Review of The Wonderful World of HIPAA Compliance.

• Acronyms & phrases to note
• What is HIPAA?
• Why do we care?
• How will this help us sell?

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• American Recovery and Reinvestment Act of 2009 (ARRA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act

• Covered Entity
• Protected Health Information (PHI) / Electronic Protected Health Information (ePHI)
• Business Associate (BA)
• Business Associate Agreement (BAA)
• Electronic Health Record (EHR) / Electronic Medical Record (EMR)

• US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
• Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed.
• They represent a uniform, federal floor of privacy protections for consumers across the country. (State laws providing additional protections to consumers are not affected by this rule.)
• HIPAA took effect on April 14, 2003.

• Economic stimulus package enacted by the 111th United States Congress and signed into law by President Obama on February 17, 2009.
• Based largely on proposals made by President Obama and intended to provide a stimulus (nominally worth $787 billion) to the US economy in the wake of the economic downturn.
• ARRA includes federal tax relief, expansion of unemployment benefits and other social welfare provisions, and domestic spending in education, health care, and infrastructure, including the energy sector.
• ARRA also includes numerous items not related to economic recovery that were either part of longer-term plans (e.g. a study of the effectiveness of medical treatments) or desired by Congress.

• Created to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States.
• President Obama signed HITECH into law on February 17, 2009 as part of the ARRA.
• The HITECH Act stipulates that, beginning in 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of electronic health records (EHR).
• The Act also establishes grants for training centers for the personnel required to support a health IT infrastructure.

• Covered entities are defined in the HIPAA rules as:
  ◦ Health Plans
    Ex: government programs like Medicaid, HMOs, health insurance companies
  ◦ Health Care Clearinghouses
    Ex: companies that process health information into a standard format or vice versa
  ◦ Health Care Providers who electronically transmit any health information
    Ex: doctors, clinics, dentists, pharmacies, etc.

• Under the HIPAA Privacy Rule, PHI refers to individually identifiable health information (meaning information that can be linked to a particular person). Specifically, this information can relate to:
  ◦ The individual's past, present, or future physical or mental health or condition
  ◦ The provision of health care to the individual
  ◦ The past, present, or future payment for the provision of health care to the individual
  ◦ Common identifiers of health information such as names, social security numbers, addresses, and birth dates
• The HIPAA Security Rule applies to individually identifiable health information in electronic form, or ePHI. It is intended to protect the confidentiality, integrity, and availability of ePHI when it is stored, maintained, or transmitted.

• Business Associate - a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information.
  ◦ An example of a business associate is an IT consulting firm or KeepItSafe.
• Business Associate Agreement - a contract between a covered entity and their business associate(s) to ensure that the business associate(s) will appropriately safeguard protected health information.
  ◦ The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.

• An electronic health record is a digital collection of patient health information.
• The term EHR is often used to refer to the software platform that manages patient records maintained by a hospital or medical practice.
• EMR stands for electronic medical record and is also used to refer to the software platform that manages patient records maintained by a hospital or medical practice.
• Knowing the difference between the two is not critical, but here is an explanation: blog/electronic-health-and-medical-records/emr-vs-ehr-difference/
• At the end of the day we are looking to back up either type of data.

• You will be reading and hearing many different acronyms and phrases when trying to bring a covered entity lead through the sales process.
• Some industry phrases you will hear more than others, but if you need further explanation on one you can find it here-

• The regulations known as the HIPAA/HITECH Omnibus Final Rule went into effect in late March 2013, with a 180-day safe harbor compliance period that ended on September 23, 2013.
• KeepItSafe is now required by U.S. law to safeguard electronic protected health information for customers that are considered covered entities. A comprehensive HIPAA program will ensure that we adhere to the requirements of HIPAA legislation now and in the future, and will allow KeepItSafe to continue to penetrate this market segment for new business.
• KeepItSafe takes HIPAA very seriously; we use the same guidelines to protect ePHI as a doctor's office would.

**This is not something you will be speaking to potential leads about, but it is important you understand that risk factors are not being pulled out of thin air.**
• Risk w/Existing Controls - states the overall risk given the existing controls (safeguards) that are already implemented.
  ◦ For example, an organization may already have a data backup procedure in place. Data backup is one of the controls that reduce the impact of the threat associated with flooding. Because data backup has already been implemented, the impact of the threat is reduced and so is the overall risk.
• Risk w/New Controls - states the overall risk if the new or recommended controls (safeguards) have been implemented.
  ◦ For example, to reduce the risk associated with a flood, one of the recommended controls is to implement a disaster recovery plan. If an organization has not implemented a disaster recovery plan, its overall risk from the threat will be higher. This section evaluates the risk assuming all of the recommended controls have been implemented.

