HIPAA UPDATE - Idaho Health Care Association

HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY[1]

In January 2013, the Department of Health and Human Services (“HHS”) issued its long-awaited Omnibus Rule[2] implementing regulations required by the HITECH Act[3] and significantly expanding HIPAA[4] requirements and penalties associated with the misuse or improper disclosure of protected health information (“PHI”). Among other things, the Omnibus Rule extends HIPAA to business associates[5] of covered entities and raises the stakes on regulatory compliance. This memorandum outlines key actions that covered entities and business associates should take to help ensure their compliance and avoid HIPAA penalties.
WHY YOU NEED TO COMPLY.

1. Civil Penalties Are Mandatory for Willful Neglect. HITECH increased the penalties for HIPAA violations to 500 times their prior limits. The Office for Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity or business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements.[6] The following chart summarizes the tiered penalty structure[7]:

Conduct of covered entity or business associate | Penalty
Did not know and, by exercising reasonable diligence, would not have known of the violation | $100 to $50,000 per violation; up to $1,500,000 per identical violation per year
Violation due to reasonable cause and not willful neglect | $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year
Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year
Violation due to willful neglect and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation | Mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year

A single action may result in multiple violations. According to HHS, the loss of a laptop containing records of 500 individuals may constitute 500 violations.[8] Similarly, if the violation were based on the failure to implement a required policy or safeguard, each day the entity failed to have the required policy or safeguard in place constitutes a separate violation.[9] Not surprisingly, penalties can add up quickly.
[1] This outline provides a summary of some of the relevant compliance issues and requirements. It is provided for educational purposes only. Readers should review the applicable laws and regulations and consult their own counsel when responding to compliance concerns.
[2] 78 F.R. 5566 (1/25/13).
[3] Health Information Technology for Economic and Clinical Health Act of 2009.
[4] Health Insurance Portability and Accountability Act of 1996.
[5] Under HIPAA, “business associates” are generally defined as those entities outside of the covered entity’s workforce who create, receive, maintain or transmit protected health information (“PHI”) on behalf of a covered entity to perform a function regulated by HIPAA or certain other enumerated functions, including claims processing; data analysis; utilization review; quality assurance; individual safety activities; billing; benefit management; practice management; legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services; data transmission services if routine access to data is required; and subcontractors of business associates. 45 CFR § 160.103.
[6] 45 CFR § 160.401 and 164.404.
[7] 45 CFR § 160.404.
[8] See 78 FR 5584 (1/25/13).
[9] 45 CFR § 160.406; 78 F.R. 5584 (1/25/13).
HIPAA UPDATE - 1
Copyright © 2015, Holland & Hart LLP
6721404_2.docx
Kim C. Stanger
Phone (208) 383-3913
[email protected]
www.hollandhart.com
www.hhhealthlawblog.com
And the government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect.[10] State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees.[11] Future regulations will allow affected individuals to recover a portion of any settlement or penalties arising from a HIPAA violation, thereby increasing individuals’ incentive to report HIPAA violations.[12]

The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances.[13] More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.[14] Whether covered entities or business associates implemented required policies and safeguards is an important consideration in determining whether they acted with willful neglect.[15]
2. HIPAA Violations May Be a Crime. Federal law prohibits any individual from improperly obtaining or disclosing PHI from a covered entity without authorization; violations may result in the following criminal penalties[16]:

Prohibited Conduct | Penalty
Knowingly obtaining or disclosing PHI without authorization | Up to $50,000 fine and one year in prison
If done under false pretenses | Up to $100,000 fine and five years in prison
If done with intent to sell, transfer, or use the PHI for commercial advantage, personal gain or malicious harm | Up to $250,000 fine and ten years in prison

Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing PHI.

3. Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities must self-report HIPAA breaches of unsecured PHI to the affected individual, HHS, and, in certain cases, to the media.[17] Business associates must report such breaches to the covered entity so the covered entity may give the required notice.[18] The Omnibus Rule modified the Breach Notification Rule to eliminate the former harm analysis; now a breach of PHI is presumed to be reportable unless the covered entity or business associate can demonstrate a low probability that the data has been compromised through an assessment of specified risk factors.[19] Reporting a HIPAA violation is bad enough given the costs of notice, responding to government investigations, and potential penalties, but the consequences for failure to report a known breach are likely worse: if discovered, such a failure would likely constitute willful neglect, thereby subjecting the covered entity or business associate to the mandatory civil penalties.[20]

[10] The OCR’s website contains data summarizing HIPAA enforcement activities, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.
[11] 42 USC § 1320d-5(d); see also OCR training for state attorneys general at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html.
[12] See 78 FR 5568 (1/25/13).
[13] 45 CFR § 160.308(a)(2) and 160.408.
[14] 45 CFR § 160.410.
[15] See Press Releases of various cases reported at http://www.hhs.gov/ocr/office/index.html.
[16] 42 USC § 1320d-6.
[17] 45 CFR § 164.400 et seq.
[18] 45 CFR § 164.410.
[19] 45 CFR § 164.402; 78 FR 5641 (1/25/13).
Given the increased penalties, lowered breach notification standards, and expanded enforcement, it is more important than ever for entities to comply or, at the very least, document good faith efforts to comply, to avoid a charge of willful neglect, mandatory penalties, and civil lawsuits.

