Administrative actions and policies and procedures:
(1) to manage the selection, development, implementation, and maintenance of security measures, and
(2) to protect ePHI and to manage the conduct of the Covered Components’ workforce in relation to the protection of ePHI.
A specific type of permission given by the individual to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations.
Generally an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a covered entity that require the disclosure of PHI (such as legal, actuarial, accounting, accreditation).
The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the assurance that the business associate will take proper steps to implement the appropriate administrative, physical, and technical safeguards.
Established by the American Recovery and Reinvestment Act of 2009 (ARRA), the tiered civil penalty structure below sets the consequences of HIPAA breaches according to their cause. The Secretary of the Department of Health and Human Services ultimately determines fines and penalties based on the extent of the violation on a case-by-case basis.
Sets out a course of action that is maintained for emergency response, backup operations, and post-disaster recovery. The purpose of the plan is to ensure availability of critical resources and facilitate the continuity of operations in an emergency. The plan includes procedures for performing backups, preparing critical facilities that can be used to facilitate continuity of critical operations in the event of an emergency and recovering from a disaster.
Covered Entities are defined in the HIPAA rules as:
(1) health plans,
(2) health care clearinghouses, and
(3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other healthcare providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered Entities can be institutions, organizations, or persons.
Researchers are Covered Entities if they are also health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard. For example, physicians who conduct clinical studies or administer experimental therapeutics to participants during the course of a study must comply with the Privacy Rule if they meet the HIPAA definition of a Covered Entity.
The U.S. Department of Justice established who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 and imprisoned for up to a year. More serious offenses call for higher fines and prison time.
Medical, clinical research, and billing records about an individual maintained or used to make decisions about the individual and the individual’s treatment, which is subject to an individual’s right to request access and amendment.
The part of a Contingency Plan that documents the process to restore any loss of data and to recover computer systems if a disaster occurs (e.g., fire, vandalism, natural disaster, or System failure). The document defines the resources, actions, tasks, and data required to manage the business recovery process in the event of a business interruption. The plan is designed to assist in restoring the business process to attain the stated disaster recovery goals.
The release, transfer, provision of access to, or divulging in any other manner of protected health information outside of the entity holding the information.
An organization is in violation, but it had taken every step it could reasonably have foreseen to prevent that violation.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
The communication or exchange of business documents between companies via computer.
Individual electronic records of health-related information that are created, gathered, managed and consulted by authorized health care clinicians and staff.
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.
Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
For a full explanation of the HITECH Act, visit our HITECH page.
If a company fails to comply with HIPAA rules, it is subject to both civil and criminal penalties.
A subset of “health information,” including demographic information:
(1) that is created or received by a health care provider, health plan, employer, or health care clearinghouse;
(2) that relates to the physical or mental health or condition of an individual; the provision of health care to an individual; or the payment for the provision of health care to an individual;
and (3) that identifies the individual, or might reasonably be used to identify the individual.
Protected health information that excludes all of the 16 HIPAA specified direct identifiers of the individual or of relatives, employers, or household members of the individual, but retains geographic subdivisions larger than the postal address and elements of dates. Limited data sets may only be used for research, public health or for health care operations; and only with a data use agreement that limits the use of the data by the recipient.
Refers to the reasonable efforts that anyone using, disclosing, or requesting PHI must make to limit the PHI to the minimum necessary amount to accomplish the intended purpose.
Office for Civil Rights, the branch of the Department of Health and Human Services (DHHS) that is responsible for federal oversight of the privacy regulations.
Up through early 2012, there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The new protocol covers requirements found in the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
Measures, policies, and procedures to physically protect the Covered Components’ Systems and related buildings and equipment that contain ePHI from natural and environmental hazards and unauthorized intrusion.
The regulations at 45 CFR 160 and 164, which detail the requirements for complying with the standards for privacy under the administrative simplification provisions of HIPAA.
Any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium that is created or received by a covered entity.
PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:
The individual’s past, present or future physical or mental health or condition; OR
The provision of health care to the individual; OR
The past, present or future payment for the provision of health care to the individual.
Information is deemed to identify an individual if it includes either the patient’s name or any other information that, taken together or used with other information, could enable someone to determine an individual’s identity (such as date of birth, medical record number, health plan beneficiary numbers, address, zip code, phone number, email address, fax number, IP address, license numbers, full face photographic images or Social Security Number).
PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. PHI also excludes information related to individuals who have been deceased for more than 50 years. (See also the definitions of “health information” and “individually identifiable health information.”)
The required steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but one item in it had not yet been addressed. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations
A documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and an estimation of the security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. Risk analysis involves determining what requires protection, what it should be protected from, and how to protect it.
The regulations at 45 CFR 160 and 164, which detail the requirements for complying with the standards for security under the administrative simplification provisions of HIPAA.
The technical custodian of a System. This individual provides the technology and processes to implement the decisions of the System Owner. In some circumstances, e.g. small systems (typically Basic ePHI Systems), the System Administrator and the System Owner may be the same person. System Administrators are responsible for the technical operation, maintenance, and monitoring of the System. These duties include implementing appropriate technical, physical, and administrative safeguards.
The authority, individual, or organization head who has final responsibility for Systems which create, access, transmit or receive ePHI, including responsibility for the ePHI data. In some complex Systems, the functional responsibility for the System and the responsibility for the data may lie with more than one individual. Decisions regarding who has access to the System and related ePHI data, and responsibility for the Risk Analysis, rest solely with the System Owner.
The System Owner usually delegates responsibility for the technical management of a System to a qualified System Administrator or staff who are capable of implementing appropriate technical, physical and administrative safeguards.
The technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.
The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that holds such information.
There are two types of willful neglect.
The first is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake.
Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Does your business need help to meet and maintain HIPAA Compliance? Then please fill out the form above or give us a call today at (877) 85-RHINO for a FREE Consultation.
The first step to compliance is awareness. The next step is to give us a call.