Addressing HIPAA and HITECH Compliance Challenges
HIPAA and HITECH regulations were designed and enacted to increase the security surrounding personal health information and keep it away from those who should not have access to it. Next to finance, the healthcare industry is one of the most regulated industries around. While debates on the cost, structure, and delivery of healthcare continue, most people agree that keeping personal healthcare information out of the hands of others is paramount.
IT professionals charged with meeting the compliance regulations that lock such information down face numerous challenges when transferring large files containing sensitive ePHI and EHR data to pharmacies, clinics, insurance companies, and more. Complying with trading partner requirements surrounding EDI X12 can add another layer of complexity. A robust software solution, such as managed file transfer (MFT), can help ease some of these burdens.
When rapidly adopting health information technology such as EHR software, organizations may be tempted to use familiar but unsecure file transfer methods, which leave healthcare providers open to vulnerabilities and data breaches. It’s critical for organizations to secure their data and update their business processes to ensure they meet HIPAA and HITECH’s strict compliance requirements.
HIPAA and HITECH: A Brief Recap
HIPAA (the Health Insurance Portability and Accountability Act) is the most familiar compliance regulation, having been passed 25 years ago. The act helps assure that an individual’s health information is properly protected while allowing for the essential flow of health information needed to provide healthcare.
The slightly newer HITECH (Health Information Technology for Economic and Clinical Health) Act adds heft to the civil and criminal enforcement of regulations that already exist under HIPAA, which require health organizations and their business partners to report data breaches. It also increases the penalties for security violations.
Data Breach Notification
Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost, or even transmitted in an unencrypted fashion.
If such a breach – or potential breach – affects 500 people or more, the media must also be notified. Breaches of all sizes must always be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals’ records are affected, healthcare organizations can report the breach via the HHS website on an annual basis. Larger breaches must be reported to HHS within 60 days.
Penalties for Data Breach
The HITECH Act implements a four-tier system of financial penalties, assessed based on the level of “willful neglect” the healthcare organization demonstrated in relation to the breach. Fines range from $100 per breached record for unintended violations all the way up to $50,000 per record (with an annual cap of $1.5 million) when “willful neglect” is demonstrated.
Access to Electronic Health Records (EHRs)
HITECH requires that the software that a health organization uses to manage its EHRs must make a person’s electronic PHI records available to the patient and yet remain protected from data breach by encrypting the data and securing the connection.
Not surprisingly, email is not considered a secure method of data transmission. Adopting strong encryption protocols provides substantial data protection.
HITECH Addresses Business Associate Risks
Before HITECH, business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI. HITECH now requires that all business associates with access to PHI are subject to the HIPAA rules and must maintain Business Associate Agreements with the healthcare organization that provides the PHI. Business associates are also required to report any data breaches and they too are subject to the same penalties as their healthcare business partners.
EHR File Movement Via MFT
Secure file transfer gives healthcare organizations a safe, streamlined way to send large files and sensitive ePHI and EHR data to hospitals, clinics, pharmacies, and insurance companies while complying with EDI X12 trading partner requirements.
With a robust file transfer solution in place, health providers can trust that their patient information is encrypted both in transit and at rest, inside or outside the organization’s private network. EDI Here can safeguard sensitive ePHI and EHR data, is easy to implement, and requires no programming experience to use, so teams can get up and running STAT.
MFT Can Help Cure Healthcare Compliance Aches and Pains
The EDI-as-a-Service can help meet stringent compliance requirements by:
- Encrypting data using FIPS 140-2 compliant AES and Triple DES algorithms
- Securing patient data transfers to HHS or the CDC
- Translating data into EDI X12 format and converting EDI X12 documents to other formats
- Securing medication records collection from pharmacies
- Authenticating all users so only intended parties can access data
Need Help with Your HIPAA and HITECH Compliance?
The EDI-as-a-Service from EDI Here can help healthcare organizations achieve HIPAA- and HITECH-compliant file transfers and offers easy translations to and from EDI X12. Check out this datasheet for more details.