
MIS 4360.501
Mr. Cavusoglu
21/4/2014
Group 8
Health Insurance Portability and Accountability Act
INTRODUCTION
The Health Insurance Portability and Accountability Act is an interesting law that was signed into effect by Bill Clinton on August 21, 1996 under the Dept. of Health and Human Services. At first it contained only one title, centered around the protection of health insurance coverage for workers when they either change or lose jobs. However, as the digital age has arrived, especially in terms of documentation and record-keeping, provisions have been added to cover electronic data. For this reason the law has been updated with Title II: Administrative Simplification provisions, which focus on establishing industry standards for electronic health care transactions and usage. The new provisions address the security and privacy of healthcare information when companies and patients alike have access to such data.
More specifically, the new provisions created four new rules to govern all aspects of electronic transmission and possession of healthcare data. The Privacy Rule establishes standards to protect individuals' medical records and other personal health information, and the Security Rule aims to establish national standards for the protection of individuals' personal health information held by a covered entity. Next, the Breach Notification Rule requires HIPAA covered entities to provide notification following a breach of unsecured information, and the Enforcement Rule contains provisions relating to compliance, investigations, and civil monetary penalties. With the recent change in provisions to HIPAA, it's important to discover how the law has changed and what patients and companies need to know to achieve compliance (HIPAA Security 101 1-3).
After having taken into account the changes to the law, one might wonder why there is such an emphasis on electronic transfer of data. Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technology has evolved and with it new forms of security threats. As the industry has moved away from paper record-keeping, there was a growing need both to implement standards for security and to allow access to that information in a controlled manner. With the law placing an emphasis on establishing safeguards via the Security and Privacy Rules, as well as penalties under the other rules to deter breaches of such information, it is equally important to discover every aspect of how the law affects the healthcare industry. By looking into the effect the law has on patient-to-practice circumstances, companies, enforcement of the law, and the costs associated with it, one can see how HIPAA compliance sets a precedent for future laws in terms of security compliance (HIPAA Security 101 4-6).

PHI PROTECTION & PATIENTS
With the recent changes HIPAA made to the privacy and protection of health care information, there was much to decide about how the patient experience would change. The Security Rule of HIPAA is the portion of the law regarding the protection of physical and digital patient records. These records are referred to as Protected Health Information (PHI). The defined components of this private record are: information entered into medical records by health care providers, conversations with the patient or consulting parties regarding care or treatment, patient information held at their health insurance company, patient billing information, and any other health information held by any covered entity. Patients have the right to review their PHI and to request small changes or corrections of clerical errors. Once the PHI is properly protected, policies are put into place, and the staff is trained, physicians are able to concentrate on patient care while simply recording everything into the secured PHI for the information security professionals to handle (HIPAA: Patient Rights).
This disconnect between medical professionals entering the data and then handing off that PHI helps to emphasize where the majority of HIPAA's Security Rule compliance falls: on information security professionals and any cloud storage service companies. Compliance means using industry best practices to restrict access to PHI to only health care and insurance providers, to ensure availability of the PHI whenever needed, and to preserve it in the event of overwrites, deletions, or destruction of hardware. These security personnel and HIPAA-compliant file systems must be present at each end of every communication channel: at both ends of each pair of covered entities that do business with each other, and also at third-party file storage centers all over the world (HIPAA: Patient Rights).
Online storage services have started to advertise HIPAA compliance as a selling point or differentiator from their competitors. Primarily, this means the data is encrypted while on the hard disks and in memory, and while in transit to the covered entity. The data is then decrypted in the browser or client software at the desired location. Outsourcing all these compliance-minded responsibilities (storage, implementation, maintenance, support) to a service company is one of the cheapest and most efficient ways for small or medium practices to secure their data. Using one of these service companies also helps shift the accountability away from the health provider, so in the event of a non-compliance fine from the Health and Human Services Department (HHS OCR), it won't bankrupt the small practice, since the service company is most likely liable.
The only portions of HIPAA's Security Rule compliance that cannot be outsourced are the adoption of policies and the staff's awareness of the safeguards and possible threats. Staff members who work directly with the unencrypted versions of PHI need to change passwords regularly, and must not leave files or hand-written information unsecured or computers unlocked. The number of accounts with access to the records service, and by extension to the digital PHI, should be strictly limited. These accounts need only the roles required by the position's duties, but must also be capable of being individually audited in the case of a human leak or an inquiry by HHS. Overall, with more care put on the security and privacy of protected information, patients can place more trust in their doctors, and health practices can benefit from easier access to information, safely and securely.

