Our Technology - HIPAA Compliance

 

HIPAA Security Standards and General Rules  

Individuals and Covered Entities are granted custody of PHI (Protected Health Information, specifically associated with an individual) to perform a service or task.  As such, they come under the regulatory requirements of HIPAA (Health Insurance Portability and Accountability Act of 1996) as a covered entity.  There are many HIPAA violation cases out there - whether they violate the security, administrative or technical safeguards, data breaches often occur within certain parameters, as can be seen from research of the HHS reported breaches affecting 500 individuals or more. If you’re looking for what the penalties and fines are for certain types of HIPAA violations, see the chart below:

 

VIOLATION TYPE MINIMUM PENALTY MAXIMUM PENALTY
Individual didn't know they violated HIPAA $100/violation; annual max of $25,000/repeat violations $50,000/violation; annual max of $1.5 million
Reasonable cause and not willful neglect $1,000/violation; annual max of $100,000/repeat violations $50,000/violation; annual max of $1.5 million
Willful neglect but corrected within time $10,000/violation; annual max of $250,000/repeat violations $50,000/violation; annual max of $1.5 million
Willful neglect and is not corrected $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million

 

The chart below demonstrates how the Prevalent™ HIPAA Compliance Solution helps you adhere to regulatory requirements for electronic transfer of PHI.

 

HIPAA REQUIREMENTS

HOW Prevalent UTILITY ALLOWS DOCUMENTED COMPLIANCE

(1)Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. Use of a secure electronic method to transfer PHI from sender via interim custody and delivery.  Validate transfer of custody to authenticated recipient at each interval. Provide remote storage of PHI in secure fashion in an uncorrupted form; transmission is required via encrypted channel to a verified recipient.

(2) Protect against any reasonably anticipated threats or hazards to the security of such information.

This specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information;

1. Prevalent Authentication is required to access any secured data on the system. 

2. Each data exchange is verified by the system during a documents transfer of custody and summarily applied to an accessible audit trail.  This dynamic authentication method is established by the creation and use of a personal password system including generation of temporary passwords to assigned known recipients. 

3. A timed "log out" from the work station and communication link is included to protect against unauthorized system access at defined intervals or by manual exit. 

4. The communication system provides automatic virus filtering and updating; Spam filtering; spyware removal on demand.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. The Prevalent work communication system requires user authentication upon each timed entrance to the secure communication system.
(4) Ensure compliance with this subpart by its workforce.

If the custody is held by or communication is done by other than a sole practice business associate:

A sanction process can be established by the System Administrator to the covered entity; compliance is under purview of entity designated "System Administrator". Executed at the direction of the System Administrator.

(b) Flexibility of Approach.  
(1)  Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

* If the regulations change, the business associate must modify activities to comply. Prevalent implements the communication changes – The entity is responsible for 'work station' implementation.

* Work procedures must be adaptable to evolution of HIPAA regulation with or without need for software upgrades to individual user terminals or computers. Adaptations are implemented throughout the system to all users.

* Changes or modification of HIPAA regulation are implemented for all client users. 

(2) In deciding which security measures to use, a covered entity must take into account the following factors:  
(i)  The size, complexity, and capabilities of  the covered entities How scalable is the communication system?  Prevalent is scalable to well in excess of 100,000 client users per Domain.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.  Prevalent does not rely on client hardware or software and are the updates integrated in a timely manner established specifically for this purpose?
(iii) The costs of security measures Prevalent costs are reasonable and customary for the market without undue hardship to the covered entity and business associate
(iv) The probability and criticality of potential risks to electronic protected health information The Prevalent system reduces the risk of loss probability with identified controls of access and untraceable dissemination. Access is limited; transmissions are auditable; receipts are auditable; users are authenticated and identifiable.
164.308 Administrative Safeguards.  
A covered entity must, in accordance with 164.306: Covered entities and their business associates must  conform to 164.306
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. Prevalent security procedures are implemented and designed to detect and record attempts at unauthorized access and immediately notify network administrators of excessive password violations, attempted transfer of computer viruses, containment of potentially harmful files and renders activities to a security log.  Individual tools are made available to each user for the detection and removal of viruses, spyware and other compromising software.
(A) Risk analysis (Required). Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. The Prevalent communication network:  allows only authenticated users; provides continuous encryption of internal and external transmission of PHI; conduct daily modification of intrusion and invasion by outside parties by conducting modification of code algorithms to negate intrusion. 
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)

* Prevalent require two levels of authentication initiate user identification; multi-challenge verification to change password.

* The use encryption code; application of processing algorithms, virus filters, and secure firewall are updated no less than once per day. 

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. A sanction policy must be established by the business associate or covered entity on the communication system – termination or suspension is established by entity "system administrator".  In the case of an individual client or the identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures. that are in concert with HIPAA.  Violation of those policies and procedures constitutes immediate suspension of privileges of use.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Prevalent provides system activity review under an "audit trail" by retained history of "secure" transmissions outside the system as well as equal history transmissions within the system.
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. The entity designates their "System Administrator" who becomes the assigned responsible party.  This system administrator has access to review, modify or suspend user privileges.
(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Specific access is authorized by the System Administrator.  Non Access and Sanction policy is established by the covered entity – termination or exclusion is established by entity "system administrator".  Authorized access requires two levels of authentication initiate client user identification; dual identity verification to change password
(ii) Implementation Specifications:  
(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Authorization is addressed in (2) & (3)(i)(a)(4)
(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. System Administrator establishes clearance procedure and authorizes access to system. Individual client users self administrate.
(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or required by paragraph (a)(3)(ii)(B) of this section.

* Multiple entities and business associates working together must have a Non Access and Sanction policy is established in behalf of the covered entity – termination or exclusion is established by entity "system administrator". 

* Authorized access to must require two levels of authentication initiate client user identification; dual identity verification to change password.

* System Administrator must have authority to deny access to any user.  In the case of an individual client or the identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of the business associates that are in concert with HIPAA. 

* Violation of those policies and procedures constitutes suspension of privileges.

(4)  (i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part The System Administrator must implement policies and procedures are consistent with subpart E.
(ii) Implementation Specifications:  
(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Prevalent allows "blocking" from unauthorized access by the "larger organization".

 

 

 

 

 

 

 

Prevalent, Inc. a subsidiary of Axcension, Inc.

For more information or to see a demo of our product please contact us today.

14090 Southwest Freeway, Suite 300, Sugar Land, Texas 77478    l    (832) 413-5990  contactus (@) prevalenthealth.com

 

 
 
   

 

Home   l   Our History   l   Executive Board   l   Our Clients   l   Investor Relations   l   HIMS-Hospital Information Management System

EHR-Electronic Health Record   l   Medical Billing-Institutional   l   Medical Billing-Professional   l   Server Hosting-Database Redundancy

Claims Analytics   l   Medical Necessity Validation    l    Revenue Integrity Analysis    l    RAC Audit Risk   l   Meaningful Use Analytics

Insurance Verification   l   ABN Verification   l  Revenue Recovery Opportunity   l   ICD-9 Analytics   l   ICD-10 Analytics   l   Data Migration

Enterprise Datacenter   l   Cloud Based Hosting   l   Microsoft Environment   l   HIPAA Compliance   l   GLB Compliance   l   HITECH Compliance

Hospitals   l   Clinics   l   Physicians   l   ASCs-HOPDs   l   Resellers   l   Referral Partners   l   Strategic Vendors/Partners   l   Contact Us

 

 

 

Prevalent Copyright 2008-2014
All Rights Reserved