WHAT COVERED ENTITIES SHOULD DO TO COMPLY.

Covered entities are health plans (including employee group plans that have 50 or more participants or that are administered by a third party); health care clearinghouses; and health care providers who engage in certain electronic transactions.[21] The following are key compliance actions that covered entities should take.

1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing.[22] The privacy and security officers are responsible for ensuring HIPAA compliance. To that end, they should be thoroughly familiar with the requirements of the HIPAA Privacy[23], Security[24], and Breach Notification Rules.[25] The OCR maintains a very helpful website to assist covered entities and business associates in complying with the rules, http://www.hhs.gov/ocr/privacy/.

2. Know the use and disclosure rules. The basic privacy rules are relatively simple: covered entities may not use, access or disclose PHI without the individual’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception.[26] Unless they have agreed otherwise, covered entities may use or disclose PHI for purposes of treatment, payment or certain health care operations without the individual’s consent.[27] In addition, covered entities may use or disclose PHI for certain purposes so long as the individual has not objected, including use of certain PHI for facility directories, or disclosure of PHI to family members or others involved in the individual’s care or payment for their care so long as such disclosure is in the individual’s best interests.[28] HIPAA contains numerous exceptions that allow disclosures of PHI to the extent another law requires disclosures or for certain public safety and government functions, including reporting of abuse and neglect; responding to government investigations; or disclosures to avoid a serious and imminent threat to the individual.[29] Even though HIPAA would allow a disclosure, the covered entity and business associate generally cannot disclose more than is minimally necessary for the intended purpose.[30] Covered entities and business associates generally must take reasonable steps to verify the identity of the person to whom the disclosure may be made.[31] The OCR has published a helpful summary of the Privacy Rule at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf, although the summary has not been updated to reflect changes in the Omnibus Rule.

3. Know individuals’ rights. HIPAA grants individuals certain rights concerning their PHI. Among others, individuals generally have a right to request limitations on otherwise permissible disclosures for treatment, payment and healthcare operations[32]; request confidential communications at alternative locations or by alternative means[33]; access or obtain copies of their PHI, including e-PHI[34]; request amendments to their PHI[35]; and obtain an accounting of impermissible and certain other disclosures of PHI.[36] Covered entities and business associates must know and allow individuals to exercise their rights. One health system was fined $4.3 million for, among other things, failing to timely respond to individual requests to access their PHI.[37]

[20] 75 FR 40879 (7/14/10).
[21] 45 CFR § 160.103.
[22] 45 CFR §§ 164.308(a)(2) and 164.530(a).
[23] 45 CFR part 164, subpart E (§§ 164.500-164.534).
[24] 45 CFR part 164, subpart C (§§ 164.302-164.318).
[25] 45 CFR § 164.502, Subpart D (§§ 164.400-414).
[26] 45 CFR § 164.502.
[27] 45 CFR §§ 164.506 and 164.522(a).
[28] See 45 CFR § 164.510.
[29] 45 CFR § 164.512.
[30] 45 CFR §§ 164.502(b) and 164.514(d).
[31] 45 CFR § 164.514(h).
[32] 45 CFR § 164.522(a).
4. Implement and maintain written policies. HIPAA requires covered entities to develop and maintain written policies that implement the Privacy, Security, and Breach Notification Rule requirements.[38] According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.”[39] Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies.[40] A list of required and recommended privacy and breach notification policies is attached as Appendix 1; a list of required security policies is attached as Appendix 2. If they have not done so, covered entities should update their privacy and breach notification policies to comply with the new Omnibus Rule provisions described below.

a. Deceased persons. Covered entities may now disclose PHI to family members or others who were involved in the decedent’s health care or payment for their care prior to the decedent’s death so long as the disclosure is relevant to the person’s involvement and is not inconsistent with the decedent’s prior expressed preferences.[41]

b. Individual access to e-PHI. If an individual requests an electronic copy of their PHI, covered entities must generally produce it in the form requested if readily producible.[42] If the individual directs the covered entity in writing to transmit a copy of their e-PHI to another individual, the covered entity must generally comply.[43]

c. Time for responding to request to access. Covered entities must generally respond to an individual’s request to access their PHI within 30 days; the Omnibus Rule eliminated the provision that gave covered entities extra time to respond if records were maintained offsite.[44]

d. Limits on disclosures to insurers. Covered entities may not disclose PHI about an individual’s episode of care to a health insurer if (i) the insurer seeks the PHI for treatment or payment purposes; (ii) the individual or someone on the individual’s behalf paid for the care to which the PHI pertains; and (iii) the individual requests that the PHI be withheld from the insurer.[45] This new rule will require covered entities to develop new and problematic processes for flagging and isolating such data from health insurer requests; fortunately, however, the requirement is only triggered if the individual requests such limitations, which should rarely occur. HHS’s commentary to the Omnibus Rule is particularly helpful in understanding the limits of this new requirement.[46]

e. School immunizations. Covered entities may now disclose PHI about immunizations to a school if (i) state law requires such PHI for school enrollment; and (ii) the individual or their personal representative consents to the disclosure. The consent may be oral.[47]