HIPAA ON THE EMPLOYER SIDE
HIPAA created a significant amount of compliance guidelines that businesses had to adapt and
conform to. Security, large-scale record-keeping, and loss-prevention rules were drafted and published
into the official HIPAA guidelines.
For the compliance guidelines, there was a major change to the definition of "business associate": it was expanded to include new entities. The definition now includes vendors that create, maintain, transmit, or receive PHI documents. For example, cloud storage providers are now considered business associates, even if the data is not personally accessed by them. Employers are required to identify all of the contractors they maintain that transmit or have access to any health information provided to or from the plan.
In terms of information security, the additions of HIPAA are layered and robust. Data security is broken up into three categorical safeguard layers: technical, physical, and administrative.
The technical safeguards cover access to the computer infrastructure, as well as both directions (inbound and outbound) of data transmission and processing. Any information system that hosts PHI must have strong security software in place to protect the client information. Encryption is mandatory on systems that can communicate with the open internet. Either a symmetric (shared-key cryptography) or asymmetric (public and private key) encryption method must be used during data transmission. Entities have to be authenticated to verify their identity and protect against forgery. Covered entities have direct responsibility for the data they host, and have to ensure data is not altered or removed by an unauthorized source (How the New HIPAA Regulations Affect Billing Companies).
Physical safeguards are also in place, and have a scope that complements the technical layer mentioned above. The physical safeguards regulate physical access to the data and infrastructure. The responsibility for this layer falls on the owners of the network where the data is hosted. They need to ensure that hardware and software are not removed from the network, and control access to the physical hardware and software through the use of physical security plans, maintenance records, and full visitor control. If an employee who works on this equipment is a private contractor, they need to be fully trained and granted only the access they need (Wafa).
The administrative safeguards are the procedures and guidelines that show how an entity will conform to HIPAA. A written set of privacy guidelines must be developed and assigned to a "privacy officer" who will manage and enforce it. The policies must fully document which employees have access to the data, what their individual roles are, and which types of data they can access (which again is constrained to a "need to know" basis only). This documentation must also chronologically log all events involving new users and changes to existing users, stating when each change was made. In addition to this record keeping, a contingency plan needs to be created for responding to emergencies and unplanned scenarios. This plan needs to contain solutions for protecting the data and for disaster recovery, as well as the priority of each set of data within all of this. The contingency plan should also include instructions on dealing with security breaches. After all of this is in place, a company is expected to audit its framework and ensure it is compliant (Wafa; HIPAA Security 101 4-9).
Record-keeping is a fundamental aspect of HIPAA compliance. Risk analysis and risk
management programs require full documentation. Each entity needs to clearly and carefully look at the
risks they face and implement a system that protects them effectively. The infrastructure documentation
needs to be concise and include a written record of the configuration settings used on each individual
component.
The next aspect that businesses need to adapt to is communicating all of these changes to their workforce. Training needs to take place, along with verification of compliance through testing and discussion with employees. Entities need to make sure there is full documentation of their HIPAA practices and that it is available to all relevant workers, as well as to the government for an external audit. With the need to implement different safeguards to protect the functions and duties of companies in the healthcare industry, one can see how important the focus on security is in the modern age of business and electronic data exchange.

ENFORCEMENT
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E. The "Procedures for Investigations, Imposition of Penalties, and Hearings" Interim Final Rule was finalized on April 17, 2003 (HIPAA Enforcement).
The Office for Civil Rights (OCR), as the primary enforcer of the Enforcement Rule, also works in conjunction with the Department of Justice (DOJ), referring possible criminal violations of HIPAA to it. OCR enforces the Privacy and Security Rules by investigating complaints filed with Health and Human Services (HHS), by conducting compliance reviews to determine if the covered entities specified earlier are in compliance with the Privacy and Security Rules, and by performing education and outreach to foster compliance with the Rules' requirements if said entities are found to be out of compliance (HIPAA Security 101 3-6).
When the OCR investigates complaints, it may only take action on complaints in which the alleged action took place after the dates the Rules took effect. In addition, the complaint must be filed against an entity that is required by law to comply with the Privacy and Security Rules. Each complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy or Security Rule (HIPAA Enforcement).
In the compliance reviews, the OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action, and/or a resolution agreement. These rules also provide that the resolution agreement may be obtained by informal means, where no judicial proceedings are necessary (HIPAA Enforcement).
The education and outreach section of the Enforcement Rule, which is often incorporated into a resolution agreement and outlines the initial training of covered entities on compliance with the Rules, contains all of the basic materials used to develop specific guidelines for each covered entity to follow. Education and outreach begins with the entity assessing its current security, risks, and gaps and developing an effective implementation plan. Recognition is achieved when the entity has read the Security Rule, reviewed the addressable implementation specifications, determined security measures, and sought and obtained effective solutions to implement those security measures (HIPAA Enforcement).
A covered entity must implement security measures and solutions that are reasonable and appropriate for the organization. The company must document the decisions made as a result of this procedure and periodically reassess the procedures for robustness. These measures will not only help the company comply with the law, but will likewise save it much time and money if it prepares beforehand. Without the proper solutions and measures in place to deter a security breach, the law cannot function as it is intended to. As companies become compliant under the law, the extreme costs of a potential breach serve as a guideline and example of the importance of data security within an organization.

