ControlCase is a global provider of IT Certification and Continuous Compliance services.
ControlCase is an accredited HITRUST assessor certified by the HITRUST Alliance.
Cut Time and Costs for HIPAA Compliance
Simplify and Automate the HITRUST, HIPAA Compliance Process
BEGIN YOUR HITRUST, HIPAA Compliance JOURNEY NOW!
Our offerings enable clients to effectively manage their IT Governance, Risk Management and Compliance Management efforts
1
Receive PCI, ISO 27001, SOC-2, HITRUST and HIPAA as part of your compliance process
2
Partnership approach
3
Our technology empowers on-time, seamless and continuous compliance
Contact us today!
USA
+1.703.483.6383
CANADA
+1.416.900.1272
UK / EUROPE
+44.734.120.5513
INDIA / GULF REGION
+91.22.50323006
ASIA PACIFIC
+66.21056164
FREQUENTLY ASKED QUESTIONS
1
What does HIPAA stand for?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996.
2
What is HIPAA Law?
HIPAA is a federal law that details national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
3
What is HIPAA Privacy Rule?
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information (known as “protected health information” or “PHI”) by entities subject to the Privacy Rule (known as “covered entities”).
4
What is PHI?
PHI stands for Personal Health Information. It refers to health information that can be tied to an individual.
5
• Healthcare providers -Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions.
• Health plans - Entities that provide medical care or pay the cost of medical care.
• Healthcare clearinghouses - Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
• Business associates - person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Who does HIPAA apply to?
HIPAA covered entities includes:• Healthcare providers -Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions.
• Health plans - Entities that provide medical care or pay the cost of medical care.
• Healthcare clearinghouses - Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.
• Business associates - person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
6
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for ‘willful neglect’
• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI
• Institutes third party management and monitoring as ‘due diligences and ‘due care’ provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
What is HITECH?
HITECH stands for Health Information Technology for Economic and Clinical Health Act. HITECH:• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for ‘willful neglect’
• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI
• Institutes third party management and monitoring as ‘due diligences and ‘due care’ provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
7
• Security Rule - Includes Administrative, Technical and Physical safeguards for protecting PHI.
• Breach Notification – in case of a breach, ensures covered entities and business associates notify affected parties within the time periods specified or face penalties.
• Business Associate & Subcontractors - Must comply directly with the HIPAA Regulation as well as identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective covered entities.
What are the HIPAA Requirements?
• Privacy Rule - Requires appropriate safeguards to protect the privacy of personal health information.• Security Rule - Includes Administrative, Technical and Physical safeguards for protecting PHI.
• Breach Notification – in case of a breach, ensures covered entities and business associates notify affected parties within the time periods specified or face penalties.
• Business Associate & Subcontractors - Must comply directly with the HIPAA Regulation as well as identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective covered entities.
8
• Finalization of interim rules outlined in the HITECH act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an on-going monitoring process for the organization’s security programs and processes
What is the OMNIBUS Rule?
The Omni-bus rule is:• Finalization of interim rules outlined in the HITECH act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an on-going monitoring process for the organization’s security programs and processes
9
HIPAA vs HITECH
Both HIPAA and HITECH are equally important. Covered Entities and Business Associates must comply with both Acts if they create, use, transmit or store Protected Health Information.
10
What does HIPAA protect?
HIPAA protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.
11
Who enforces HIPAA?
The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR).
12
What is considered a breach of HIPAA?
A HIPAA violation is when a HIPAA covered entity or a business associate fails to comply with one or more of the provisions of the HIPAA Privacy, Security or Breach Notification Rules
13
The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.
• Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
• Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
• Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
• Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
What are the consequences of violating HIPAA?
Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.
• Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
• Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
• Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
• Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
14
• Tier 1: Minimum fine of $100 per violation up to $50,000
• Tier 2: Minimum fine of $1,000 per violation up to $50,000
• Tier 3: Minimum fine of $10,000 per violation up to $50,000
• Tier 4: Minimum fine of $50,000 per violation
What is the HIPAA violation penalty structure?
The HIPAA violation penalty structure is:• Tier 1: Minimum fine of $100 per violation up to $50,000
• Tier 2: Minimum fine of $1,000 per violation up to $50,000
• Tier 3: Minimum fine of $10,000 per violation up to $50,000
• Tier 4: Minimum fine of $50,000 per violation