For HIPAA Compliance
If you are unsure if you are a covered entity, submit an inquiry to [email protected].
The two overviews below, in downloadable form, can help Privacy and Security Officers understand their responsibilities.
This 7-page overview, issued in May 2015 and titled HIPAA Basics for Providers, includes:
- Examples of Records to Retain
- Breach notification timelines and resources
- An overview of who must comply with HIPAA rules
The 62-page Guide to Privacy and Security of Electronic Information, issued by HHS in April 2015, includes sections on:
- Understanding patients’ health information rights
- Breach notification, HIPAA enforcement, and civil and criminal penalties
- A chart with examples of potential information security risks with different types of EHR hosts
- A list titled “Low-Cost, Highly Effective Safeguards”
- A table on examples of risks and how they might be mitigated
- Links to games and videos for training the workforce
- Tools for achieving Meaningful Use
First, learn the Top 10 Myths about Security Risk Analysis.
Basic Training Tools
Before beginning your assessment, here are two videos for small and medium-size providers on the broad objectives of risk assessment and contingency planning.
One is an 8-minute video on risk assessment and security management. The other runs 6 minutes and defines what a contingency plan is, why you need it, and what to do.
To test your knowledge of security risk and contingency planning, you can also play these animated 6 to 8 minute games.
You will be presented with scenarios and asked to make the right decisions. And if you make a wrong decision, you’ll know it!
The Contingency Planning Challenge
The Privacy & Security Challenge
Advanced Training Tools
For those ready for a comprehensive analysis, the Security Risk Assessment (SRA) tool takes you through each HIPAA requirement.
The SRA Tool guides you through 156 questions. In each case, you will see the actual safeguard language of the HIPAA Security Rule.
As you work through the tutorial, you will be asked questions with promptings on:
- What to consider
- Potential threats and vulnerabilities
- Examples of safeguards
You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. Developed by a collaboration of government offices, it is user friendly, and comes in interactive downloadable versions for both Windows and iPad, as well as downloadable Word documents.
SRA Tool (Windows Version)
SRA Tool (iPad Version)
SRA Tool User Guide
Printable versions of the tool:
Additional Topics
If you would like to review cases of actual breaches, here are recent examples:
- $750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies – August 31, 2015
- HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications – June 10, 2015
- HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records – April 22, 2015
- HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software – December 2, 2014
- $800,000 HIPAA Settlement in Medical Records Dumping Case – June 23, 2014
- Data Breach Results in $4.8 Million HIPAA Settlements – May 7, 2014
- Concentra Settles HIPAA Case for $1,725,220 – April 22, 2014
- QCA Settles HIPAA Case for $250,000 – April 22, 2014
- County Government Settles Potential HIPAA Violations – March 7, 2014
Basic Training Tools
The following reports detail things to consider when developing an action plan.
This 11-page overview for small practices focuses on precautions associated with electronic health records.
Reassessing Your Security Practices in a Health IT Environment
The 4-page Safeguards report emphasizes that the standard is flexible and includes a Q&A to help guide organizations toward appropriate safeguards. Questions addressed include:
- E-mail of protected health information (PHI) with other providers for treatment purposes
- E-mail with patients
HHS published a Security Standards Series in 2007, and it includes handy checklists and sample questions to consider relating to administrative, facility and technical safe practices.
Security Series: Administrative Safeguards
Security Series: Physical Safeguards
Security Series: Technical Safeguards
Advanced Tools
A Toolkit developed by the National Institute of Standards and Technology (NIST) offers public and private organizations, large and small, guidance on HIPAA implementation requirements and can help them plan how to meet those requirements.
This user guide notes that the Toolkit can help organizations understand how to implement security requirements.
The HHS Toolkit addresses 45 implementation specifications identified in the HIPAA Security Rule, covering:
- basic security practices
- security failures
- risk management
- personnel issues
Questions in the Toolkit help organizations:
- define and manage access, backups, recoveries, and physical security
- deal with legal issues after an incident, such as breach notifications
- manage risk through periodic reviews and evaluations, and regular monitoring practices
- address personnel access considerations
This install guide explains how to install the toolkit for each supported operating system.
NIST Toolkit Installation Guide
Special Topics
HHS offers nine SAFER Guides with how-to guidance on specific topics and on safe practices, especially relating to electronic records. The guides, in the form of fillable PDFs, include checklists and places to add notes. They can be saved and transmitted among team members.
You can learn more about breach notification on the website of the Office for Civil Rights under the following headings:
- Breach Notification Regulation History
- Definition of Breach
- Unsecured Protected Health Information and Guidance
- Breach Notification Requirements
- Administrative Requirements and Burden of Proof
- Instructions for Covered Entities to Submit Breach Notifications to the Secretary
The electronic form for breach notification must be accessed via the OCR website. It must be filled out and submitted electronically.
See this report as a general reference on security of ePHI.
Guide to Privacy and Security of Electronic Health Information
Privacy Notices can help achieve meaningful consent, and the HHS offers Privacy Notification templates in English and Spanish.
For Healthcare Providers:
NPP Booklet for Healthcare Providers (English)
NPP Booklet for Healthcare Providers (Spanish)
NPP Layered for Healthcare Providers (English)
NPP Layered for Healthcare Providers (Spanish)
NPP Full-Page for Healthcare Providers (English)
NPP Full-Page for Healthcare Providers (Spanish)
NPP Text-Version for Healthcare (English)
NPP Text-Version for Healthcare (Spanish)
For Health Insurers:
NPP Booklet – Health Plan (English)
NPP Booklet – Health Plan (Spanish)
NPP Full-Page – Health Plan (English)
NPP Full-Page – Health Plan (Spanish)
NPP Layered – Health Plan (English)
NPP Layered – Health Plan (Spanish)
NPP Text-Version – Health Plan (English)
NPP Text-Version – Health Plan (Spanish)
A Health Care Professionals’ Privacy Guide has been updated to cover rules in effect since 2013.
These headings from the Privacy Guide indicate topics covered:
- HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances may share information for treatment purposes.
- HIPAA does not require you to eliminate all incidental disclosures.
- HIPAA is not anti-electronic.
- HIPAA does not cut off all communication between healthcare professionals and the families and friends of patients.
- HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else.
- HIPAA does not prevent child abuse reporting.
The Privacy Guide also discusses strengthened patient protections, and includes links to additional resources, including guidelines on communications with family and friends.
Health Care Professional’s Privacy Guide
This eConsent Toolkit includes samples of tools and educational materials that organizations can customize for patient education and meaningful consent.
The toolkit includes a tip sheet on meaningful consent; HHS says organizations can develop content through what it calls a Story Engine feature. It also contains an eConsent Story Engine download, the technical standards needed to download and house the tool, and a guide for installing and using the tool. To start, you can download the eConsent User Guide.
eConsent Toolkit Tipsheet
eConsent Story Engine
eConsent User Guide
Architectural Analysis and Technical Standards
eConsent Installation Guide
The HHS website offers sample Business Associate Agreement provisions.
Understanding the Incentive Programs
Specification sheets on the requirements:
For Healthcare Providers
For Hospitals
HHS tipsheets on 2015 Requirements for the Incentive Programs:
EHR for Eligible Professionals Tipsheet
EHR Incentive Programs Factsheet
View a 3-minute video introduction to EHR Incentive Programs.
More expansive resources
An 85-page guide titled An Introduction to the Medicare EHR Incentive Program for Eligible Professionals. The table of contents includes:
- Program Basics:
  - What is the EHR Incentive Program?
  - What requirements do you have to meet?
- Program options:
  - How To Participate
- Eligibility
- Registration
- Meaningful Use
  - What do you have to do for meaningful use?
  - How will certified EHR help you?
  - Core Objectives
  - Menu Objectives
- Clinical Quality Measures
- Attestation: How you report to CMS
  - What is attestation?
  - Steps to Follow
  - After you attest
- Resources Library
Introduction to Medicare EHR Incentive Program
A 94-page guide titled An Introduction to the Medicaid EHR Incentive Program for Eligible Professionals. The table of contents includes:
- Program Basics:
  - What is the Medicaid EHR Incentive Program?
  - What requirements do you have to meet?
  - What is meaningful use?
- How To Participate
- Eligibility
- Registration
- Meaningful Use
  - First year participants
  - What do you have to do for meaningful use?
  - Core Objectives
  - Menu Objectives
  - Clinical Quality Measures
  - How will certified EHRs help you?
- Attestation: How You Report to Your State
  - What is attestation?
  - Steps to follow
  - After you attest
- Resources Library
Introduction to Medicaid EHR Incentive Program
A 2015 Beginner Reporter Toolkit explains how to file a report to the federal government:
2015 Beginner Reporter Toolkit
“Meaningful Use” References on Special Topics
A 14-page overview titled Care Coordination Tool for Transition to Long-Term and Post-Acute Care:
CMS Toolkit for the Physician Quality Reporting System:
Physician Quality Reporting Toolkit
An illustrated, interactive Guide to Reducing Unintended Consequences of Electronic Health Records:
Guide to Reducing Unintended Consequences of Electronic Health Records
Payment Adjustments & Hardship Exceptions Tip Sheet for Eligible Professionals
Hardship Exception Tipsheet for Professionals
Payment Adjustment Form
Hardship Exception Tip Sheet for Hospitals: