You need to be familiar with EPHI and the answer to each of the above questions; otherwise, you could be in real trouble if you are found to have a fiduciary obligation to comply with HIPAA’s “Security Rule” or and failed to do so. A compliance audit by the federal government be could be disastrous for your organization.
HIPAA’s security rule, also known as “Electronic Protected Health Information” or EPHI, became effective for “covered entities” on April 20, 2006. Those individuals and organizations that are subject to regulations must be able to document that required information processing procedures are in place and reasonably implemented so as to provide for an appropriate level of administrative, physical and technical safeguards.
Electronic Protected Health Information and related revisions establish a full range of security standards for the administrative, physical and technical safeguards to assure protected healthcare information. The scope of EPHI is significant.
What is a covered entity? A covered entity is any provider of healthcare services or business associates who hold (store) or transmit any protected healthcare information in a digital or electronic format. Any health care plan provider, for example, would be considered a “covered entity”. Healthcare professionals including physicians, dentists, psychologists and psychiatrists are all covered entities. So are any business associates who have access to the PHI information (including home healthcare organization and medical supply companies).
There are five (5) main categories or sections that are included in HIPAA's security rule. The following broad topical areas are covered:
a. Administrative Safeguards – which examine formal actions taken by the covered entity to manage and affect the security of electronic private health information. There are nine (9) standards and twenty-one (21) Implementation Specifications.
b. Physical Safeguards – refer to those measures taken that relate to physically protecting electronic private health information. There are four (4) standards and eight (8) Implementation Specifications.
c. Technical Safeguards – which include the manner in which technology is used to secure electronic private health information. There are five (5) standards and seven (7) Implementation Specifications.
d. Organizational Requirements – which refer to the way in which an organization operates while providing security for electronic private health information. There are two (2) standards and three (3) Implementation Specifications
e. Policies and Procedures and Documentation Requirements – which relate to the existence and viability of policies and procedures to protect electronic private health information in the threat environment. There are two (2) standards and three (3) Implementation Specifications
Each broad category mentioned above has a number of “Implementation Specifications” that are either “Addressable” or “Required” of the covered entity. Discerning the exact meaning of the implementation specifications as well as the difference between “addressable” and “required”, is a significant challenge. All of the sub-categories are auditable by an agency of the federal government.
The implications of HIPAA's security rule are staggering for those individuals who are responsible for providing for information assurance. The enforcement agency at the time of this writing is the Office of Civil Rights. Both criminal and civil penalties exist for intentional misuse, willful non-compliance and failure to correct noted deficiencies.
Protecting the information of one’s own organization is one thing. Assuring the manner in which employees and business associates handle or come into contact with electronic private health information is an additional manner. Purchasing a compliance template or hiring a third-party organization for the purpose of complying still leaves you responsible. An organization is ultimately unable to assign its compliance obligations and liability.
The bottom line: You are responsible for EPHI compliance if you are a covered entity.