Predictive Analytics – Optimization – Performance Management

Governance, Risk and Compliance for HIPAA


Electronic health records (EHRs) are revolutionizing not only the collection and standardization of patient medical information but also providing unprecedented access to confidential patient medical information protected by HIPAA. EHRs are a critical component in the nationwide effort not only to improve patient care and outcomes but also to reduce costs. The ultimate effectiveness of EHRs in achieving these goals depends on providing this unprecedented access to confidential patient medical information to any healthcare provider, at any time, anywhere.

Confidential patient medical information has traditionally consisted of ‘siloed’, self-contained medical records made up of handwritten notes, hard-copy printouts of lab tests, EKG results, radiology films and other information. Since this information was ‘siloed’ and self-contained, typically in a folder in a physician’s office or hospital, compliance with HIPAA consisted of simply locking the file cabinet. Access to patient medical records was easily controlled: when access was required, identification was produced and forms were completed and signed. Primary care physicians bore the greatest burden of risk and compliance, as they held the most “complete” patient medical record.

The EHR is facilitating the centralization of a patient’s complete medical record and history into a single electronic record that can be accessed by literally thousands of providers and support staff, including physicians, nurses, therapists, clinical support and billing staff. The compromise of patient medical records is well documented, with recent incidents of ‘celebrity’ medical records being viewed by individuals who had access but no explicit or implied authorization under HIPAA.

HIPAA – Standards for Privacy

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.

The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure.

Minimum Necessary Requirement

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity’s business practices and workforce.

Blue Line Governance, Risk and Compliance Solution for HIPAA

Blue Line leverages IBM’s OpenPages GRC platform for Policy and Compliance Management. IBM OpenPages Policy and Compliance Management (PCM) automates the entire policy management lifecycle, and helps ensure that compliance is achieved, risks are mitigated, and corporate policies and procedures are enforced.

Using a core of shared services and an open architecture, OpenPages PCM automates the ongoing test, review, attestation and remediation process, while helping to identify similarities between regulations to reduce redundancy and duplication of effort.

Key Features:

• Single Data Repository
• Regulatory Library Management
• Multiple Views of State of Compliance
• Business Intelligence and Decision Support
• Microsoft Office and Smartphone Integration
• Fully Configurable

To understand how Blue Line’s Governance, Risk and Compliance Solution for HIPAA can help your organization, call us at (866) 589-3440, email us at or Request A Consultation here. To learn more about our Healthcare industry products, visit our Blue Line Healthcare page here and our Home page here. Download IBM white papers here:

IBM OpenPages PCM

IBM OpenPages PCM: Reducing the Costs

IBM OpenPages PCM: The High Cost of Non-Compliance