BE HIPAA AND HITECH COMPLIANT

WHAT IS HIPAA?

Health Insurance Portability and Accountability Act of 1996 regulates the use and disclosure of Protected Health Information (PHI), particularly applicable is the electronic PHI in modern healthcare systems. In addition to the regulation, the law establishes security and privacy standards for PHI, ePHI, and Electronic Data Interchange (EDI) of health information.

HOW ARE HITECH AND HIPAA RELATED?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened the civil and criminal enforcement of HIPAA rules. For instance, non-compliant organizations can be fined from upwards of $250,000 to $1.5 million and about 10 years of imprisonment under the 42 U.S. Code & 1320d–6. With all the penalties and external costs, also comes the loss of reputation and customer trust.

WHAT CAN YOU DO?

Don’t waste any time, protect yourself.

PROTECT… HOW?

Clarabyte can help you stay protected, comply with the appropriate standards in accordance with HIPAA, and reduce the ever-expanding liability. One of the major issues with IT implementation is the disposal of decommissioned IT assets, which also must comply with HIPAA and HITECH. There are specific equipment disposal and data erasure requirements that you must follow under the 45 CFR 164.310 – Physical safeguards. The keys requirements are shown below:

Physical safeguards – 45 CFR 164.310

(d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronically protected health information into and out of a facility and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronically protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for the removal of electronically protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronically protected health information, when needed, before the movement of equipment.

HOW WE HELP WITH EACH SPECIFICATION?

(d) (1) Standard: Device and media controls. We will work with you to create the appropriate policies and procedures for receipt and removal of media containing PHI.

(2) (i) Disposal. We will primarily assess your devices and drives to determine the secure data management steps with ClaraWipe. Then, we will layout the disposal plan for your IT assets.

(ii) Media reuse. We provide in-house secure data destruction so you are first and foremost compliant with data erasure requirements. Then we can help you create a re-commerce plan for your IT assets. Check out Clarabyte Complete for more information.

(iii) Accountability. Our automated audit trail at all steps of the process provides documentation of all the processes and reduces your liability with accountability in check.

(iv) Data backup and storage. We can help direct you to the proper backup of all ePHI.