[33] 45 CFR § 164.522(b).
[34] 45 CFR § 164.524.
[35] 45 CFR § 164.526.
[36] 45 CFR § 164.528.
[37] See Press Release at http://www.hhs.gov/news/press/2011pres/02/20110222a.html.
[38] 45 CFR §§ 164.316(a), 164.404(a), and 164.530(f).
[39] See 75 FR 48078-79.
[40] See Press Release at http://www.hhs.gov/news/press/2010pres/07/20100727a.html.
[41] 45 CFR § 164.510(b)(5).
[42] 45 CFR § 164.524(c)(2).
[43] 45 CFR § 164.524(c)(3).
[44] 45 CFR § 164.524.
[45] 45 CFR § 164.522(a)(1).
[46] 78 FR 5626-5630 (1/25/13).
[47] 45 CFR § 164.512(b)(1).
f. Sale of PHI. Covered entities must obtain written authorization to sell an individual’s PHI, and the authorization must disclose that the sale will result in remuneration to the covered entity.[48]

g. Marketing. Covered entities must obtain written authorization to use the individual’s PHI for marketing purposes, including most non-face-to-face communications for treatment purposes if the covered entity receives financial remuneration to make the communication.[49] If remuneration is involved, the marketing authorization must disclose that fact.[50]

h. Fundraising. The Omnibus Rule allows covered entities to disclose more PHI to institutionally related foundations to assist with fundraising, but fundraising communications must explain how the recipient may opt out of receiving such communications, and the opt-out method may not be burdensome.[51]

i. Research. If the covered entity engages in research, it should review new standards applicable to research as described in 45 CFR § 164.508(b).

j. Breach notification. The Omnibus Rule modified the standard for reporting breaches of unsecured PHI. Under the new standard, the unauthorized acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is presumed to be a reportable breach unless (i) the covered entity or business associate demonstrates there is a low probability that the PHI has been compromised based on a risk assessment of certain factors, or (ii) the breach fits within certain exceptions.[52] Covered entities must ensure that their policies incorporate, and that they apply, this new, arguably lower standard. Given the lower standard, covered entities and business associates may want to consider “securing” e-PHI by encryption to the extent possible to avoid reportable breaches.

5. Develop compliant forms. HIPAA requires that certain documents used by covered entities satisfy regulatory requirements as described below. Covered entities should ensure that their HIPAA forms comply, although the OCR has suggested that technical non-compliance would likely not constitute willful neglect.[53] Appendix 1 includes a list of recommended forms.

a. Authorizations. HIPAA authorizations to use or disclose PHI must contain certain elements and required statements to be valid.[54] The Omnibus Rule added a requirement that the authorization disclose that the covered entity receives remuneration if the covered entity seeks the authorization to sell PHI.[55]

b. Notice of privacy practices. Covered entities must provide individuals with a notice of privacy practices that describes how the entity will use the individual’s PHI and contains certain required statements.[56] In addition to the items required by the prior rules, the Omnibus Rule requires covered entities to update their notices to also include the following: (i) a description of the types of PHI that require an authorization, i.e., psychotherapy notes, marketing, and sale of PHI; (ii) a statement that other uses or disclosures not described in the notice will require an authorization; (iii) a statement that the recipient of fundraising materials may opt out; (iv) a description of the individual’s right to limit disclosures to insurers if the individual paid for the relevant care; and (v) a statement that the covered entity must notify the individual of a breach of unsecured PHI.[57] In addition to updating their own notices, covered entities relying on joint notices should ensure the joint notices have been updated.[58] The OCR has recently published model privacy notices on its website, http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html, although most covered entities would likely prefer to use their own forms.

[48] 45 CFR §§ 164.502(a)(5) and 164.508(a)(4).
[49] 45 CFR §§ 164.501 and 164.508(c).
[50] 45 CFR § 154.508(c).
[51] 45 CFR § 164.512(f).
[52] 45 CFR § 164.402.
[53] 75 FR 40878 (7/14/10).
[54] 45 CFR § 164.508(c).
[55] 45 CFR § 164.508(a)(4).
[56] 45 CFR § 164.520.
[57] 45 CFR § 164.520(b)(1).
c. Other forms. Although not required, covered entities may develop other forms to ensure compliance with individual rights, such as individual requests to access PHI, amend records, or obtain an accounting of disclosures. Appendix 1 contains a list of recommended forms.

