A Quick Guide to HIPAA Compliance
HIPAA (the Health Insurance Portability and Accountability Act) is a regulation put in place by the United States Congress in 1996. Its aim is to address changes in technology and the standards issues those changes created. Essentially, HIPAA defines rather specific rules for the protection of patient data, and many companies need to comply with it.
When an organization handles PHI (Protected Health Information) in any manner, compliance with HIPAA becomes mandatory. To see what your business must do to become HIPAA compliant, let’s take a look at the four facets of compliance: the HIPAA Enforcement Rule, the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.
HIPAA Enforcement Rule
This rule establishes exactly how HIPAA is enforced, and the repercussions if a company is non-compliant. The OCR (Office for Civil Rights) handles enforcement by investigating complaints as they are filed.
Once a complaint is accepted for investigation, a notification is sent to both the company in question and the complainant, and both parties are given the opportunity to provide information related to the issue. The OCR then reviews the facts and decides whether HIPAA rules have been broken. All entities covered by HIPAA are required by law to cooperate with the investigation.
HIPAA Privacy Rule
This rule governs the use of PHI and sets the standards that let individuals understand and influence how their PHI is used by any given organization. The Privacy Rule establishes guidelines to ensure the protection of PHI, while leaving enough flexibility for healthcare professionals to use this information while caring for a patient. It essentially exists to give individuals privacy with regard to how their health information is used.
HIPAA Security Rule
The Security Rule establishes the safeguards required to protect electronic PHI (ePHI): information that exists in digital form and is often stored or transferred electronically. To ensure the privacy of the ePHI they hold, companies must address a few crucial things:
- Protecting the confidentiality, integrity, and availability of ePHI
- Identifying and protecting against threats to that information
- Protecting against prohibited uses or disclosures of ePHI
- Making sure that every employed individual complies with HIPAA
The desired result of this rule is a set of technical, administrative, and physical safeguards that together keep ePHI protected. This covers the gamut from encryption to the use of mobile devices and the use of risk assessments.
HIPAA Breach Notification Rule
In the context of HIPAA, a breach is the use or disclosure of PHI in a way that compromises its privacy or security. This rule establishes how breaches must be handled.
If a breach occurs, the entity in question is required to notify the individuals affected, the OCR Secretary of Breaches, and occasionally the media. The notification must be in writing, and can be sent by email if the parties involved agree to that method. It must include a description of the breach, the information that has potentially been compromised, details of the investigation that is underway, contact information for the company at which the breach occurred, and a phone number individuals can call to discuss the information that was involved. All of these steps must occur within 60 days of when the breach was discovered.
With a growing number of companies using the internet and other technologies to deliver healthcare, HIPAA requires a fair amount of attention. HIPAA is complicated and detailed, but with cyberattacks on the rise it is a crucial regulation to adhere to. To protect your business and your clients from breaches, it is extremely helpful to understand HIPAA and how it affects your organization. If you’d like to discuss HIPAA in more detail, or determine how it affects your business specifically, contact us at firstname.lastname@example.org.