The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that, among other things, focuses on protecting the privacy and security of personal health information or “PHI”. This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI.
While inextricably linked, the HIPAA security regulation (compliance mandated by April 21, 2005) is distinguished from the HIPAA privacy regulation (compliance mandated by April 14, 2003) in that the security regulation applies to electronic storage and transmission of PHI ("ePHI"), compared with the privacy regulation which applies to all forms of PHI) and prescribes more detailed requirements for securing such data.
Scope and Applicability
While application of this policy to any sensitive data is considered "best practice" and should be considered by all areas of the City when storing or transmitting such information, it is only mandated for those areas the City has designated as HIPAA Covered Entities.
At Layton City, the Fire Department’s Emergency Medical Services and Ambulance billing functions are considered a HIPAA Covered Entity, specifically a health care provider that conducts certain transactions in electronic form. Layton City’s Group Health Plan, which is managed by the Human Resources Division, is also a Covered Entity, specifically a health plan. Any city offices or personnel that support these Covered Entities must also comply this policy.
Certain data is specifically excluded from coverage under HIPAA, most importantly:
(1) workers compensation records;
(2) employment records, except for health benefits records;
(3) information "de-identified" under HIPAA standards; or
(4) litigation wherein the City is alleged to have caused a physical injury or health issue.
The purpose of this policy is to establish and follow appropriate HIPAA Security Standards for Covered Entities within Layton City to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) received, maintained or transmitted.
Designation of HIPAA Information Security Officer
The Information Technology Manager shall function as the HIPAA Information Security Officer for Layton City. This position is responsible for the ongoing management of information security policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of all organizational healthcare information systems as mandated by HIPAA.
Duties of the Information Security Officer Include:
- Implementing, managing, and enforcing information security directives as mandated by HIPAA.
- Ensuring the ongoing integration of information security with the IT strategies and requirements of the City.
- Ensuring that the access control, disaster recovery, business continuity, incident response, and risk management needs of the City’s data systems are properly addressed.
- Providing security awareness and training initiatives to educate appropriate workforce about information risks.
- Performing ongoing information risk assessments and audits to ensure that information systems are adequately protected and meet HIPAA certification requirements
- Working with vendors, outside consultants and other third parties as needed to improve information security at Layton City.
- Leading an incident response team to contain, investigate, and prevent future computer security breaches.
Exceptions to this policy must be documented and submitted for approval to the City’s Information Security Officer who will consult with the City Attorney’s Office. Appeals of decisions shall be referred to the Management Services Director.
The Information Security Officer will conduct a thorough documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at least every two years and shall implement appropriate security measures sufficient to reduce risks and vulnerabilities. Such measures shall be implemented based on the level of risks, capabilities, and operating requirements of each Covered Entity.
Assessments will be made based on the rule titled “Security Standards for the Protection of Electronic Protected Health Information”, found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement the provisions of HIPAA.
The HIPAA Security Series is a series of 7 papers that will provide guidance from the Centers for Medicare and Medicaid Services (CMS) on the appropriate application of the Security Rule. These papers contain checklists, which may be used to guide and document the assessment process.