIPAA determine where they stand with regard to compliance with the HIPAA Security Rule. So, a HIPAA gap analysis is a tool by which a HIPAA-regulated healthcare entity examines whether it is taking all the prescribed steps toward HIPAA compliance, identifies the gaps, if any, and closes them. It is a means of putting the organization on the path to HIPAA compliance.

Ideally a set of questions

As such, a HIPAA gap analysis could ideally consist of a few queries about what the healthcare organization has been missing in implementing its HIPAA Security Rule requirements. Some of the parameters a healthcare organization that comes under the HIPAA Security Rule can use as a guide to assess the extent of its HIPAA gap include:

  • The extent to which encryption, virus protection and other aspects of IT security are meeting expectations
  • The extent to which patient safety and privacy are prone to compromise
  • The best practices that its employees are implementing to secure ePHI.

Issues that a HIPAA gap analysis is expected to address

A HIPAA gap analysis is expected to cover all of the areas that make the healthcare organization vulnerable to breaches of its ePHI. These are some of them:

  • Assessment of the susceptibility of the ePHI to breaches
  • Steps to take to reduce this risk
  • The policies and procedures that need to be put in place to do this
  • A review system that is ongoing and continuous
  • Delegating the roles and responsibilities to the officers in charge of HIPAA implementation
  • Putting the necessary security documentation protocols in place
  • Recommending and implementing data backup and recovery procedures.


Ways of performing a HIPAA gap analysis

A HIPAA gap analysis can be performed either by the healthcare organization itself or by a third party hired for the task. Entrusting the task to a third party requires a great many guarantees and safeguards of both a technical and a legal nature. Both approaches have their merits and disadvantages, and it is ultimately up to the organization to decide which suits it best.

HIPAA gap analysis and Risk Analysis

There is a strong relation between HIPAA gap analysis and Risk Analysis. A HIPAA gap analysis is a means to risk analysis and is not the same as, or as strong or mandatory as, the latter. A HIPAA gap analysis is at best desirable for an organization and is not a HIPAA requirement, whereas risk analysis is.

A Risk Analysis is more comprehensive and covers far more areas than a HIPAA gap analysis. A HIPAA gap analysis is not a substitute for Risk Analysis. The fundamental point for understanding the difference between the two is that a HIPAA gap analysis only evaluates and suggests what needs to be done to meet HIPAA compliance requirements, while Risk Analysis is a means to implement all that is needed.

Some notable HIPAA Myths and Facts

The Health Insurance Portability and Accountability Act, more popularly called HIPAA, is the defining federal statute on health privacy. It was enacted in 1996 under President Bill Clinton, and is as of now the only national health privacy law in the US. Although two decades have passed since the passage of this important legislation, many myths and misconceptions about HIPAA still persist.

A few prominent HIPAA myths and facts

Although it is not possible to enumerate all the HIPAA myths and facts, a few common ones are described here:

HIPAA myths and facts 1: Patients can take healthcare providers to court for a HIPAA privacy violation.

They cannot. In fact, even if the healthcare provider commits the worst kind of privacy violation, the affected individual may only complain to the Secretary of Health and Human Services (HHS). Appropriate investigations and subsequent penalties, if levied, will be imposed by the HHS and enforced by the Department of Justice (DoJ).

HIPAA myths and facts 2: Healthcare providers are allowed to share personal health information about patients with their employers.

They are not. Employers may access the personal health information of patients who are their employees only with the consent of the patient. This cannot be done without the explicit, written consent of the employee. This written permission should contain all the necessary details about the information to be shared, such as what information is to be shared, who is sharing it, until what time it may be shared, and so on. This permission has to be endorsed by the patient's signature.

HIPAA myths and facts 3: The patient’s family member is not allowed to pick up prescriptions and other documents related to the patient.

They are. Documents such as prescriptions, X-rays and other medical records can be picked up by the patient’s family member. In fact, a pharmacist can sell the prescribed medicines to any person other than the patient.


HIPAA myths and facts 4: Healthcare providers cannot share information about the patient with the patient’s family without written permission.

This is not so. When the situation warrants it, the patient's family or a close friend or associate can be given information about the patient's health condition, insurance, payments, etc., even without formal written assent.

HIPAA myths and facts 5: Patients' medical records cannot be used for marketing.

This is one of the most popular myths surrounding HIPAA. Informing the patient about the details of a certain health or insurance plan is not considered marketing. In fact, this information has to be shared by the healthcare provider to help the patient make an informed decision about the health plan she wants to choose.

HIPAA Enforcement trends

The Health Insurance Portability and Accountability Act (HIPAA) is legislation of the American Congress. HIPAA enforcement consists of taking steps to confirm that the rules set out in HIPAA are being complied with by the requisite entities.

