
HIPAA Security Standards and General Rules

Individuals and Covered Entities are granted custody of PHI (Protected Health Information, that is, health information associated with a specific individual) in order to perform a service or task. As such, they come under the regulatory requirements of HIPAA (the Health Insurance Portability and Accountability Act of 1996) as a covered entity. There are many HIPAA violation cases on record. Whether they violate the security, administrative, or technical safeguards, data breaches tend to occur within certain parameters, as research into the HHS-reported breaches affecting 500 or more individuals shows. If you are looking for the penalties and fines attached to particular types of HIPAA violations, see the chart below:

 

| VIOLATION TYPE | MINIMUM PENALTY | MAXIMUM PENALTY |
|---|---|---|
| Individual didn't know they violated HIPAA | $100/violation; annual max of $25,000 for repeat violations | $50,000/violation; annual max of $1.5 million |
| Reasonable cause and not willful neglect | $1,000/violation; annual max of $100,000 for repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful neglect but corrected within time | $10,000/violation; annual max of $250,000 for repeat violations | $50,000/violation; annual max of $1.5 million |
| Willful neglect and is not corrected | $50,000/violation; annual max of $1.5 million | $50,000/violation; annual max of $1.5 million |

 

The chart below shows how the Axcension™ HIPAA Compliance Solution helps you meet the regulatory requirements for the electronic transfer of PHI.

 

View our complete HIPAA Compliance White Paper >

 

HIPAA REQUIREMENTS / HOW AXCENSION UTILITY ALLOWS DOCUMENTED COMPLIANCE

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Axcension: PHI is transferred from the sender by a secure electronic method, through interim custody to delivery. Transfer of custody to an authenticated recipient is validated at each step. PHI is stored remotely in a secure, uncorrupted form; transmission must take place over an encrypted channel to a verified recipient.

(2) Protect against any reasonably anticipated threats or hazards to the security of such information.

This specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to its likely contribution to protecting the entity's electronic protected health information.

Axcension:

1. Axcension authentication is required to access any secured data on the system.

2. Each data exchange is verified by the system during a document's transfer of custody and recorded in an accessible audit trail. This authentication method is based on a personal password system, including the generation of temporary passwords for assigned, known recipients.

3. A timed log-out from the workstation and communication link, at defined intervals or by manual exit, protects against unauthorized system access.

4. The communication system provides automatic virus filtering and updates, spam filtering, and on-demand spyware removal.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

Axcension: The Axcension work communication system requires user authentication upon each timed entrance to the secure communication system.

(4) Ensure compliance with this subpart by its workforce.

Axcension: Where custody is held, or communication is performed, by anyone other than a sole-practice business associate, a sanction process can be established by the System Administrator for the covered entity. Compliance falls under the purview of the entity's designated System Administrator and is executed at that administrator's direction.

(b) Flexibility of Approach.  
(1)  Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

* If the regulations change, the business associate must modify its activities to comply. Axcension implements the communication changes; the entity is responsible for workstation implementation.

* Work procedures must be able to adapt to the evolution of HIPAA regulation, with or without software upgrades to individual user terminals or computers. Adaptations are implemented throughout the system for all users.

* Changes or modifications to HIPAA regulation are implemented for all client users.

(2) In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity.

Axcension: How scalable is the communication system? Axcension scales to well in excess of 100,000 client users per Domain.

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.

Axcension: Are updates integrated in a timely manner? Axcension does not rely on client hardware or software, and updates are integrated through a process established specifically for this purpose.

(iii) The costs of security measures.

Axcension: Axcension costs are reasonable and customary for the market, without undue hardship to the covered entity or business associate.

(iv) The probability and criticality of potential risks to electronic protected health information.

Axcension: The Axcension system reduces the probability of loss through identified controls on access and on untraceable dissemination. Access is limited; transmissions and receipts are auditable; users are authenticated and identifiable.
§ 164.308 Administrative Safeguards.

A covered entity must, in accordance with § 164.306:

Axcension: Covered entities and their business associates must conform to § 164.306.

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Axcension: Axcension security procedures are designed to detect and record attempts at unauthorized access, to notify network administrators immediately of excessive password violations and attempted transfers of computer viruses, to contain potentially harmful files, and to write these activities to a security log. Individual tools are made available to each user for the detection and removal of viruses, spyware, and other compromising software.

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Axcension: The Axcension communication network allows only authenticated users, provides continuous encryption of internal and external transmission of PHI, and modifies its code algorithms daily to negate intrusion and invasion by outside parties.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

* Axcension requires two levels of authentication to initiate user identification, and multi-challenge verification to change a password.

* The encryption code in use, the processing algorithms, the virus filters, and the secure firewall are updated no less than once per day.

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Axcension: A sanction policy for the communication system must be established by the business associate or covered entity; termination or suspension is established by the entity's System Administrator. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures that are in concert with HIPAA. Violation of those policies and procedures results in immediate suspension of privileges of use.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Axcension: Axcension supports system activity review through an audit trail: a retained history of secure transmissions leaving the system, and an equivalent history of transmissions within the system.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

Axcension: The entity designates its System Administrator, who becomes the assigned responsible party. The System Administrator can review, modify, or suspend user privileges.

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Axcension: Specific access is authorized by the System Administrator. A Non-Access and Sanction policy is established by the covered entity; termination or exclusion is established by the entity's System Administrator. Authorized access requires two levels of authentication to initiate client user identification, and dual identity verification to change a password.
(ii) Implementation Specifications:  
(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Axcension: Authorization is addressed in (2) and (3)(i)(a)(4).

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Axcension: The System Administrator establishes the clearance procedure and authorizes access to the system. Individual client users self-administer.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by paragraph (a)(3)(ii)(B) of this section.

* Where multiple entities and business associates work together, a Non-Access and Sanction policy must be established on behalf of the covered entity; termination or exclusion is established by the entity's System Administrator.

* Authorized access must require two levels of authentication to initiate client user identification, and dual identity verification to change a password.

* The System Administrator must have the authority to deny access to any user. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the business associates' policies and procedures that are in concert with HIPAA.

* Violation of those policies and procedures constitutes suspension of privileges.

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Axcension: The System Administrator must implement policies and procedures that are consistent with subpart E.

(ii) Implementation Specifications:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Axcension: Axcension allows the clearinghouse's data to be blocked from unauthorized access by the larger organization.


About HIPAA Compliance

 

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA; as a result, HIPAA may mean different things to different people. HIPAA requires health providers, business associates, and health plans to adopt standards for electronic administrative and financial transactions. Use of these standards could generate billions of dollars in savings for both the government and the private-sector healthcare industry.

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.

Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs.

Complying with HIPAA is challenging because the regulation affects so many areas, including standards for transactions, rules for data privacy and security, standards for clinical records, and more.

The Department of Health and Human Services is responsible for the HIPAA enforcement rule. Current enforcement is complaint-based and is under revision for a transition to investigation-based enforcement. The proposed rule replaces an interim enforcement rule published two years ago that primarily covered the steps the government would take to impose civil fines for violations of the non-privacy HIPAA rules. Many provisions of the interim rule are included in the proposed rule, but the scope of the proposed rule is much larger.


COPYRIGHT 2013

AXCENSION, INC.

ALL RIGHTS RESERVED.
