Any healthcare organization that stores, processes or transmits personal health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act and safeguard all protected data. The related HITECH Act mandates securing a new regime of electronic health records (EHR) — and imposes heavy penalties on organizations that fail to do so. Compliance entails deploying the security controls and processes that satisfy these laws. This page provides background information about security under HIPAA and HITECH and describes how solutions from Grow-High help practices become compliant.
HIPAA is U.S. Public Law 104-191 — the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve the health care delivered by the nation's health plans and providers. HIPAA mandates standards-based implementations of security controls by all healthcare organizations that create, store or transmit electronic protected health information. The HIPAA Security Rule governs protection of PHI. Organizations must certify their security programs via self-certification or through a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.
HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA and was part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply "meaningful use" of security technology to ensure the confidentiality, integrity and availability of protected data. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).
People expect healthcare organizations to keep their personal health information confidential and safe from data breaches and misuse of that information. Healthcare organizations are also well aware that penalties for non-compliance with HIPAA can be substantial. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.
Security is a crucial part of HIPAA. The Department of Health and Human Services states, "[It] is important to recognize that security is not a one-time project, but rather an ongoing, dynamic process." HIPAA therefore requires security-related processes, many of which are best implemented with automated technology. HIPAA regulations do not mandate particular security technologies. Instead, they specify a set of principles for guiding technology choices — Grow-High helps enforce those principles, which lets our clients identify, attain and maintain their HIPAA goals.
Your practice's compliance policy should address two important factors: first, selecting and implementing security measures that meet HIPAA / HITECH requirements, and second, strict monitoring and regular auditing of those security measures to ensure continuous protection of all patient health information and health records. Providing an independent assessor with audit-quality documentation of these steps and of your security measures simplifies compliance audits.
Grow-High identifies compliance gaps and puts an immediate plan of action in place to close them with key HIPAA security measures. We help clients discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external HIPAA policies.