04-11-19 | References



What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It specifies laws for the protection and use of Personal (or Protected) Health Information (PHI), which is essentially your medical record.

What is HITECH?

In 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed to update the HIPAA rules and to provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records were now in digital form and therefore needed new rules for protection and availability.

What does HIPAA cover?

HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

There are three things that HIPAA requires:

  1. Integrity of information – the medical record must be accurate.
  2. Confidentiality – the medical record should only be seen by those with a need to know, and all uses of that data should be knowable by the individual.
  3. Availability – the medical record must be available; in essence, no reasonably avoidable downtime.

Why do these Acts exist?

HIPAA was intended to ease the sharing of Personal Health Information (PHI) between entities that have a need to know while maintaining an acceptable and reasonable level of privacy to the individual whose information is at stake.

HITECH was intended to fund and define sharing rules for Electronic Medical Records (EMR) to further their use in hopes of curtailing growing health care costs.

Who’s the Boss for these rules?

The Acts are administered by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). It is the OCR that has the authority to enforce, audit, fine and charge companies and individuals for violations of the Acts. The OCR interprets the law in the Acts and writes the rules and regulations.

What are the rules and regulations?

The rules and regulations are documented in the Code of Federal Regulations (CFR). Parts 160 and 164 of the CFR are the two that pertain to HIPAA. When someone says they adhere to HIPAA rules, it means they adhere to the paragraphs in the Parts. For example, one of the paragraphs says:

Paragraph 164.308(a)(1)(i) Standard: Security Management Practices—Implement policies and procedures to prevent, detect, contain, and correct security violations.

We are then required to do precisely what it says—prevent, detect, contain and correct security violations. At Otava, we have such a written policy and in that documented policy we reference this paragraph number. Note that these rules say nothing about how you achieve these objectives—that is what we decide and document in our policies.

What do the rules say Otava must do (and not do)? 

Mostly they say we must:

  • Protect the Availability, Integrity and Confidentiality of PHI
  • Have a Business Associates Agreement (BAA) with clients who have PHI
  • Report any misuse of PHI to the OCR (yes, we actually must snitch if we see violations of the statutes).

They do not specify any particular technology platform or design, just that you must secure the data. There are industry best practices that the regulators assume you will follow; if you do not, they would likely consider you negligent.

We do NOT access client data. We never open a file on a client’s server or look in their database. Our backup and restore process takes a file directly from the server and during restore the file is written directly back to the server. Our operations staff does not have access to the file.

Everyone in the company is trained in the policies that support our HIPAA compliance. This training was added to the annual security training we already conduct.

What part of the HIPAA requirements does Otava meet? 164.308? 164.310? or 164.312?

Otava meets all of the HIPAA requirements, including 164.308, 164.310 and 164.312.

What are the penalties?

The penalties for violating HIPAA rules are severe. They range from $100 to $50,000 per violation (or per record), up to a maximum of $1,500,000 per year, and can carry criminal charges that could result in jail time. They are incurred if unencrypted PHI (or ePHI, Electronic Personal Health Information) covering more than 500 records is released to the public.

This is serious stuff.

The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”. Within each category, there are 2 tiers.

Reasonable Cause ranges from $100 to $50,000 per incident (release of 500 medical records) and does not involve any jail time.

Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

What does it mean to have a HIPAA Audit?

Otava passed the HIPAA audit with 100% compliance against the latest OCR HIPAA Audit Protocol. Our HIPAA hosting and HIPAA compliant data centers provide physical, logical, network and infrastructure security you need to meet HIPAA standards.

Does a HIPAA audit report require an NDA?

Yes, an NDA (non-disclosure agreement) is required.

What services from Otava help make me compliant?

Neither HIPAA nor HITECH calls for specific technical measures to ensure data is available, accurate and secure. However, for clients who will be required to pass a HIPAA audit, we recommend many of the same procedures and technologies that we deploy for ourselves and that were covered by our own HIPAA audit. These include:

  • Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access
  • Managed Cloud Server (good for the availability issue)
  • Production: Separate database and web servers
  • Separate test server (can use one for web and DB but not same as production)
  • Offsite Backup at a minimum, IT Disaster Recovery is better
  • SSL certificates and HTTPS for all web-based access to PHI
  • Set up private IP addresses

Does choosing Otava make the client compliant?

No. The client still has to go through an audit to check their own processes and procedures.

We sign a BAA and our policies and procedures have been audited for HIPAA compliance. If you follow our rules and sign our BAA, you should be as compliant as you were before. Any competitor who is not HIPAA compliant cannot make that statement.

Clients reduce their auditing costs because we have a BAA that their auditor can review rather than having to audit us as well.

What are the minimum security requirements for managed servers and cloud servers to meet HIPAA?

  • Virtual or Dedicated Firewall
  • Backup
  • Antivirus
  • OS Patch Management

What about Encryption, is it required?

No. Encryption is not required, but it is strongly suggested. Why? PHI that is released in encrypted form does not count as a release, provided it is encrypted to the NIST standard (see the Federal Information Processing Standards: Advanced Encryption Standard (AES)). So while you don’t have to encrypt data, it is best practice to do so while it is stored in the database, and especially while it is in transit.

What’s the best way to encrypt PHI?

Encryption requires decryption prior to use, which is computationally expensive, so you can’t simply encrypt everything on the server. The best tools and methods depend on the application, operating system and usage patterns.

A few things clients should consider:

  1. Always use SSL for web-based access to any sensitive data (personally identifying or medical information).
  2. Name, SSN, diagnosis, addresses, prognosis and other sensitive information within an EMR system should be encrypted in the database using techniques and mechanisms known only to a select few.
  3. Content such as images or scans should be encrypted and should contain no personally identifying information.
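As an added illustration (not code from this page or from Otava), the following Go program shows field-level encryption of the PHI columns named in item 2 with AES-256-GCM from the standard library, leaving a surrogate key in clear so rows stay queryable; the column list, the record values and the key handling are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Columns the FAQ lists as needing encryption at rest (constructed list); a surrogate key such as patient_id stays in clear.
var phiFields = map[string]bool{"name": true, "ssn": true, "address": true, "diagnosis": true, "prognosis": true}

// sealField returns base64(nonce || AES-GCM ciphertext); the column name is the AAD, so a ciphertext cannot be moved to another column.
func sealField(gcm cipher.AEAD, col, val string) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(val), []byte(col))), nil
}
// openField reverses sealField; a tampered or mis-filed ciphertext fails authentication.
func openField(gcm cipher.AEAD, col, val string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(val)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext in column " + col)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(col))
	return string(pt), err
}
// transform applies op to every PHI column of rec; non-PHI columns pass through unchanged.
func transform(key []byte, rec map[string]string, op func(cipher.AEAD, string, string) (string, error)) (map[string]string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256 (FIPS 197)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	out := make(map[string]string, len(rec))
	for col, val := range rec {
		out[col] = val
		if phiFields[col] {
			if out[col], err = op(gcm, col, val); err != nil {
				return nil, err
			}
		}
	}
	return out, nil
}
// EncryptRecord runs before INSERT and DecryptRecord after SELECT, in the application tier where the key lives.
func EncryptRecord(key []byte, rec map[string]string) (map[string]string, error) { return transform(key, rec, sealField) }
func DecryptRecord(key []byte, rec map[string]string) (map[string]string, error) { return transform(key, rec, openField) }
```

The key must be held outside the database (a key management service or HSM) so that a dump of the database alone never reveals PHI.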

What are some other best practices?

There are a few things that clients should do that will help with their audit:

  • Document data management, security, training and notification plans
  • Enforce a password policy for their access
  • Encrypt PHI data whether it’s in a database or in files on the server
  • Do not use public FTP. Use other methods to move files
  • Only use VPN access for remote access
  • Build login retry protection into their application
  • Document a disaster recovery plan

What is a Business Associate (BA)?

There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access of the information. A hospital or an insurance company is a CE.

A BA is someone who a CE uses for services and who needs access to the PHI of the CE’s patients to perform some level of service. A traditional BA is a bill processing company that sends medical invoices and processes payments. They have and need access to the patient information (name, address) and the medical record (diagnosis code, charge etc.) to perform the work for the CE.

Since the HIPAA omnibus rule changes have been implemented, cloud service providers and other hosting providers are now considered BAs.

Why is Otava a Business Associate?

It’s becoming accepted in our industry: even though we have no need to access PHI, the healthcare market demands that hosting and managed service providers sign a Business Associates Agreement.

We are a BA because the statute defines us as one. It is our attorney’s belief that we could make the case that we are not one, because we do not, in the normal course of operation, need any access to PHI to perform any of our contracted work.

So, we’re a BA to a CE. For example, a client of ours is a hospital, so they are a CE. They are required to have a specific agreement with us called a Business Associates Agreement (BAA) because we possibly have access or affect the availability of the PHI on their servers in our data center.

Tell me more about this Business Associates Agreement

The Business Associates Agreement is a 3-page document we have that clients with PHI in our data center will need to sign. It gives us authority to access information on their servers (even though we don’t need it) and codifies our commitment to follow the rules.

When is a BAA required?

Whenever a client is storing, processing or transmitting protected health information (PHI) from Otava’s data centers.

Does a BAA require an NDA?

No, no NDA (non-disclosure agreement) is required.

Still have questions? Contact us to learn more.


© 2024 OTAVA® All Rights Reserved