Primarily passed with the intention of ensuring that employees do not lose their health insurance benefits when they change or leave their jobs, this 1996 law also has the protection and security of Protected Health Information (PHI) as one of its chief aims. The Office of Civil Rights (OCR), which enforces HIPAA, imposes harsh penalties on healthcare organizations, Business Associates and Covered Entities that are proven to be in noncompliance with HIPAA requirements.

What are HIPAA enforcement actions?

The actions that the OCR takes to ensure implementation of HIPAA provisions constitute HIPAA enforcement actions. There are a good number of areas in which the OCR can cite cases of HIPAA violations or noncompliance. A look at recent HIPAA enforcement actions points to a trend. These trends indicate what to expect from HIPAA enforcement actions, which helps entities understand what they should and should not implement, and thus avoid being cited by the OCR.

Security risk assessments are the foremost element of HIPAA enforcement actions

A look at recent trends suggests that HIPAA enforcement actions mainly target security risk assessments. This leads to harsh penalties, as happened in the case of New York-Presbyterian Hospital (NYP). The hefty $4.8 million penalty imposed on this hospital in 2014 was for a data breach caused by an insufficient security risk assessment. While this is the largest fine, the OCR cited at least three other hospitals in 2014 for putting inadequate security risk assessments in place.

Choosing the right HIPAA/HITECH Compliance Solutions

HIPAA/HITECH require a high degree of compliance with the standards they set out. Covered Entities, consisting of Business Associates, healthcare providers and health plans, have to implement the provisions of HIPAA/HITECH.

Why are HIPAA/HITECH Compliance Solutions needed?

HIPAA/HITECH Compliance Solutions are needed by all these entities simply because they have no choice about implementing these provisions. Given the extreme importance of their work, namely the security of Protected Health Information (PHI), entities in the healthcare sector have to ensure a high degree of confidentiality of patient data.

This is where HIPAA/HITECH Compliance Solutions help. It is impossible to do this manually, not only because manual work slows the process, but also because the whole patient data system is automated, leaving no scope or opportunity for manual work. HIPAA/HITECH Compliance Solutions ensure that the software that goes into them carries out the required work in a streamlined and organized fashion. The software is built and programmed to take into consideration all the elements of HIPAA/HITECH Compliance.


These HIPAA/HITECH Compliance Solutions exist to ensure that the system carries out its tasks without glitches or inaccuracies. They are a great means of helping entities carry out their work, because the cost of noncompliance with the provisions of HIPAA/HITECH is exorbitant, to say the least. Many an organization has been forced to pay penalties running to many times its profits only because it failed to implement the core provisions set out in HIPAA/HITECH.

What should one look for in HIPAA/HITECH Compliance Solutions?

Many HIPAA/HITECH Compliance Solutions are available in the market. At the core of HIPAA/HITECH is the requirement that Covered Entities build the following:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

HIPAA/HITECH Compliance Solutions should have this capability.

HIPAA violations and law enforcement

Protecting patients' health information is one of the primary aims of the Health Insurance Portability and Accountability Act (HIPAA). This being the case, it is natural that whenever an entity tasked with protecting this data fails to do so, it faces penalties and other punishments for HIPAA violations. HIPAA violations and law enforcement play a major role as a medium in ensuring that patient information is kept confidential as required by this legislation.

HIPAA violations and law enforcement are built on the national privacy standards embedded in HIPAA. If any information about the patient is disclosed to any unauthorized party without authorization, this constitutes a breach of patient privacy and brings HIPAA violations and law enforcement into play.

The role of the law enforcement official

HIPAA violations and law enforcement are founded on a well-established set of fines and penalties prescribed for the different kinds of privacy breach. This is how HIPAA violations and law enforcement work:

HIPAA's Privacy Rule defines a law enforcement official. Any officer, official or employee of any local, State, or federal agency, or a member of an Indian tribe who has the requisite qualification, can be appointed as a HIPAA enforcement official.

Such an official, who has been given the power to investigate a potential violation involving Protected Health Information (PHI), is empowered to prosecute an entity that is found to be violating provisions of HIPAA. This constitutes the core of HIPAA violations and law enforcement.

Of course, such a designated person should carry the legal identification documents required to establish proof of the person's authenticity. Any Covered Entity, including a hospital, has the right to demand proof of the person's identity. That said, a law enforcement official has to have the proper permissions and circumstances to carry out law enforcement activities for HIPAA violations.

Conditions that warrant HIPAA violations and law enforcement

HIPAA violations and law enforcement actions are warranted by certain situations. Some of these include:


Criteria for disclosing patient information

HIPAA violations and law enforcement also set out criteria for disclosing patient information. HIPAA inspectors cannot delve into any data arbitrarily, nor is the CE obliged to part with this information. HIPAA violations and law enforcement require this three-tier "test" for information to be shared with the designated officer(s):