HIPAA Compliance Checklist: Policies and Procedures Needed for HIPAA Compliance
The following is a checklist of the resources needed (and policies and procedures that should be put in place) to ensure compliance with HIPAA regulations once you have determined you are a HIPAA-covered entity:
- SUNY Business Associate Agreement (as released by Counsel’s Office in August of 2013)
The SUNY Office of General Counsel each year releases a template of the approved Business Associate Agreement. The 2013 SUNY Business Associate Agreement Template is available here.
- SUNY Risk Assessment Tool (For Suspected Breaches) - No longer the standard since the issuance of the 2013 HIPAA Omnibus Rule
This tool helped SUNY HIPAA-covered entities determine IF a breach had occurred PRIOR to the Final 2013 HIPAA Omnibus Rule. With the issuance of the 2013 Omnibus Rule, the final rule on Breach Notification replaced the previous breach notification rule's "harm" threshold (which was reflected in the Risk Assessment tool) with a more objective standard. The final rule says a risk assessment for determining the probability that PHI was compromised should consider at least four factors:
1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.
In the final breach rule, HHS notes: "We have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." To explain why the harm standard was replaced, HHS explains: "We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
- Summary of the HIPAA Privacy Rule from the U.S. Department of Health and Human Services website
- Summary of the HIPAA Security Rule from the U.S. Department of Health and Human Services website
- HITECH Enforcement Rule from the U.S. Department of Health and Human Services website
Also see below for more information on HITECH and its implications.
- HIPAA Enforcement from the U.S. Department of Health and Human Services website
- Business Associates: The Office for Civil Rights also reminded organizations that Business Associates became subject to breach notification once the HIPAA rules were finalized (the 2013 Omnibus Rule); previously only HIPAA covered entities were subject to breach notification. This change came about with the passage of the HITECH Act of 2009. The government has issued information on the Breach Notification Rule, a part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information; information is available from the U.S. Department of Health and Human Services website.
- Standard Policies and Procedures you see at HIPAA covered entities:
a. Information Access and Security
b. Media Controls
c. Systems and Network Security
d. Notice of Privacy Practices
e. Right to Request Access and Amendment to Designated Record Set
f. Accounting for Disclosures
g. Request Restrictions or Confidential Communications
h. Reporting Incidents Involving the Security or Privacy of Protected Health Information; Breach Notification
i. Reporting Protected Health Information (PHI) Compliance Issues
j. Authorization Requirements for Use and Disclosure of Protected Health Information, Including Verification of Identification
k. Use and Disclosure of Protected Health Information for Research Purposes
l. Disclosure of PHI to Business Associates
m. Uses and Disclosures of PHI for Marketing
n. Uses and Disclosures of PHI for Fundraising
o. Transmission and Receipt of Protected Health Information via Fax
p. Minimum Necessary Uses, Disclosures, and Requests
q. Personal Representatives
r. Use and Disclosure of De-Identified Information and of Limited Data Sets
s. Electronic Protected Health Information (ePHI) Security Compliance: HIPAA Security Anchor Policy
t. Physical Security Policy
u. Electronic Communication of Health Related Information
v. Information System Activity Review
w. IT Security Incident Response Policy
- OCR Audit Protocol Recommendations from the U.S. Department of Health and Human Services website
- The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
- The protocol covers requirements for the Breach Notification Rule.
HITECH Enforcement Rule
The American Recovery and Reinvestment Act (ARRA) and HIPAA (Source: Yale University)
The American Recovery and Reinvestment Act of 2009 includes legislation known as the Health Information Technology for Economic and Clinical Health (HITECH) Act which promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs. Congress recognized the increased risk to the privacy and security of protected health information (PHI) with widespread adoption of EHRs and amended the HIPAA requirements to mitigate these risks. Some key changes are outlined below:
Effective February 17, 2009
- State attorneys general can enforce HIPAA
- Civil monetary penalties increased to a maximum of $1.5 million per year for violations of an identical provision, with a minimum penalty of $100 per violation, imposed except in very limited cases
- Funds collected from civil penalties distributed to the Department of Health and Human Services (DHHS) for enforcement activities and to patients harmed by the violation
- Individuals as well as covered entities can be held accountable for HIPAA violations
Effective September 23, 2009
- Patients and clinical research subjects, DHHS, and in some cases the media, must be notified in the case of a breach of unsecured protected health information (PHI).
Effective February 17, 2010
- Business Associates are directly accountable for HIPAA compliance in addition to contractual requirements.
- Patients may request restrictions to billing disclosures when they self-pay
- Limited Data Sets are considered the default standard for complying with HIPAA’s Minimum Necessary standard
- Patients may request electronic copies of their PHI when the data is held in an EHR and that their records be sent to others in an electronic format.
- Limitations and prohibitions on using PHI for marketing and fundraising are strengthened and sale of PHI is prohibited.
Phased in beginning 1/1/2011
- All disclosures of PHI from an EHR must be accounted for, including those for treatment, payment and healthcare operations
The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials or the SUNY Compliance Administrator. For legal advice, consult your lawyer.