• KeepItSafe has 18 policies that address parts of the HIPAA Security Rule, each backed by procedures that ensure the policy is actually followed.
• There are more than 40 procedures KeepItSafe uses to ensure we are doing everything we can to protect ePHI.
• If a lead asks specific questions about policies or procedures, you are not expected to know the answers off the top of your head. You can get back to them later after going over the questions with your team or the HIPAA Security Officer.

• HIPAA is an ongoing project that will change year to year.
• KeepItSafe will re-train and review everything HIPAA at least once per year. The HIPAA Security Officer will organize the training and review for the entire company.
• Different team members are responsible for approving HIPAA policies and procedures that relate to their departments, along with training for their departments.

• So far, procedures for HIPAA compliance have only been evaluated around our Asigra solution.
• Because of this, we recommend that if a client is bound by HIPAA regulations, you sell them Asigra.
• As other platforms and the procedures around them are evaluated, you will be updated.

• Never say "KeepItSafe is HIPAA compliant."
  ◦ No company is ever 100% in compliance at all times.
  ◦ You can say KeepItSafe has policies and procedures based around protecting ePHI and trains all employees on HIPAA security.

• Never say "KeepItSafe will make your business HIPAA compliant."
  ◦ Instead you can say KeepItSafe is a low-risk Business Associate since your data is always encrypted.
  ◦ We sign BA agreements with our customers to make sure both parties understand how their data is being securely handled.
• If the lead asks how they can better understand compliance and receive guidance, you can refer them to HIPAA Secure Now.
  ◦ KeepItSafe does not resell HSN services.

• Never say "KeepItSafe employees are HIPAA experts."
  ◦ As a company we have learned a lot about HIPAA, but we leverage a third party to help understand HIPAA legislation and best practices.
  ◦ We only have experience making sure we comply as a backup provider and understanding how that affects our customers' data.

• All HIPAA violations should be reported to the HIPAA Security Officer. There is a security incident form you can use.
• Even though a breach is unlikely, KeepItSafe must process employee reports of breaches with the incident form. Business consequences for violations will be evaluated on a case-by-case basis.

• Policies and Procedures
  ◦ KeepItSafe has 18 policies and more than 40 procedures based around protecting ePHI.
  ◦ If HIPAA legislation changes, we adjust our program accordingly.

• HIPAA Employee Training
  ◦ The entire KeepItSafe team participates in yearly HIPAA training given by a third party and additional internal HIPAA training tailored for our business.
  ◦ Our employees are tested on the same material a doctor or nurse would be tested on in a medical practice.

• KeepItSafe is a low-risk business associate
  ◦ When using our backup software, all ePHI is compressed and encrypted before it is transmitted to the KeepItSafe data centers.
  ◦ 256-bit encryption ensures that our team never sees your data in its raw format once it is transmitted to our data center.
  ◦ FIPS compliance assures a high level of security other providers cannot adhere to.

• KeepItSafe will sign a covered entity's BA Agreement
  ◦ Many backup providers will not sign a Business Associate Agreement even though they realize it is in their best interest and the best interest of their customers.
  ◦ KeepItSafe has invested many resources into HIPAA, so we sign BA Agreements with confidence. This also helps covered entities accomplish compliance standards within their organizations.

• Backing up ePHI wherever it resides
  ◦ The KeepItSafe backup software is the most dynamic product on the market.
  ◦ We can back up data on numerous platforms (Windows, Mac, Linux) and support dozens of database applications.
  ◦ This enables you to centralize your backup efforts.

• As with our other service agreements, the BAA should be uploaded onto DocuSign.
• We do not accept changes to our standard BAA, nor can we accommodate a customer's request to use a BAA other than our standard one, as per corporate policy.
  ◦ Our BAA obligations must be uniform across all customers in order for our HIPAA program to be workable.
  ◦ Our BAA is based on the sample provisions published by the U.S. Department of Health & Human Services, the federal agency tasked with HIPAA's implementation and enforcement.