
Pabrai on HIPAA/HITECH Compliance

Jun 4 2010   1:15PM GMT

Updating HIPAA & HITECH Policies with PII

Posted by: Pabrai

The Policies and Procedures (§ 164.316(a)) requirement in the HIPAA regulation states that organizations will implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the regulation. An organization may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with regulation mandates.

The HITECH Act includes requirements for policies and procedures for complying with its data breach notification provision. In addition, your organization – be it a covered entity or a business associate – may also be required to comply with State mandates covering the personal data or personal information of residents of any State whose information you manage or process.

Beyond PHI

As you review and update policies to comply with HIPAA, HITECH and State mandates, I would encourage you not to limit the scope of your policies to EPHI or PHI. Go beyond them and ensure that your policies address all Personally Identifiable Information (PII) that your organization comes into contact with or manages.

Reasonable and Appropriate

The NIST SP 800-66 Revision 1 document is an excellent place to start in order to better understand the requirements for complying with the HIPAA policies and procedures standard. Questions you need to address include:

  • Are reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule in place?
  • Are policies and procedures reasonable and appropriate given:
    • The size, complexity, and capabilities of the covered entity;
    • The covered entity’s technical infrastructure, hardware, and software security capabilities;
    • The costs for security measures; and
    • The probability and criticality of potential risks to EPHI?
  • Do procedures exist for periodically reevaluating the policies and procedures, updating them as necessary?

NIST SP 800-122 – A Critical Reference for Policies

As you look to revise and update your policies, you should also reference NIST Special Publication 800-122, which is focused on protecting Personally Identifiable Information (PII). Given the multitude of information privacy and security regulations that covered entities and business associates have to comply with, it is best to set the tone in organizational policies by not limiting them to EPHI or PHI, but by covering all PII.

So when was the last time you updated your policies? Did you update them to address PII?