6. Execute appropriate business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing PHI to the business associate.[59] Business associates are generally those outside entities who create, receive, maintain, or transmit PHI on behalf of the covered entity.[60] The Omnibus Rule expanded the definition of “business associates” to include data storage companies, entities that provide data transmission services if they require routine access to PHI, and subcontractors of business associates.[61] If they have not done so recently, covered entities should immediately identify their business associates and ensure appropriate agreements are executed with them.

Business associate agreements must contain certain elements, including (i) a description of permissible uses or disclosures of PHI; (ii) requirements to help the covered entity respond to individual rights; and (iii) certain termination provisions.[62] In addition to previous requirements, the Omnibus Rule now requires the business associate to: (i) comply with the Security Rule[63]; (ii) execute business associate agreements with their subcontractors[64]; (iii) if the business associate carries out an obligation of a covered entity, comply with any HIPAA rule applicable to such obligation[65]; and (iv) report breaches of unsecured PHI to the covered entity.[66] Covered entities should ensure their business associate agreements contain the Omnibus Rule terms. Covered entities have until September 22, 2014 to modify business associate agreements if (i) the agreement they had in place on January 25, 2013 complied with the HIPAA rules as of that date, and (ii) the agreement does not expire or renew (other than through evergreen clauses) prior to September 22, 2014.[67]

Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to HIPAA penalties. Covered entities are generally not liable for the actions of their business associates unless the covered entity knows of a pattern of activity or practice of the business associate that constitutes a material violation of the business associate’s obligation and fails to act to cure the breach or end the violation,[68] or the business associate is acting as the agent of the covered entity.[69] To avoid liability, covered entities should ensure that business associates are acting as independent contractors, not agents of the covered entity.[70]

7. Perform and document a risk analysis. The HIPAA Security Rule applies to PHI maintained in electronic form, e.g., data on computers, mobile devices, USBs, etc.[71] Covered entities and business associates must conduct and document a risk analysis of their computer and other information systems to identify potential security risks and respond accordingly.[72] The OCR has published guidance for the risk analysis at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Covered entities and business associates should periodically review and update their risk analysis. A Massachusetts dermatology practice recently agreed to pay $150,000 for, among other things, failing to conduct an adequate risk assessment of its systems, including the use of USBs.[73]

[58] See 45 CFR § 164.520(d).
[59] 45 CFR §§ 164.308(b) and 164.502(e).
[60] 45 CFR § 160.103.
[61] 45 CFR § 160.103.
[62] 45 CFR § 164.504(e).
[63] 45 CFR § 164.314(a)(2).
[64] 45 CFR §§ 164.314(a)(2).
[65] 45 CFR § 164.504(e)(2)(ii)(H).
[66] 45 CFR §§ 164.314(a)(2)(i)(C).
[67] 45 CFR § 164.532(e).
[68] 45 CFR § 164.504(e)(1).
[69] 45 CFR § 160.402(c).
[70] 78 FR 5581.
[71] 45 CFR § 164.103.
8. Implement required safeguards. HHS recognizes that individual privacy cannot be absolutely protected; accordingly, HIPAA does not impose liability for “incidental disclosures” so long as the covered entity implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures.[74] The Security Rule contains detailed regulations specifying safeguards that must be implemented to protect e-PHI.[75] Appendix 2 contains a checklist of required security safeguards. The Privacy Rule is less specific; it simply requires that covered entities implement reasonable safeguards.[76] The reasonableness of the safeguards depends on the circumstances, but may include, e.g., not leaving PHI where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.

9. Train workforce. Having the required safeguards, policies and forms is important, but covered entities and business associates must also train their workforce members to comply with the policies and document such training.[77] HIPAA requires that new employees are trained within a reasonable period of time after hire, and as needed thereafter.[78] According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.[79] If they have not done so, covered entities should train staff and other workforce members concerning the new Omnibus Rule requirements as discussed above.

10. Respond immediately to any violation or breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.[80] It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance.[81] Second, prompt action may minimize or negate the risk that the data has been compromised, thereby allowing the covered entity or business associate to avoid self-reporting breaches to the individual or HHS.[82] Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.[83]

11. Timely report breaches. If a reportable breach of unsecured PHI occurs, business associates must promptly report the breach to covered entities,[84] and covered entities must notify the individual within 60 days.[85] If the breach involves fewer than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year.[86] If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the individual.[87] If the breach involves more than 500 persons in a state, the covered entity must notify local media.[88] The written notice to the individual must satisfy regulatory requirements concerning the manner and content of the notice.[89]

[72] 45 CFR § 164.308(a)(1).
[73] See Press Release at http://www.hhs.gov/news/press/2013pres/12/20131226a.html.
[74] 45 CFR § 164.502(a)(1); see Guidance at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html.
[75] 45 CFR §§ 164.308 to 164.316 and Appendix A to 45 CFR part 164, subpart C.
[76] 45 CFR § 164.530(c).
[77] 45 CFR § 164.530(b); see also 45 CFR §§ 164.308(a)(5) and 164.414(a).
[78] 45 CFR § 164.530(b).
[79] 75 FR 40879.
[80] 45 CFR § 164.530(d)-(f).
[81] 45 CFR §§ 164.314(a)(2) and 164.504(e)(2).
[82] 45 CFR § 164.402.
[83] 45 CFR § 160.410.
[84] 45 CFR § 164.410.
[85] 45 CFR § 164.404.
[86] 45 CFR § 164.408(c).
12. Document actions. Documenting proper actions will help covered entities defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years from the date that the document was last in effect.[90]

WHAT BUSINESS ASSOCIATES SHOULD DO TO COMPLY.

Effective September 23, 2013, the OCR may impose penalties directly against business associates of covered entities for failing to comply with HIPAA requirements. In addition, business associates may be liable to covered entities if they breach their business associate agreement. The following outline summarizes what business associates should do to minimize their potential liability under HIPAA.

1. Determine whether business associate rules apply. Out of ignorance or an abundance of caution, covered entities may ask some entities to sign business associate agreements even though the entity is not a “business associate” as defined by HIPAA. Entities should avoid assuming business associate liabilities or entering business associate agreements if they are not truly business associates. Significantly, the following are not business associates: (i) entities that do not create, maintain, use or disclose PHI in performing services on behalf of the covered entity; (ii) members of the covered entity’s workforce; (iii) other healthcare providers when providing treatment; (iv) members of an organized healthcare arrangement; (v) entities who use PHI while performing services on their own behalf, not on behalf of the covered entity; and (vi) entities that are mere conduits of the PHI.[91]

2. Execute and comply with valid business associate agreements. Entities that are business associates must execute and perform according to written business associate agreements that essentially require the business associate to maintain the privacy of PHI; limit the business associate’s use or disclosure of PHI to those purposes authorized by the covered entity; and assist covered entities in responding to individual requests concerning their PHI.[92] The OCR has published sample business associate agreement language on its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

Covered entities may sometimes add terms or impose obligations in business associate agreements that are not required by HIPAA. Business associates should review business associate agreements carefully to ensure they do not unwittingly assume unintended obligations, such as indemnification provisions or requirements to carry insurance. Conversely, business associates may want to add terms to limit their liability, such as liability caps, mutual indemnification, etc.

3. Execute valid subcontractor agreements. If the business associate uses subcontractors or other entities to provide any services for the covered entity involving PHI, the business associate must execute business associate agreements with the subcontractors, which agreements must contain terms required by the regulations.[93] The subcontractor becomes a business associate subject to HIPAA.[94] The subcontractor agreement cannot authorize the subcontractor to do anything that the business associate could not do under the original business associate agreement with the covered entity.[95] Thus, business associate obligations are passed downstream to subcontractors.[96] As with covered entities, business associates are not liable for the business associate’s HIPAA violations unless the business associate was aware of a pattern or practice of violations and failed to act,[97] or the subcontractor is the agent of the business associate.[98] To be safe, business associates should confirm that their subcontractors are independent contractors.

