Last Modified: December 15, 2016
Sanjeevani Electronic Health Record (EHR) is one of the products of HanuInnotech. It stores electronic health information about individual patients. Sanjeevani EHR stores a range of electronic health data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, and personal statistics like age and weight. HanuInnotech is a repeat ELC client.
The goal of this memo is to discuss HIPAA and its requirements. As a reminder, our project focuses only on users within the United States for the electronic health record product and does not touch upon Indian users or the health checkup service that HanuInnotech also provides.
This document does not provide a definitive answer of what is required for HIPAA compliance, nor does it determine whether or not the intended product and service offerings related to Sanjeevani EHR are permitted or allowed under applicable law, including state and federal laws and regulations, or what licenses or permits may be necessary. In addition, we recommend assigning a privacy officer to review each rule in its entirety. You might also consider commissioning the help of a HIPAA expert.
I. WHAT IS THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. HIPAA mandates the following:
II. WHAT IS HEALTH INFORMATION UNDER HIPAA?
"Health information means any information, whether oral or recorded in any form or medium, that–
III. WHAT IS INDIVIDUALLY IDENTIFIABLE INFORMATION?
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
List of 18 Identifiers:
IV. WHAT IS PROTECTED HEALTH INFORMATION?
Protected health information is defined in 45 CFR 160.103, and is referenced in § 13400(D) of the HITECH Act. Protected health information means individually identifiable health information:
Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.
For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or a new drug or device for treating a health condition, create PHI that will be entered into the medical record.
V. SANJEEVANI EHR STORES PROTECTED HEALTH INFORMATION THUS TRIGGERING HIPAA.
Sanjeevani EHR falls under HIPAA because Sanjeevani EHR collects and stores information included in the list of identifiers mentioned above. The service itself collects numbers 1, 2, 3, 6, and 17. The service is also most likely collecting numbers 14 and 15. Because Sanjeevani EHR collects information that falls under this list, it must comply with HIPAA.
Notice, however, that gender is not part of this list. Sanjeevani EHR can potentially use gender to identify an individual without violation. Sanjeevani EHR should nevertheless proceed with caution if it chooses to use gender to identify users.
Sanjeevani EHR must comply with the industrywide standards that HIPAA mandates, and implement protections for collecting, storing, and handling user health information.
Compliance is the result of a strong security program. HIPAA does not enumerate every way in which a business can comply; Sanjeevani EHR is responsible for knowing its business well enough to determine any and all possible privacy exposures and to implement safeguards against those exposures. Sanjeevani EHR's privacy and security safeguards should continue to grow as its business evolves. Determining compliance should be part of Sanjeevani EHR's daily business practices.
VI. WHAT IS NOT CONSIDERED PHI AND THUS IS NOT COVERED UNDER HIPAA?
Health information by itself without the eighteen identifiers is not considered to be PHI. For example, a dataset of vital signs alone does not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual including private information, facial images, fingerprints, and voiceprints.
It is our understanding that Sanjeevani EHR plans to collect user information to conduct research pertaining to health issues. If Sanjeevani EHR gathers information that excludes the eighteen identifiers listed above, then the research produced and distributed need not be HIPAA compliant. However, regardless of whether or not such identifiers are used in its research, Sanjeevani EHR should maintain the privacy and confidentiality of its data.
VII. STANDARD FOR RE-IDENTIFICATION OF USER DATA
Sanjeevani EHR should implement further standards to protect individuals’ privacy from re-identification. Sanjeevani EHR needs to ensure that any code used to replace the identifiers in datasets cannot and will not be derived from any information related to the individual user, nor can the method to derive the codes be disclosed.
For example, a subject's initials cannot be used to code data because the initials are derived from the subject’s name. Additionally, Sanjeevani EHR must not have actual knowledge that the research subject could be re-identified from the remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even with all of the eighteen identifiers removed.
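As an added example (not part of the memo, and not code from HanuInnotech), the coding standard of this section in Python: an initials-based code fails the "not derived from the subject" test, a random code passes, and a uniqueness check over the fields that remain after de-identification flags records that could still be singled out, which is the re-identification risk the memo describes. The field names, identifier subsets and patient records are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample records for illustration (not real patients).
SAMPLE_RECORDS = [
    {"name": "Asha Rao", "mrn": "MRN-0001", "dob": "1981-03-09", "zip": "94110", "sex": "F", "dx": "T2DM"},
    {"name": "Bala Iyer", "mrn": "MRN-0002", "dob": "1979-11-21", "zip": "94110", "sex": "M", "dx": "asthma"},
    {"name": "Chitra Nair", "mrn": "MRN-0003", "dob": "1981-06-30", "zip": "94110", "sex": "F", "dx": "T2DM"},
    {"name": "Dev Menon", "mrn": "MRN-0004", "dob": "1955-01-02", "zip": "10001", "sex": "M", "dx": "COPD"},
]
# Assumed field sets for this example: direct identifiers (names, dates, record numbers)
# and the remaining fields that could still single a person out.
DIRECT_IDENTIFIERS = {"name", "mrn", "dob"}
QUASI_IDENTIFIERS = ("zip", "sex", "birth_year")

def initials_code(record):
    """The kind of code the memo forbids: derived from the subject's name."""
    return "".join(w[0] for w in record["name"].split()).upper()

def random_code():
    """A code with no relation to the subject; the code-to-MRN map is kept separately."""
    return secrets.token_hex(8)

def code_is_derived(code, record):
    """True if the code can be traced to a direct identifier (initials or an embedded fragment)."""
    c = code.upper()
    if c == initials_code(record):
        return True
    for field in DIRECT_IDENTIFIERS:
        value = str(record[field]).upper()
        if value in c:
            return True
        if field == "name" and any(w in c for w in value.split() if len(w) >= 3):
            return True
    return False

def deidentify(records):
    """Strip direct identifiers, generalise DOB to birth year, assign random codes,
    and flag records that stay unique on the quasi-identifiers (re-identification risk)."""
    key_map, rows = {}, []
    for r in records:
        code = random_code()
        key_map[code] = r["mrn"]  # retained by Sanjeevani EHR only, never shipped with the data
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["birth_year"] = int(r["dob"][:4])
        row["subject_code"] = code
        rows.append(row)
    counts = Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in rows)
    risky = [row["subject_code"] for row in rows
             if counts[tuple(row[q] for q in QUASI_IDENTIFIERS)] == 1]
    return rows, key_map, risky
```

Records listed in `risky` should be generalised further (for example coarser ZIP codes) or reviewed before release, since a unique combination of remaining fields is exactly the "actual knowledge" situation the memo warns about.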
VIII. IMPLICATIONS OF A CLOUD-BASED SYSTEM
The cloud makes complying with HIPAA easier; for instance, PHI can be easily accessed in the event of an emergency, and authorized access can be clearly designated. On the other hand, storing PHI in the cloud comes with its own set of problems, including accidental sharing of data with unauthorized users or theft of unencrypted devices.
As for Sanjeevani EHR, a solution for a potential breach of the third-party cloud storage facility is to encrypt the data before it reaches the cloud. This ensures that the PHI remains protected wherever it resides. In the event of a breach, the encrypted PHI would prevent malicious actors from successfully reading the data, provided the encryption keys are kept outside the cloud provider's environment.
The third-party cloud system used by Sanjeevani EHR must also be HIPAA compliant. As of 2013, cloud service providers are considered "business associates" in HIPAA parlance, meaning that any company providing cloud storage for a HIPAA-compliant organization must itself be HIPAA compliant. That is a good start in mitigating your own risk, suggesting that security for your PHI will remain tight even outside the physical confines of your office.
IX. HIPAA COMPLIANCE FOR SANJEEVANI EHR.
HIPAA compliance revolves around protecting the privacy and security of Protected Health Information (PHI) that the Sanjeevani EHR has or will have access to.
There are two distinct and separate regulations under HIPAA:
The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives users rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Sanjeevani EHR is directly liable for uses and disclosures of PHI that are not permitted under HIPAA.
Under the Privacy Rule, Sanjeevani EHR is required to do the following:
Under the Privacy Rule, Sanjeevani EHR is required to implement safeguards for keeping Protected Health Information safe from a people, administrative, and contractual standpoint. All organizations are required to comply with the HIPAA privacy regulations, since privacy involves safeguards from a people standpoint. Thus, Sanjeevani EHR needs to implement privacy protections.
We recommend that Sanjeevani EHR implement the following to its business:
This section pertains to safeguards for keeping protected health information specifically in electronic form from disasters, hackers, and electronic theft. Only those who store or transmit protected health information electronically are required to comply with the HIPAA security regulations which are meant to protect electronic data. Thus, Sanjeevani EHR needs to implement security safeguards.
The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI). The Security Rule is made up of three parts:
All three parts include implementation specifications. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; regardless, your choice must be documented.
It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
The Technical Safeguards focus on the technology that protects PHI and controls access to it. The standards of the Security Rule do not require you to use specific technologies. The Security standards were designed to be "technology neutral."
There are five standards listed under the Technical Safeguards section:
When you break down the five standards there are nine things that you need to implement:
Physical Safeguards are a set of rules and guidelines that focus on the physical access to PHI.
There are four standards in the Physical Safeguards:
When you break down the four standards there are ten things that you need to implement:
The Administrative Safeguards are a collection of policies and procedures that govern the conduct of the workforce, and the security measures put in place to protect ePHI. The administrative components are important when implementing a HIPAA compliance program; you are required to:
There are nine standards under the Administrative Safeguards section:
As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions.
When you break down the nine standards there are eighteen things that you should do:
Sanjeevani EHR needs to provide notification to its users following a breach of unsecured protected health information. Sanjeevani EHR can do this by sending its users a letter to the electronic mailing address each user provides.
X. VIOLATION OF HIPAA
Violating HIPAA can cost up to $50,000 per violation. Moreover, violations can cause irreparable damage to your business. In the healthcare business, trust is often the most important asset. Thus, privacy and security need to be top priorities for Sanjeevani EHR.
As a reminder, this is not a definitive answer of what is required for HIPAA compliance, or that the intended product and service offerings related to Sanjeevani EHR are permitted or allowed under applicable law, including state and federal laws and regulations. You should assign a Privacy Officer to review each rule in its entirety. Furthermore, Sanjeevani EHR should seek the help of a HIPAA expert. Again, this memo is only intended to point you in the right direction.
In sum, under HIPAA, Sanjeevani EHR is required to: