Sanjeevani Electronic Health Record (EHR)

PRIVACY POLICY

Last Modified: December 15, 2016

I. BACKGROUND


Sanjeevani Electronic Health Record (EHR) is one of the products of HanuInnotech. It stores electronic health information about individual patients. Sanjeevani EHR stores a range of electronic health data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, and personal statistics like age and weight. HanuInnotech is a repeat ELC client.


The goal of this memo is to discuss HIPAA and its requirements. As a reminder, our project focuses only on users within the United States for the electronic health record product and does not touch upon Indian users or the health checkup service that HanuInnotech also provides.


This document does not provide a definitive answer of what is required for HIPAA compliance, nor does it determine whether or not the intended product and service offerings related to Sanjeevani EHR are permitted or allowed under applicable law, including state and federal laws and regulations, or what licenses or permits may be necessary. In addition, we recommend assigning a privacy officer to review each rule in its entirety. You might also consider commissioning the help of a HIPAA expert.


II. ANALYSIS


I. WHAT IS THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. HIPAA mandates the following:

  • The ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • The reduction of health care fraud and abuse;
  • Industry-wide standards for health care information on electronic billing and other processes; and
  • Requirements regarding the protection and confidential handling of protected health information.


II. WHAT IS HEALTH INFORMATION UNDER HIPAA?


"Health information means any information, whether oral or recorded in any form or medium, that–

  1. is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual."


III. WHAT IS INDIVIDUALLY IDENTIFIABLE INFORMATION?


“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

  1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    1. That identifies the individual; or
    2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”


List of 18 Identifiers:


  1. Names;
  2. All geographical subdivisions smaller than a State, including street addresses, cities, counties, precincts, zip codes, or their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (A) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (B) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).
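The identifier list above is the basis of the "Safe Harbor" method of de-identification: direct identifiers are removed, and zip codes, dates, and ages are generalized under the rules in items 2 and 3. The following Python script is an added example and not code from this memo or from HanuInnotech's Sanjeevani EHR. It assumes a flat record with the field names shown, and its set of restricted three-digit zip prefixes is a constructed placeholder; the real set must be taken from current Bureau of the Census population data.

```python
from datetime import date

# Constructed placeholder: three-digit zip prefixes whose combined population is
# 20,000 people or fewer (item 2, part B). The real set comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Fields holding the direct identifiers in the list (items 1, 4-13, 16 and 17);
# these are removed outright. The field names are assumptions for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "url", "ip",
    "fingerprint", "photo",
}


def generalize_zip(zip_code: str) -> str:
    """Item 2: keep only the first three digits, or 000 for restricted prefixes."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth: date, as_of: date) -> int:
    """Whole years between the birth date and the reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(birth: date, as_of: date) -> str:
    """Item 3: every age over 89 collapses into the single category '90+'."""
    age = age_on(birth, as_of)
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of the record with identifiers removed or generalized."""
    out = {}
    over_89 = age_on(record["birth_date"], as_of) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # direct identifiers: drop
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "birth_date":
            out["age"] = generalize_age(value, as_of)
            # Item 3: the year of a date may stay, except where it reveals an
            # age over 89, so the birth year is dropped for that category.
            if not over_89:
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field] = str(value.year)              # item 3: year only
        else:
            out[field] = value                        # gender, weight, diagnosis, ...
    return out


# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {
        "name": "Jane Doe", "email": "jane@example.org", "mrn": "MRN-0001",
        "ip": "203.0.113.7", "zip": "02139", "birth_date": date(1992, 3, 4),
        "admission_date": date(2016, 11, 2), "gender": "F", "weight_kg": 61,
        "diagnosis": "J45.20",
    },
    {
        "name": "Roe Smith", "mrn": "MRN-0002", "zip": "03601",
        "birth_date": date(1924, 6, 1), "admission_date": date(2016, 12, 1),
        "gender": "M", "weight_kg": 70, "diagnosis": "I10",
    },
]

AS_OF = date(2016, 12, 15)


def deidentify_all(records, as_of=AS_OF):
    return [safe_harbor(r, as_of) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS):
        print(row)
```

Note that gender, weight, and diagnosis survive unchanged, which matches the memo's observation that gender is not on the list; whether such residual fields still permit re-identification in a small population is a separate judgement that Safe Harbor's mechanical rules do not make for you.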


IV. WHAT IS PROTECTED HEALTH INFORMATION?


Protected health information is defined in 45 CFR 160.103, and is referenced in § 13400(D) of the HITECH Act. Protected health information means individually identifiable health information:

  1. Except as provided in paragraph (2) of this definition, that is:
    1. Transmitted by electronic media;
    2. Maintained in electronic media; or
    3. Transmitted or maintained in any other form or medium.

  2. Protected health information excludes individually identifiable health information in:
    1. Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    3. Employment records held by a covered entity in its role as employer.


Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.


For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, create PHI that will be entered into the medical record.


V. SANJEEVANI EHR STORES PROTECTED HEALTH INFORMATION THUS TRIGGERING HIPAA.


Sanjeevani EHR falls under HIPAA because Sanjeevani EHR collects and stores information included in the list of identifiers mentioned above. The service itself collects numbers 1, 2, 3, 6, and 17. The service is also most likely collecting numbers 14 and 15. Because Sanjeevani EHR collects information that falls under this list, it must comply with HIPAA.


Notice, however, that gender is not part of this list. Sanjeevani EHR can potentially use gender to identify an individual without violation. Sanjeevani EHR, however, should proceed with caution if it chooses to use gender to identify users.


Sanjeevani EHR must comply with the industrywide standards that HIPAA mandates, and implement protections for collecting, storing, and handling user health information.


Compliance is a result of a strong security program. HIPAA does not provide every way in which a business can comply; Sanjeevani EHR is responsible for knowing its business well enough to determine any and all possible privacy exposures and implement safeguards to combat those exposures. Sanjeevani EHR’s implemented privacy and security safeguards should continue to grow as its business evolves. Determining compliance should be part of Sanjeevani EHR's daily business practices.


VI. WHAT IS NOT CONSIDERED PHI AND THUS IS NOT COVERED UNDER HIPAA?


Health information by itself without the eighteen identifiers is not considered to be PHI. For example, a dataset of vital signs alone does not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual including private information, facial images, fingerprints, and voiceprints.


It is our understanding that Sanjeevani EHR plans to collect user information to conduct research pertaining to health issues. If Sanjeevani EHR gathers information that excludes the eighteen identifiers listed above, then the research produced and distributed need not be HIPAA compliant. However, regardless of whether or not such identifiers are used in its research, Sanjeevani EHR should maintain the privacy and confidentiality of its data.


VII. STANDARD FOR RE-IDENTIFICATION OF USER DATA


Sanjeevani EHR should implement further standards to protect individuals’ privacy from re-identification. Sanjeevani EHR needs to ensure that any code used to replace the identifiers in datasets cannot and will not be derived from any information related to the individual user, nor can the method to derive the codes be disclosed.


For example, a subject's initials cannot be used to code data because the initials are derived from the subject’s name. Additionally, Sanjeevani EHR must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even with all of the eighteen identifiers removed.
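The coding requirement above has a concrete shape: a research code must carry no information about the subject, and the table that maps codes back to identities must be held apart from the coded dataset. The following Python script is an added example, not code from this memo or from Sanjeevani EHR. It contrasts the initials-based coding the memo rules out with codes drawn from the operating system's random generator, and includes a check that no held-back identifier value reappears in the coded rows. Field names and sample records are constructed.

```python
import secrets

# Field names are assumptions for this example.
IDENTIFIER_FIELDS = ("name", "mrn", "email")


def initials_code(record: dict) -> str:
    """The kind of code the memo rules out: derived from the subject's name, so
    anyone who knows the name can recompute it, and different names collide."""
    return "".join(part[0] for part in record["name"].split()).upper()


def fresh_code(already_used) -> str:
    """A code drawn from the OS CSPRNG, independent of every attribute of the subject."""
    while True:
        code = "S-" + secrets.token_hex(4).upper()
        if code not in already_used:
            return code


def pseudonymize(records):
    """Split each record into a coded research row and a key-map entry.

    The key map (code -> identifiers) is the re-identification key and must be
    stored and access-controlled separately from the coded dataset."""
    coded, key_map = [], {}
    for rec in records:
        code = fresh_code(key_map)
        key_map[code] = {f: rec[f] for f in IDENTIFIER_FIELDS if f in rec}
        row = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        coded.append({"subject_code": code, **row})
    return coded, key_map


def leaks_identifier(coded, key_map) -> bool:
    """True if any identifier value held in the key map appears in the coded dataset."""
    held_back = {str(v).lower() for ident in key_map.values() for v in ident.values()}
    return any(str(v).lower() in held_back for row in coded for v in row.values())


# Constructed sample records; no real patients.
SAMPLE = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "email": "jane@example.org", "diagnosis": "J45.20"},
    {"name": "John Davis", "mrn": "MRN-0002", "diagnosis": "I10"},
]


if __name__ == "__main__":
    print("initials collide:", initials_code(SAMPLE[0]), initials_code(SAMPLE[1]))
    coded, key_map = pseudonymize(SAMPLE)
    print("coded rows:", coded)
    print("key map (store separately):", key_map)
    print("identifier leak:", leaks_identifier(coded, key_map))
```

Because the code is random, knowing everything about a subject gives no way to compute it; the only path back to an identity is the key map, which is why that map needs its own storage, access control, and audit trail.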


VIII. IMPLICATIONS OF A CLOUD-BASED SYSTEM


The cloud makes complying with HIPAA easier; for instance, PHI can be easily accessed in the event of an emergency, and authorized access can be clearly designated. On the other hand, storing PHI in the cloud comes with its own set of problems, including accidental sharing of data with unauthorized users or theft of unencrypted devices.


As for Sanjeevani EHR, a solution for the potential breach of the third-party cloud storage facility is to encrypt the data even before it reaches the cloud. This ensures that the PHI remains protected wherever it resides. In the event of a breach, the encrypted PHI would prevent malicious actors from successfully accessing the data.


The third-party cloud system used by Sanjeevani EHR must also be HIPAA compliant. As of 2013, cloud service providers are considered “business associates” in HIPAA parlance, meaning that any company providing cloud storage for a HIPAA-compliant organization must itself be HIPAA compliant. That is a good start in mitigating your own risk, suggesting that security for your PHI will remain tight even outside the physical confines of your office.


IX. HIPAA COMPLIANCE FOR SANJEEVANI EHR.


HIPAA compliance revolves around protecting the privacy and security of Protected Health Information (PHI) that the Sanjeevani EHR has or will have access to.


There are two distinct and separate regulations under HIPAA:

  1. HIPAA Privacy

    The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives users rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.


    Sanjeevani EHR is directly liable for uses and disclosures of PHI that are not permitted under HIPAA.


    Under the Privacy Rule, Sanjeevani EHR is required to do the following:

    1. Not allow any impermissible uses or disclosures of PHI,
    2. Provide breach notification to users,
    3. Provide individual access to PHI,
    4. Disclose PHI to the Secretary of HHS, if compelled to do so,
    5. Provide an accounting of disclosures, and
    6. Comply with the requirements of the HIPAA Security Rule.


    Under the Privacy Rule, Sanjeevani EHR is required to implement safeguards for keeping Protected Health Information safe from a people, administrative, and contractual standpoint. All organizations are required to comply with the HIPAA privacy regulations, since privacy involves safeguards from a people standpoint. Thus, Sanjeevani EHR needs to implement privacy protections.


    We recommend that Sanjeevani EHR implement the following to its business:

    1. Provide a HIPAA Awareness Training to all employees of the organization that have access to PHI;
    2. Implement formal documents and controls for the organization to protect and safeguard PHI;
    3. Train a compliance officer (someone in the organization who is going to take responsibility for HIPAA at your organization and make it a daily task); and
    4. Enlist the help of a HIPAA expert to audit and oversee whether the business is staying compliant since HIPAA regulations frequently change.


  2. HIPAA Security

    This section pertains to safeguards for keeping protected health information specifically in electronic form from disasters, hackers, and electronic theft. Only those who store or transmit protected health information electronically are required to comply with the HIPAA security regulations which are meant to protect electronic data. Thus, Sanjeevani EHR needs to implement security safeguards.


    The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI). The Security Rule is made up of three parts:


    1. Technical Safeguards
    2. Physical Safeguards
    3. Administrative Safeguards

    All three parts include implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; regardless, your choice must be documented.


    It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.


    1. Technical Safeguards

      The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be “technology neutral.”

      There are five standards listed under the Technical Safeguards section:


      1. Access Control
      2. Audit Controls
      3. Integrity
      4. Authentication
      5. Transmission Security

      When you break down the five standards there are nine things that you need to implement:


      1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
      2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
      3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
      4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
      5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
      6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
      7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
      8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
      9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
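Several of these nine implementation specifications are mechanical enough to show in code. The following Python sketch is an added example, not code from this memo or from HanuInnotech's Sanjeevani EHR. On a small in-memory ePHI store it wires together unique user identification (item 1, the user id recorded per session), automatic logoff after a fixed idle period (item 3), an audit log of every login and read attempt (item 5), and an HMAC tag that corroborates a record has not been altered outside the application (item 6). The ten-minute idle timeout is an assumed policy value, the integrity key is a constructed placeholder, and clock readings are passed in as integer seconds so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import json

IDLE_TIMEOUT_SECONDS = 600   # assumed policy value: ten minutes of inactivity
INTEGRITY_KEY = b"constructed-demo-key-replace-with-a-managed-secret"


class EphiStore:
    """Tiny in-memory ePHI store wired with four of the technical safeguards."""

    def __init__(self):
        self.records = {}    # record_id -> (canonical JSON bytes, HMAC tag)
        self.sessions = {}   # session_id -> {"user_id": ..., "last_activity": ...}
        self.audit_log = []  # one entry per login and per read attempt

    # Item 6: integrity mechanism. Records are tagged on write and checked on read.
    def _tag(self, payload: bytes) -> str:
        return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()

    def put(self, record_id: str, record: dict) -> None:
        payload = json.dumps(record, sort_keys=True).encode()
        self.records[record_id] = (payload, self._tag(payload))

    # Item 5: audit controls. Every access attempt is recorded with its outcome.
    def _audit(self, now, user_id, action, record_id, outcome) -> None:
        self.audit_log.append({"time": now, "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    # Items 1 and 3: a unique user id per session, and automatic logoff.
    def login(self, session_id: str, user_id: str, now: int) -> None:
        self.sessions[session_id] = {"user_id": user_id, "last_activity": now}
        self._audit(now, user_id, "login", None, "ok")

    def read(self, session_id: str, record_id: str, now: int):
        sess = self.sessions.get(session_id)
        if sess is None:
            self._audit(now, None, "read", record_id, "denied: no session")
            return None
        if now - sess["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[session_id]          # automatic logoff
            self._audit(now, sess["user_id"], "read", record_id, "denied: auto-logoff")
            return None
        sess["last_activity"] = now
        payload, tag = self.records[record_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            self._audit(now, sess["user_id"], "read", record_id, "denied: integrity failure")
            return None
        self._audit(now, sess["user_id"], "read", record_id, "ok")
        return json.loads(payload)

    def simulate_unauthorized_write(self, record_id: str, raw: bytes) -> None:
        """Stand-in for a modification that bypassed put(), to show it is detected."""
        _, old_tag = self.records[record_id]
        self.records[record_id] = (raw, old_tag)


def demo():
    """Walk through the safeguards on constructed data; returns the audit log."""
    store = EphiStore()
    store.put("r1", {"mrn": "constructed-0001", "weight_kg": 70})
    store.login("sess-a", "user-17", now=1000)
    store.read("sess-a", "r1", now=1100)          # ok: within the idle window
    store.read("sess-a", "r1", now=1701)          # 601 s idle: auto-logoff
    store.login("sess-b", "user-17", now=2000)
    store.simulate_unauthorized_write("r1", b'{"mrn": "constructed-0001", "weight_kg": 7}')
    store.read("sess-b", "r1", now=2001)          # integrity failure detected
    return store.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit log is the artifact the "Information Systems Activity Reviews" specification in the Administrative Safeguards expects someone to read regularly; denied outcomes such as an integrity failure are the entries that should page the security officer rather than wait for a periodic review. Encryption of ePHI at rest and in transit (items 4 and 9) is left out here because it needs a vetted cryptographic library rather than the standard library alone.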

    2. Physical Safeguards

      Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.


      There are four standards in the Physical Safeguards:


      1. Facility Access Controls
      2. Workstation Use
      3. Workstation Security
      4. Device and Media Controls

      When you break down the four standards there are ten things that you need to implement:


      1. Facility Access Controls (addressable): Establish and implement as needed procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
      2. Facility Access Controls (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
      3. Facility Access Controls (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
      4. Facility Access Controls (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
      5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
      6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
      7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
      8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
      9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
      10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

    3. Administrative Safeguards

      The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce, and the security measures put in place to protect ePHI. The administrative components are important when implementing a HIPAA compliance program; you are required to:


      • Assign a privacy officer,
      • Complete a risk assessment annually,
      • Implement employee training,
      • Review policies and procedures, and
      • Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI).

      There are nine standards under the Administrative Safeguards section:


      1. Security Management Process
      2. Assigned Security Responsibility
      3. Workforce Security
      4. Information Access Management
      5. Security Awareness and Training
      6. Security Incident Procedures
      7. Contingency Plan
      8. Evaluation
      9. Business Associate Contracts and Other Arrangements.

      As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions.


      When you break down the nine standards there are eighteen things that you should do:


      1. Security Management Process - Risk Analysis (required): Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
      2. Security Management Process - Risk Management (required): Implement sufficient measures to reduce these risks to an appropriate level.
      3. Security Management Process - Sanction Policy (required): Implement sanction policies for employees who fail to comply.
      4. Security Management Process - Information Systems Activity Reviews (required): Regularly review system activity, logs, audit trails, and related information.
      5. Assigned Security Responsibility - Officers (required): Designate HIPAA Security and Privacy Officers.
      6. Workforce Security - Employee Oversight (addressable): Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
      7. Information Access Management - Multiple Organizations (required): Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
      8. Information Access Management - ePHI Access (addressable): Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
      9. Security Awareness and Training - Security Reminders (addressable): Periodically send updates and reminders about security and privacy policies to employees.
      10. Security Awareness and Training - Protection Against Malware (addressable): Have procedures for guarding against, detecting, and reporting malicious software.
      11. Security Awareness and Training - Login Monitoring (addressable): Institute monitoring of logins to systems and reporting of discrepancies.
      12. Security Awareness and Training - Password Management (addressable): Ensure that there are procedures for creating, changing, and protecting passwords.
      13. Security Incident Procedures - Response and Reporting (required): Identify, document, and respond to security incidents.
      14. Contingency Plan - Contingency Plans (required): Ensure that there are accessible backups of ePHI and that there are procedures to restore any lost data.
      15. Contingency Plan - Contingency Plans Updates and Analysis (addressable): Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
      16. Contingency Plan - Emergency Mode (required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
      17. Evaluations (required): Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
      18. Business Associate Agreements (required): Have special contracts with business partners who will have access to your PHI in order to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access. Sanjeevani EHR should ensure that the third party company you are using to store information is also HIPAA compliant.

  3. Breach Notification Rule

    Sanjeevani EHR needs to provide notification to its users following a breach of unsecured protected health information. Sanjeevani EHR can do this by sending its users a letter to the electronic mailing address each user provides.



X. VIOLATION OF HIPAA


Violating HIPAA can cost up to $50,000 per violation. Moreover, violations can cause irreparable damage to your business. In the healthcare business, trust is often the most important asset. Thus, privacy and security need to be top priorities for Sanjeevani EHR.


XI. SUMMARY


As a reminder, this is not a definitive answer of what is required for HIPAA compliance, or that the intended product and service offerings related to Sanjeevani EHR are permitted or allowed under applicable law, including state and federal laws and regulations. You should assign a Privacy Officer to review each rule in its entirety. Furthermore, Sanjeevani EHR should seek the help of a HIPAA expert. Again, this memo is only intended to point you in the right direction.


In sum, under HIPAA, Sanjeevani EHR is required to:


  • Put safeguards in place to protect patient health information.
  • Reasonably limit uses and sharing to the minimum necessary to accomplish your intended purpose.
  • Have agreements in place with any service providers that perform covered functions or activities for you. These agreements (BAAs) are to ensure that these service providers (Business Associates) only use and disclose patient health information properly and safeguard it appropriately.
  • Have procedures in place to limit who can access patient health information, and implement a training program for you and your employees about how to protect your patient health information.