Which of the following is a best practice to comply with the revised security provisions of the HITECH Act quizlet?

When developing security procedures for remote workforce, the HIM director should reference which of the following?

A) privacy and security rule, state statutes and other federal statutes

B) privacy and security rule

C) security rule, state statutes, other federal statutes, compliance regulations

D) privacy and security rule, state statutes and compliance regulations

The Office for Civil Rights in the U.S. Department of Health and Human Services wants to hear from healthcare stakeholders about two components of the 2009 HITECH Act, which was amended this past year.

WHY IT MATTERS
OCR's request for information is meant to help the agency better understand how to support the healthcare industry’s implementation of recognized security practices, officials say.

In addition, they say it will help inform better strategies to ensure that funds collected through OCR enforcement actions are disbursed to individuals harmed by HIPAA violations.

Specifically, OCR wants public feedback on two provisions of the HITECH Act: Recognized Security Practices and Civil Money Penalty and Settlement Sharing.

HITECH's Section 13412 requires that HHS consider specific recognized security practices of covered entities – payers, clearinghouses, most providers – as well as their business associates when determining potential fines or other remedies for resolving potential violations of the HIPAA Security Rule. Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

The aim is to encourage covered entities and business associates to do "everything in their power to safeguard patient data," say OCR officials.

OCR wants to know how covered entities and their associates are implementing these recognized security practices, and how they plan to demonstrate that they're in place. It also wants to learn more about any other implementation issues that should be clarified with future guidance or rulemaking.

Section 13410(c)(3) of the HITECH Act, meanwhile, calls on HHS to set up a methodology by which patients harmed by potential violations of the HIPAA privacy, security and/or breach notification rules could receive a percentage of any settlement money collected with respect to such an offense. It requires OCR to base determinations of those penalty amounts on the nature and extent of the violation – and the harm resulting from it.

But HITECH doesn't define "harm." So the RFI wants feedback on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, and what methodologies for sharing and distributing money might be used.

THE LARGER TREND
The request for information comes as cybersecurity threats proliferate and OCR's enforcements step up.

The agency says any health industry stakeholders seeking more information about the RFI, or who want to send comments to OCR, should visit the Federal Register to learn more.

It encourages patients and their families, HIPAA covered entities and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health IT vendors and government entities to offer feedback.

Comments must be submitted by June 6.

ON THE RECORD
"This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics," said OCR Director Lisa J. Pino in a statement.

"I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance," she added.

Twitter: @MikeMiliardHITN
Healthcare IT News is a HIMSS publication.

On Jan. 5, 2021, the President signed into law H.R. 7898, which provides even more incentive for Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates to develop robust security compliance programs.

The new law amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the U.S. Department of Health and Human Services (HHS), when contemplating penalties for HIPAA-covered entities and business associates, to take certain security practices into account. Specifically, the HHS Secretary is required to consider whether the covered entity or business associate is able to adequately demonstrate that it had "recognized security practices" in place for at least the prior 12 months. If it does, it "may" result in early, favorable termination of audits, or mitigate other fines and penalties.

The law defines "recognized security practices" as "the standards, guidelines, best practices, methodologies, procedures, and processes" developed under:

  • section 2(c)15 of the National Institute of Standards and Technology Act
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015
  • other processes and programs developed under other statutory authorities that address cybersecurity

The law goes on to note that "[s]uch practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)." Nothing in the new provision gives HHS authority to increase fines under section 1176 of the Social Security Act or the length, extent or number of audits under section 13411. Interestingly, the new provisions also state that nothing in this particular law subjects a covered entity or business associate to liability for "electing not to engage in the recognized security practices defined by this section." Conversely, nothing in the law limits the HHS Secretary's authority to enforce HIPAA or a business associate's or covered entity's obligation to comply with the HIPAA Security Rule.

For more information about the HITECH ACT changes or HIPAA Security Rule, contact the author or another member of Holland & Knight's HIPAA and Healthcare Privacy practice.

Which of the following would provide the best support of an organization's efforts toward compliance with the security Rule quizlet?

The HIPAA Security Rule allows flexibility in implementation based on reasonableness and appropriateness.

What are the 3 types of safeguards required by HIPAA's security Rule?

The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical. Please visit the OCR for a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule.

Which of the following are physical safeguards according to HIPAA's security Rule?

The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls.

What should be the first step in the security Rule implementation process?

The first step of any solution is determining what exactly needs to be fixed. Within the provisions of the administrative safeguards, covered entities as well as their business associates are required to perform a security risk analysis specific to their organization.

Which set of HIPAA security safeguards is best described as the building blocks to an organization's HIPAA compliance plan quizlet?

One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule. Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI.

Who must comply with the security Rule?

All HIPAA-covered entities and business associates of covered entities must comply with the Security Rule requirements.
