HIPAA Compliance

What is HIPAA Compliance?

HIPAA stands for the Healthcare Insurance Portability and Accountability Act of 1996. This specifies laws for the protection and use of Personal (or Protected) Health Information (PHI) – essentially, your medical record. HIPAA sets the standard for protecting sensitive patient data. The Administrative Simplification provisions of the Act (HIPAA, Title II) require the U.S. Department of Health and Human Services (HHS) to adopt certain national standards. These cover electronic health care transactions, and national identifiers for providers, health plans, and employers.

Physical, network, and process security measures are all involved. The HIPAA Privacy Rule covers the storage, access and sharing of medical and personal information for any individual. The HIPAA Security Rule sets out national security standards to protect health data that is created, received, maintained or transmitted electronically – also known as electronic protected health information (ePHI).

Meeting these standards? That’s compliance.

Is Hi-Tech Involved?

Yes; in more than one sense.

HIPAA tried to simplify the administration of electronic medical record technology, and other components. In addition, the Act specified a series of privacy tools to protect healthcare data.

Then, in 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed. This Act updated HIPAA rules, and provided federal funds for deploying electronic medical records (EMR) – also known as electronic health records (EHR). HITECH set out new rules for the protection and availability of medical records, which were now in digital form.

Who Needs to Comply?

YOU do, if you’re any of these:

#1. Anyone who provides treatment, payment and operations in healthcare. Such persons or bodies are described as Covered Entities (CE). This could include:

  • a doctor’s office
  • dental office
  • clinic
  • psychologist
  • nursing home
  • pharmacy
  • hospital
  • a home healthcare agency
  • health plans
  • health insurance companies
  • health clearinghouses (an organization that standardizes health information, e.g. a billing company that processes data from its initial format into a standardized billing format)
  • HMOs (group insurance that entitles members to the services of participating hospitals, clinics, and physicians)
  • company health plans and government programs that pay for health care

#2. Anyone with access to patient information – whether directly, indirectly, physically or virtually. Such bodies are known as Business Associates. An organization providing support in the treatment, payment or operations is considered a business associate (e.g. an IT company or a billing and claims processing company).

Other examples would include a document destruction company, a telephone service provider, accountant or lawyer. A business associate performs some type of service on a covered entity’s behalf. It does not form part of their workforce, and must maintain HIPAA compliance, in its own right.

Comply, How?

By passing a HIPAA audit.

The audit is an analysis that establishes an organization’s current state and the steps it needs to take to become compliant. As part of the audit, a company must perform an evaluation, and then undergo periodic evaluations at least once a year. As technology changes, new components are added to an organization’s infrastructure, and these also need to be evaluated. Covered entities and third-party business associates are both required to undergo these periodic HIPAA audits.

Between a covered entity and its related associates, a Business Associates Agreement should be in place. This is a standard document that clearly defines their respective roles and responsibilities. An integral part of the Business Associates Agreement should be the assurance that each business will take proper steps to implement the appropriate administrative, physical and technical safeguards.

And, if You Don’t Comply?

There are penalties for non-compliance. Some pretty stiff ones, actually. The HIPAA and HITECH Acts are administered by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). The OCR has the right to enforce, audit, fine and charge companies and individuals for violations of the Act. It interprets the law, and writes the rules and regulations.

Penalties are incurred if PHI (or ePHI, Electronic Personal Health Information) covering more than 500 records is released to the public in unencrypted form. As a simple example, this could involve an employee leaving unencrypted backup tapes containing PHI in their vehicle while parked off-premises. Or disclosing sensitive, personally identifiable information on social media networks.

Fines for violating HIPAA rules range from $100 to $50,000 per violation (or per record) up to a maximum of $1,500,000 per year.

In extreme cases, violations can carry criminal charges, which could result in a prison sentence.

Ouch.

Indeed.

So, it’s in your best interest to ensure compliance.

In addition:

  • Protect the availability, integrity and confidentiality of Personal Health Information (PHI)
  • Have Business Associates Agreements with clients who have PHI
  • Report any violations of PHI misuse to the OCR

Compliance is Vital to an Organization’s Survival

Many companies have, in the past, found themselves totally unprepared when audit time comes around. This is no longer acceptable as security becomes a bigger focus year on year, with high-profile incidents of data theft and leaks being reported on a regular basis.

IT infrastructure is increasingly being hosted in third-party data centers too, and for some organizations this causes headaches for auditing and compliance. It is therefore wise to choose vendors carefully, and to question the SLA and what it covers, the vendor’s auditing processes, who has access, and the physical security of the data center.

Power Admin’s PA File Sight can help with HIPAA compliance. For more details, visit our press release at http://www.prweb.com/releases/hipaa-compliance/pa-filesight/prweb10883246.htm


William Thompson is the Marketing Manager at Power Admin, a server monitoring software business in the Kansas City area. You can find him on Google+ and Twitter. William has been a professional in website design, digital marketing and 3D/graphic design for over 20 years.