[87] 45 CFR § 164.408(b).
[88] 45 CFR § 164.406.
[89] 45 CFR § 164.404(c)-(d).
[90] 45 CFR §§ 164.316(b), 164.414(a), and 164.530(j).
[91] 45 CFR § 160.103; 78 FR 5571 (1/25/13).
[92] 45 CFR 164.504(e).
[93] 45 CFR §§ 164.314(a)(2) and 164.504(e)(1).
[94] 45 CFR 160.103.
[95] 45 CFR §§ 164.314(a)(2) and 164.504(e)(5).
4. Comply with privacy rules. Most of the Privacy Rule provisions do not apply directly to business
associates,99 but because business associates cannot use or disclose PHI in a manner contrary to the limits
placed on covered entities,100 business associates will likely need to implement many of the same policies
and safeguards that the Privacy Rule mandates for covered entities, including rules governing uses and
disclosures of PHI and individual rights concerning their PHI. Those are typically outlined in the business
associate's agreement with the covered entity.101 Business associates should generally be aware of the
Privacy Rule requirements along with any additional limitations or restrictions that the covered entity may
have imposed on itself through its notice of privacy practices or agreements with individuals. Among other
things, business associates must generally limit their requests for or use or disclosure of PHI to the minimum
necessary for the intended purpose.102
5. Perform a Security Rule risk analysis. Unlike the Privacy Rule, business associates are directly
obligated to comply with the Security Rule.103 Thus, like covered entities, business associates must conduct
and document an appropriate risk analysis as described above.104
6. Implement Security Rule safeguards. Also like covered entities, business associates must implement
the specific administrative, technical and physical safeguards required by the Security Rule as described
above.105 Appendix 2 contains a list of Security Rule requirements.
7. Adopt written Security Rule policies. As with covered entities, business associates must adopt and
maintain the written policies required by the Security Rule106 as described in Appendix 2.
8. Train personnel. Unlike for covered entities, the Privacy and Breach Notification Rules do not
affirmatively require business associates to train their workforce members, but the Security Rule does.107
As a practical matter, business associates will need to train their workforce concerning the HIPAA rules to
comply with the business associate agreement and HIPAA regulations. Documenting such training may
prevent HIPAA violations and/or avoid allegations of willful neglect if a violation occurs.
9. Respond immediately to any violation or breach. The Privacy Rule does not impose any specific
requirement on business associates to mitigate violations, but many business associate agreements do.
Even if not required by rule or contract, business associates will want to respond immediately to any real or
potential violation to mitigate any unauthorized access to PHI and reduce the potential for HIPAA penalties.
Remember: timely action to correct a violation within 30 days is a key to avoiding or reducing HIPAA
penalties.108
10. Timely report security incidents and breaches. Business associates must notify the covered entity of
certain threats to PHI. First, business associates must report breaches of unsecured PHI to the covered
entity so the covered entity may report the breach to the individual and HHS.109 Second, the business
associate must report uses or disclosures that violate the business associate agreement with the covered
entity, which would presumably include uses or disclosures in violation of HIPAA even if not reportable under
the breach notification rules.110 Third, business associates must report “security incidents”, a term defined
to include the “attempted or successful unauthorized access, use, disclosure, modification, or destruction of
PHI or interference with system operations in a PHI system.”111
96 78 FR 5573 (1/25/13).
97 45 CFR § 164.504(e)(1).
98 45 CFR § 160.402(c).
99 78 FR 5591 (1/25/13).
100 45 CFR § 164.504(e)(2); 78 FR 5591 (1/25/13).
101 See 45 CFR § 164.502(e).
102 45 CFR § 164.502(b)(1).
103 45 CFR § 164.314(a)(2).
104 45 CFR § 164.308(a)(1).
105 45 CFR §§ 164.306(a), 164.308(a), 164.310, and 164.312.
106 45 CFR § 164.316.
107 45 CFR § 164.308(a)(5).
108 45 CFR § 160.410.
11. Maintain required documentation. Business associates must maintain the documents required by the
Security Rule for six years from the document's last effective date.112 Although not required, documenting
other acts in furtherance of compliance may help negate any allegation of willful neglect.
BEWARE MORE STRINGENT LAWS.
In evaluating their compliance, covered entities and business associates must also consider other
federal or state privacy laws. To the extent a state or other federal law is more stringent than HIPAA,
covered entities and business associates should comply with the more restrictive law, including conditions
of participation or licensing regulations that may apply to certain facilities. 113 In general, a law is more
stringent than HIPAA if it offers greater privacy protection to individuals, or grants individuals greater
rights regarding their PHI.114
CONCLUSION.
Like covered entities, business associates must now comply with HIPAA or face draconian
penalties. As many businesses have recently learned, even seemingly minor or isolated security lapses
may result in major fines and business costs. Fortunately, however, covered entities and business
associates may avoid mandatory fines and minimize their HIPAA exposure by taking and documenting
the steps outlined above. Accordingly, in addition to updating their policies and practices to comply with
new Omnibus Rule requirements discussed above, covered entities should use this outline to evaluate
and, where needed, upgrade their overall HIPAA compliance.
109 45 CFR § 164.410.
110 45 CFR § 164.504(e)(2).
111 45 CFR § 164.304.
112 45 CFR § 164.316(a)(2).
113 45 CFR § 160.203.
114 45 CFR § 160.202.
APPENDIX 1
HIPAA PRIVACY CHECKLIST
The following summarizes required and recommended privacy policies and forms per the HIPAA Privacy
Rule. Additional policies are required by the HIPAA Security Rule. Covered entities and business
associates should ensure that they have required policies in place to minimize or avoid penalties under
the HIPAA regulations. The citations are to 45 CFR Part 164. For additional resources concerning
Privacy Rule requirements and compliance assistance, see the Office of Civil Rights privacy website,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html. The Privacy Rule is subject to
periodic amendment. Users should review the current rule requirements to ensure continued compliance.
Policies

HIPAA Privacy Rule Reference  |  Policy  |  Status (Complete, N/A)

Use and Disclosure: General Rules
164.506  Consent is implied for treatment, payment and health care operations; no written authorization is required except for psychotherapy notes.
164.510  Providing notice and a chance for the patient to agree or object is sufficient for certain disclosures, including disclosures to family members or others involved in the patient's care; for facility directories; and to provide notice in emergency situations.
164.512  Certain disclosures may be made per regulatory exceptions subject to specific conditions, e.g., uses or disclosures required by law; to avert a serious and imminent threat to health or safety; for public health activities; in response to a court order or subpoena; to law enforcement, etc.
164.508  Authorizations are generally required for all other uses or disclosures, including uses or disclosures of psychotherapy notes; for most marketing activities; sale of protected health information; etc. Include the elements for a valid authorization.