COST OF HIPAA
The Health Insurance Portability and Accountability Act is the current standard for protecting all patient-related information. Any company that deals with protected health information (PHI) is mandated by law to ensure all physical, network, and process security measures are in place and followed to comply with this standard. This requirement applies to covered entities: anyone who provides treatment, payment, or operations in healthcare, and anyone who has access to patient information and provides support in treatment. For many organizations, HIPAA compliance is a considerable and organization-wide effort. The process requires a great deal of planning, expertise, and manpower, all of which can be extremely expensive. It is therefore very important for affected organizations to evaluate implementation decisions with a careful eye on their financial capabilities. By thoroughly analyzing the costs of HIPAA compliance, business organizations can analyze key financial decisions and inform future compliance efforts.
Actual costs for HIPAA compliance will vary among covered entities because of various factors such as size, type of business, organizational culture, geographic locations, and number of business associates throughout the organization. Given these cost variances, it is paramount to understand the costs of implementing HIPAA. In addition, costs will depend on how compliant the covered entity can be and the amount of risk it can feasibly accept. Obviously, costs will vary depending on whether the organization chooses to implement completely new information systems and business processes, only the bare minimum requirements, or something in between. Unfortunately, there is no good answer to how much HIPAA will actually cost. However, after some analysis it is safe to say that initial HIPAA compliance will most likely range from a few thousand dollars for small covered entities to a few hundred thousand dollars or more for larger covered entities (How much is this going to cost me?).
HIPAA compliance costs can be grouped into the following categories: administrative, technical security, and physical security. Administrative costs are fairly standard across the board, so for the purposes of this report we will not delve into those costs.
HIPAA technical security costs apply to access control, audit controls, integrity, person or entity authentication, and transmission security. Access controls refer to ways to implement technical policies and procedures for information systems that maintain electronic protected health information, so as to allow access only to those persons or software programs that have been granted access rights. Audit controls refer to implementing hardware, software, or even procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Integrity refers to the implementation of policies and procedures to protect electronic protected health information from improper alteration or destruction. Transmission security refers to the implementation of technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. When adding up the variables that make up a technical security system and all that it encompasses, the costs can range anywhere from $15,000 to $70,000 (How much is this going to cost me?).
HIPAA physical security costs apply to having a private security officer, either as an entirely new hire or as an additional duty added to a current employee's job classification. The cost of a new hire or of assigning an additional duty could range from $80,000 to $140,000. Outsourced HIPAA initiative consultants can range from $50 to $350 an hour depending on computer knowledge, need, and overall skill. The combination of all the costs associated with compliance with the law shows that HIPAA is a vitally important aspect of a health care provider's operations (How much is this going to cost me?).

CONCLUSION
With all of the information covered surrounding the HIPAA law, whether discovering the way companies have to adjust to meet the requirements of the law or how patients' protected information will be safeguarded, the law is both interesting and sets a precedent for future regulations concerning the security and privacy of electronic information. There now exist certain standards for the implementation and management of electronic information, as well as certain procedures to deal with breaches. As the law has ushered in a new era of electronic record-keeping, it has also brought with it a new sense of understanding of and compliance with security concepts very relevant in today's world.

Works Cited

HealthIT.gov. "How much is this going to cost me?" Office of the National Coordinator for Health Information Technology, n.d. Web. 17 Apr. 2014. <http://www.healthit.gov/providers-professionals/faqs/how-much-going-cost-me>.
"HIPAA Enforcement." HIPAA Enforcement. HHS, n.d. Web. 10 Apr. 2014. <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html>.
"HIPAA Security 101." Centers for Medicare & Medicaid Services 2 (11): 1-11. Print.
"HIPAA: Privacy Rights." Integrity Office. Oregon Health & Science University, n.d. Web. 10 Apr. 2014. <http://www.ohsu.edu/xd/about/services/integrity/ips/regulations/upload/Patient-Rights-2.pdf>.
"How the New HIPAA Regulations Affect Billing Companies and Their Subcontractors as Business Associates." Healthcare Billing and Management Association. N.p., n.d. Web. 15 Apr. 2014. <http://www.hbma.org/news/public-news/n_how-the-new-hipaa-regulations-affect-billing-companies-and-their-subcontractors-as-business-associates>.
Wafa, Tim. "How the Lack of Prescriptive Technical Granularity in HIPAA Has Compromised Patient Privacy." Northern Illinois University Law Review, Volume 30, Number 3, Summer 2010. SSRN 1547425.
