Healthcare companies, and those serving clients that handle electronic health records, know that they are required to keep individuals' health data secure, private, and available in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Failing to do so can lead to major fines and reputational damage, but many businesses are not clear on the details of how HIPAA extends to their IT environment. The final HIPAA omnibus rule, published in 2013, modifies the Act's Privacy, Security, and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act. Since then, any company that requires HIPAA compliance also needs to maintain HITECH compliance, which is best achieved by having its servers hosted in an environment certified for HITECH by a third-party audit.
The HITECH Act is the law that governs electronic protected health information (ePHI), extending the protections HIPAA applies to personal health data to electronic systems. It applies certain HIPAA Privacy and Security requirements to business associates of covered entities, which makes it important to understand for any business dealing with health data. Even for those businesses already subject to HIPAA, being compliant with HITECH also means taking several steps beyond those required by HIPAA alone.
Download our SMB HIPAA Guide to learn about the relevant laws that affect your healthcare business and the common HIPAA terminology you need to know.
What Are My Responsibilities Under HITECH?
HITECH has four sections: the first sets standards for interoperability and meaningful use; the second sets standards for testing health IT systems; the third covers grants and loans associated with the Act; the final section deals with privacy.
The first section of the Act defines several different roles in the storage and use of ePHI. This is what establishes the requirements for the business associates of covered entities, which include IT service providers such as medical billing companies, health information exchanges, and benefit managers. Therefore, HITECH requires covered entities to have business associate agreements (BAAs) in place with their service providers. Not only that, but the requirements for these contracts are more extensive than they originally were under HIPAA, meaning that some existing BAAs, particularly legacy agreements drawn up prior to the passage of HITECH, do not meet all of the requirements.
The HITECH Act requires general compliance with HIPAA's Security Rule and Privacy Rule, but it also sets out a number of specific obligations that apply to some business associates and not others. Which HITECH Act obligations apply to a particular business associate must be specifically described in the BAA. Other required sections of the BAA include breach reporting rules, a three-year record of all data disclosures, and any confidentiality requirements.
Patients have the right under the HITECH meaningful use rules to request their ePHI in an electronic format and to designate a third party as the recipient of their ePHI. Further, they can request reports detailing who their ePHI has been disclosed to, and under what authority, so covered entities and their business associates must ensure that their systems can accommodate such requests.
The HITECH Act requires all data breaches of any PHI that is “unsecured” (meaning unencrypted) to be reported to all affected individuals, as well as to the Secretary of HHS, and in extreme cases, to the media.
Because the HITECH Act makes business associates responsible for many HIPAA requirements, if you are handling ePHI you need to ensure that your IT environment meets the requirements of the HIPAA Privacy and Security Rules.
Enforcement of HITECH requirements is carried out by both the Department of Health and Human Services (HHS) and state attorneys general. They are empowered to levy fines for violations, generally with a minimum of $100 and a per-year maximum of $25,000 for a single type of violation. In cases of “willful neglect,” the minimum is $10,000, with a cap of $250,000 for violations of a single requirement within the same year. A series of repeated violations that are judged to be attributable to “willful neglect” can reach up to $1.5 million. The Office for Civil Rights within HHS performs audits for HITECH compliance, asking employees questions to test their knowledge of compliance requirements and looking for evidence of inappropriate use or disclosure of ePHI, which is the largest source of complaints.
Your IT Service Providers’ Responsibilities
The service provider that hosts your servers is a business associate and therefore must have a compliant business associate agreement in place. In order to enable covered entities and their business associates to maintain compliance with HIPAA and HITECH requirements, infrastructure providers must keep all ePHI secure and available, and log its use according to the terms set out in their particular BAA.
Maintaining compliance with the HIPAA Security Rule while keeping ePHI available for meaningful use is one of the main duties of your IT service provider. Encryption must be applied to ePHI both at rest and in transit. Your service provider should have strong logical access control and an extensive data center physical security system to ensure the confidentiality of ePHI while defending against threats. Administrative, physical, and technical safeguards must be in place, and policies and documentation must be in order.
Likewise, your host should have strong measures in place to protect your servers against natural disasters, wildfires, power outages, and overheating, extending HIPAA's data availability requirements to patients' electronic records. At the same time, the security requirements for ePHI dictate that its capture, storage, and sharing should be minimized and also carefully logged. Detailed logs are also one of the ways service providers can honor the rights of patients to retrieve their data, or information about who has accessed it.
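The disclosure reporting discussed above (the BAA's three-year record of disclosures, and a patient's right to learn who received their ePHI and under what authority) is easiest to reason about as a concrete log. The following is an added example and not Liquid Web's code or any particular product's implementation; the `DisclosureLog` class, its record layout, and the HMAC chaining used for tamper evidence are all design assumptions of this example, and the sample entries are constructed, not real patient data.

```python
"""Accounting-of-disclosures log for ePHI (added example, not the page's own code).

Assumptions of this example: the record fields below, a hypothetical
DisclosureLog class, and an HMAC hash chain so that an edited, removed or
reordered entry is detectable when the log is audited.
"""
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json

# The page states the BAA must require a three-year record of all disclosures;
# this window is used when building a patient's report.
RETENTION = timedelta(days=3 * 365)

# Fixed "now" for the constructed sample data so results are reproducible.
SAMPLE_AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    recipient: str      # who the ePHI was disclosed to
    authority: str      # under what authority (treatment, payment, patient request, ...)
    data_scope: str     # which records were released
    timestamp: str      # ISO-8601, UTC
    prev_hash: str      # entry_hash of the preceding entry, "" for the first
    entry_hash: str     # HMAC-SHA256 over prev_hash + this entry's fields


class DisclosureLog:
    """Append-only, tamper-evident disclosure log (assumed design, not a standard)."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._entries: list[Disclosure] = []

    def _digest(self, prev_hash: str, fields: dict) -> str:
        body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()

    def record(self, patient_id: str, recipient: str, authority: str,
               data_scope: str, when: datetime) -> Disclosure:
        """Append one disclosure, chaining it to the previous entry."""
        fields = {
            "patient_id": patient_id,
            "recipient": recipient,
            "authority": authority,
            "data_scope": data_scope,
            "timestamp": when.astimezone(timezone.utc).isoformat(),
        }
        prev = self._entries[-1].entry_hash if self._entries else ""
        entry = Disclosure(**fields, prev_hash=prev, entry_hash=self._digest(prev, fields))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; any altered, dropped or reordered entry fails."""
        prev = ""
        for e in self._entries:
            fields = {k: v for k, v in asdict(e).items() if k not in ("prev_hash", "entry_hash")}
            if e.prev_hash != prev or not hmac.compare_digest(e.entry_hash, self._digest(prev, fields)):
                return False
            prev = e.entry_hash
        return True

    def accounting_for(self, patient_id: str, as_of: datetime) -> list[dict]:
        """Build the report a patient may request: disclosures within the retention window."""
        cutoff = as_of - RETENTION
        return [
            {"recipient": e.recipient, "authority": e.authority,
             "data_scope": e.data_scope, "timestamp": e.timestamp}
            for e in self._entries
            if e.patient_id == patient_id and datetime.fromisoformat(e.timestamp) >= cutoff
        ]


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries (not real ePHI, recipients or disclosures)."""
    log = DisclosureLog(b"constructed-demo-key-rotate-in-production")
    t0 = SAMPLE_AS_OF
    log.record("P-001", "Example Clinic", "treatment", "lab results", t0 - timedelta(days=4 * 365))
    log.record("P-001", "Example Billing LLC", "payment", "visit summary", t0 - timedelta(days=400))
    log.record("P-002", "Example Health Plan", "payment", "claims", t0 - timedelta(days=30))
    log.record("P-001", "patient-designated third party", "patient request", "full record",
               t0 - timedelta(days=1))
    return log


def tamper_with(log: DisclosureLog) -> bool:
    """Simulate an after-the-fact edit of one stored entry and return what verify() reports."""
    log._entries[1] = replace(log._entries[1], recipient="Unknown Party")
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    for row in sample.accounting_for("P-001", SAMPLE_AS_OF):
        print(row)
    print("chain intact after edit:", tamper_with(sample))
```

In this design the oldest entry (four years back) is still stored but falls outside the three-year report window, and the HMAC key lives outside the log so that whoever can write entries cannot also silently rewrite history without the key. A real deployment would also record the requesting user and store the log on append-only media, which this example does not attempt.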
HITECH certification does not offer legal protection against security breaches or other compliance failures in and of itself, but rather shows that the third party providing the certification has found that the service provider's systems and practices meet the standards of the Act. The primary value of certification, therefore, comes from the improvements it prompts, and from the assurance it provides for areas where no improvement or change is considered necessary under the independent assessment. HITECH certification demonstrates a commitment to honest and rigorous self-assessment, which is ultimately what will keep patient data safe and keep business associates compliant.
Liquid Web is HITECH certified by the independent accounting firm UHY LLP, an internationally trusted auditor with extensive experience. We are also compliant with other relevant standards, including SSAE-16 and Safe Harbor, providing assurance to companies in the healthcare industry and their business associates.