


Part 1: What the H?

HIPAA, HITECH & HITRUST: The Essentials of Healthcare Security Compliance

Any entity that handles health information or other sensitive data should be intimately familiar with HIPAA, HITECH and HITRUST. Unfortunately, some entities and/or their employees view these H-words as mere suggestions or someone else's responsibility. Others are confused by how these terms apply to them.

If you're already muttering, "What the H?" -- this series is for you. In Part 1, we'll explore the differences between these important acronyms, as well as how these concepts build upon each other to play a significant part in securing protected health information (PHI).


HIPAA

Perhaps the most well-known term in the bunch, HIPAA (Health Insurance Portability and Accountability Act) became federal law in 1996. The first of the two major components of the law protects workers from losing health insurance if they lose or change jobs.

The second component (what most people think of when they hear the term HIPAA) has been a transformative force in the healthcare world, helping to ensure the privacy and security of PHI. It also attempts to standardize the methods by which healthcare entities store and exchange sensitive healthcare information. At a high level, this component consists of the:

  • Security Rule:

This portion provides the administrative and technical requirements that healthcare entities (and their business associates) must meet to ensure confidentiality and security of PHI. Under the Security Rule, entities must assess their own potential for risks to PHI and take "reasonable and appropriate" measures to secure systems and processes. For instance, a minimum level of security for PHI is to encrypt the data.

  • Privacy Rule:

This rule, which provides rights to individuals, grants some permissions to healthcare entities for use of PHI for care and other specified purposes. If entities would like to disclose consumer health information for purposes that are not explicitly permitted by the Privacy Rule, the consumer must first give written permission using a valid HIPAA authorization. Entities then must specifically tell the consumer how they plan to use that information. HIPAA also empowers individuals by granting them greater access to and control of their health records. For example, consumers can request removal of inaccurate information on their record, or specify that healthcare providers may not share PHI with certain parties.

The main requirement for HIPAA compliance is an annual risk analysis, a process that focuses on several key requirements and controls outlined in the Security and Privacy Rules. (More on that in Part 2 online.)


HITECH

HITECH, or the Health Information Technology for Economic and Clinical Health Act, was enacted in 2009 as part of the American Recovery and Reinvestment Act. It operates as an update and extension of HIPAA. In other words, while HIPAA built the structure for regulation of health information technology, HITECH builds upon that foundation to provide more details and increased enforcement measures for HIPAA violations.

HITECH also extends HIPAA's stipulations to business associates of covered healthcare entities. This means that any organization that has access to PHI must be HIPAA-compliant. Some examples of qualifying entities include health information exchanges, insurance companies, CPA firms, billing firms, and medical transcriptionists.

Whereas enforcement of HIPAA was previously perceived as somewhat lax or inconsistent, HITECH institutes steep penalties for "willful neglect" and mandates audits by the Department of Health and Human Services (HHS). HITECH also brings new breach requirements. HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security of the PHI."

With the implementation of HITECH, entities are required to notify individuals when their information has been breached. They must also notify both the HHS and local media when the breach affects more than 500 patients. (Sound scary? Read Part 3 of our series online for real horror stories that illustrate the importance of being in compliance.)


HITRUST

Unlike HIPAA and HITECH, the Health Information Trust Alliance (HITRUST) is not a law. It is a private organization of providers (hospitals, physician practices, etc.) and payers (insurance companies) that created a certifiable framework for healthcare technology security: HITRUST CSF. This framework is designed to ensure compliance with HIPAA and several other existing security frameworks.

While HIPAA lays out the guidelines for compliance, it does not give a clear blueprint for achieving it. HITRUST, on the other hand, gives covered entities a detailed path to compliance, as well as invaluable tools for governance and risk management. It also offers an exhaustive certification process to show that an entity meets all existing security regulations for the handling, storing and transmission of PHI.

HITRUST does not use a one-size-fits-all approach. Rather, its third-party assessors make recommendations to entities based on their size, scale and unique security issues. Additionally, HITRUST's CSF is not static. As specific security issues evolve, so do the requirements for HITRUST certification. If an entity completes the lengthy process of certification, it must recertify every two years.

The certification makes healthcare entities a more attractive option for consumers, as the exhaustive certification process lends credibility to their commitment to PHI security. But HITRUST is not only about enhancing security measures. In fact, many of the large payers are requiring entities they contract with to become HITRUST-certified by the end of 2018. At that time, in order to contract with and get paid by most payers, entities will need to obtain HITRUST certification ... and that means they need to get started soon!

The good news? We'll tell you how to get -- and/or stay -- in compliance in subsequent parts of this series online.


Gina B. Pruitt, CPA, CITP, CISA, CGMA, CQA, CRISC, CEMB, CCSFP, CHFP is member-in-charge of the Risk Assurance & Advisory Services practice at KraftCPAs PLLC and has more than 30 years of experience in public accounting. A HITRUST Certified CSF Assessor, KraftCPAs works extensively with healthcare providers and related entities. For more information, contact Gina at gpruitt@kraftcpas.com.