Use and Disclosure: Special Rules
164.514(f)  Fund raising uses or disclosures generally require authorization except in limited circumstances.
164.512(i)  Research generally requires authorization unless certain conditions are met.
164.502(f)  Privacy protection continues after death for a period of 50 years.
164.502(g)  Personal representatives and parents of unemancipated minors are generally entitled to access information and exercise other patient rights, subject to certain exceptions.
164.514(h)  Covered entities should verify a requesting person's identity and authority before disclosing information.
164.502(d); 164.514(e)  Covered entities may “de-identify” information, thereby avoiding HIPAA restrictions.
164.530(c)  Safeguards for facsimiles, e-mails, and telephone communications may be appropriate. (Not expressly required by privacy regulations, but may help satisfy safeguards per 164.530(c).)

Minimum Necessary Standard
164.502(b)  Limit use or disclosure to the minimum necessary to accomplish the purpose, subject to specified situations.
164.514(d)  Define and limit workforce members' access to protected information.
164.514(d)  Establish protocols for routine disclosures, and processes for handling others on an individual basis.
164.514(d)  Establish protocols for routine requests for information, and processes for handling others on an individual basis.
164.514(d)  Do not request the entire record if not necessary.

Patient Rights
164.522(a)  Right to request additional restrictions on use or disclosure for treatment, payment or health care operations; however, the provider is not obligated to agree to restrictions except in limited situations.
164.522(b)  Right to request alternative means or location of communications, including process for requesting alternatives and limitations on requests.
164.524  Right to access protected health information, including process for requesting access; time limits and process for responding; bases for denials; and determination of reasonable costs.
164.526  Right to amend protected health information, including process for requesting amendments; time limits and process for responding; bases and process for denials; attaching amendments or requests; and notifying others about requests.
164.528  Right to request an accounting of disclosures of protected health information, including process for capturing information for the accounting; process for requesting the accounting; time limits and process for responding; and limitations on requests.

Notice of Privacy Practices
164.520  Provision and posting of notice.
164.520  Good faith efforts to obtain acknowledgment.

Business Associates
164.502(e); 164.504(e)  Process for obtaining business associate contracts; taking action for violations; and obtaining information from business associates to comply with the provider's responsibilities.
Notification Requirements for Breaches of Unsecured Protected Health Information
164.402  Identifying when a breach occurs.
164.402  Securing protected health information.
164.404  Notice to individuals, including timing, content, and providing substitute notice.
164.408  Notice to HHS, including annual and immediate notices to HHS, timing, and content. The HHS electronic reporting process may be accessed through the OCR's HIPAA website, http://www.hhs.gov/ocr/privacy/.
164.406  Notice to the media, including form, timing and content.
164.410  Notice by business associates, including timing and required information.
164.412  Delay in notice at request of law enforcement.

Administrative Requirements
164.530(a)  Designation of privacy officer and contact person.
164.530(b)  Training existing and new members of the workforce.
164.530(c)  Use of technical, administrative, and physical safeguards to avoid improper or incidental disclosures.
164.530(e)  Sanctions against workforce members for violation of policies and regulations.
164.530(d)  Patient complaints, including the process for complaining and responding to complaints.
164.530(f)  Mitigation of improper disclosures.
160.410  Correction of any violations within 30 days to avoid penalties.
164.530(g)  No retaliation or intimidation against patients or others who exercise HIPAA rights.
164.530(h)  No conditioning treatment on a waiver of HIPAA rights.
164.530(i)  Document retention, including identifying documents that must be retained and the period of retention.

Forms

HIPAA Privacy Rule Reference  |  Form  |  Status (Complete, N/A)

164.520  Notice of privacy practices.
164.520  Acknowledgment of receipt of privacy practices.
164.504(e)  Business associate contract.
164.514(e)  Data use agreement (if used).

Use and Disclosure Forms
164.508(c)  Authorization.
164.510  Objection to disclosure per 164.510.
164.514(f)  Opt-out of fundraising.

Patient Rights Forms
164.522(a)  Request for additional restrictions on use or disclosure / denial of request.
164.522(a)  Notice of denial of request.
164.522(b)  Request for alternative means or location for communication / action on request.
164.522(b)  Notice of denial of request.
164.524  Request for access to information / action on request.
164.524(d)  Notice of denial of request.
164.526  Request for amendment of information / action on request.
164.526(d)  Notice of denial of request.
164.528  Request for accounting of information / action on request.
164.528(b)  Accounting log.
164.528  Notice of denial of request.

Administrative Requirements
164.530(a)  Privacy officer designation.
164.530(a)  Contact officer designation.
164.530(b)  Employee training certification.
164.530(d)  Complaint form / action on complaint.
164.530(f)  Privacy violation report form / action in response to incident (including documentation of sanctions).
164.408  Log of breaches reportable to HHS on an annual basis.
APPENDIX 2
HIPAA SECURITY CHECKLIST
NOTE: The following summarizes HIPAA Security Rule requirements that should be implemented by
covered entities and business associates and addressed in applicable policies. The citations are to
45 CFR § 164.300 et seq. For additional resources concerning Security Rule requirements and
compliance assistance, see the Office of Civil Rights website relating to the Security Rule,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html. The Security Rule is subject
to periodic amendment. Users should review the current rule requirements to ensure continued
compliance.
HIPAA Security Rule Reference  |  Safeguard ((R) = Required, (A) = Addressable)  |  Status (Complete, N/A)

Administrative Safeguards
164.308(a)(1)(i)  Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
164.308(a)(1)(ii)(A)  Has a risk analysis been completed in accordance with NIST guidelines? (R)
164.308(a)(1)(ii)(B)  Has the risk management process been completed in accordance with NIST guidelines? (R)
164.308(a)(1)(ii)(C)  Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)
164.308(a)(1)(ii)(D)  Have you implemented procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking? (R)
164.308(a)(2)  Assigned security responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
164.308(a)(3)(i)  Workforce security: Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information (EPHI), as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to EPHI.
164.308(a)(3)(ii)(A)  Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A)
164.308(a)(3)(ii)(B)  Have you implemented procedures to determine that an employee's access to EPHI is appropriate? (A)
164.308(a)(3)(ii)(C)  Have you implemented procedures for terminating access to EPHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(B) of this section? (A)
164.308(a)(4)(i)  Information access management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.
164.308(a)(4)(ii)(A)  If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A)
164.308(a)(4)(ii)(B)  Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A)
164.308(a)(4)(ii)(C)  Have you implemented policies and procedures that, based upon your access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A)
164.308(a)(5)(i)  Security awareness and training: Implement a security awareness and training program for all members of the workforce (including management).
164.308(a)(5)(ii)(A)  Do you provide periodic information security reminders? (A)
164.308(a)(5)(ii)(B)  Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A)
164.308(a)(5)(ii)(C)  Do you have procedures for monitoring log-in attempts and reporting discrepancies? (A)
164.308(a)(5)(ii)(D)  Do you have procedures for creating, changing, and safeguarding passwords? (A)
164.308(a)(6)(i)  Security incident procedures: Implement policies and procedures to address security incidents.
164.308(a)(6)(ii)  Do you have procedures to identify and respond to suspected or known security incidents; to mitigate them to the extent practicable; to measure harmful effects of known security incidents; and to document incidents and their outcomes? (R)
164.308(a)(7)(i)  Contingency plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems that contain EPHI.
164.308(a)(7)(ii)(A)  Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (R)
164.308(a)(7)(ii)(B)  Have you established (and implemented as needed) procedures to restore any loss of EPHI data stored electronically? (R)
164.308(a)(7)(ii)(C)  Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of EPHI while operating in emergency mode? (R)
164.308(a)(7)(ii)(D)  Have you implemented procedures for periodic testing and revision of contingency plans? (A)
164.308(a)(7)(ii)(E)  Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A)
164.308(a)(8)  Have you established a plan for periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart? (R)
164.308(b)(1)  Business associate contracts and other arrangements: A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a), that the business associate appropriately safeguards the information.
164.308(b)(4)  Have you established written contracts or other arrangements with your trading partners that document the satisfactory assurances required by paragraph (b)(1) of this section and that meet the applicable requirements of Sec. 164.314(a)? (R)

Physical Safeguards
164.310(a)(1)  Facility access controls: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed.
164.310(a)(2)(i)  Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan? (A)
164.310(a)(2)(ii)  Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A)
164.310(a)(2)(iii)  Have you implemented procedures to control and validate a person's access to facilities based on his/her role or function, including visitor control, and control of access to software programs for testing and revision? (A)
164.310(a)(2)(iv)  Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)? (A)
164.310(b)  Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)
164.310(c)  Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)
164.310(d)(1)  Device and media controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
164.310(d)(2)(i)  Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored? (R)
164.310(d)(2)(ii)  Have you implemented procedures for removal of EPHI from electronic media before the media are made available for reuse? (R)
164.310(d)(2)(iii)  Do you maintain a record of the movements of hardware and electronic media and the person responsible for their movement? (A)
164.310(d)(2)(iv)  Do you create a retrievable, exact copy of EPHI, when needed, before moving equipment? (A)
Technical Safeguards
164.312(a)(1)  Access controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
164.312(a)(2)(i)  Have you assigned a unique name and/or number for identifying and tracking user identity? (R)
164.312(a)(2)(ii)  Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R)
164.312(a)(2)(iii)  Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)
164.312(a)(2)(iv)  Have you implemented a mechanism to encrypt and decrypt EPHI? (A)
164.312(b)  Have you implemented audit controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)
164.312(c)(1)  Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction.
164.312(c)(2)  Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A)
164.312(d)  Have you implemented person or entity authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R)
164.312(e)(1)  Transmission security: Implement technical security measures to guard against unauthorized access to EPHI being transmitted over an electronic communications network.
164.312(e)(2)(i)  Have you implemented security measures to ensure electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)
164.312(e)(2)(ii)  Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)