What is HIPAA Compliance?

What is HIPAA Compliance?
HIPAA stands for the Healthcare Insurance Portability and Accountability Act of 1996. This
specifies laws for the protection and use of Personal (or Protected) Health Information
(PHI) - essentially, your medical record. HIPAA sets the standard for protecting sensitive
patient data. The Administrative Simplification provisions of the Act (HIPAA, Title II)
require the U.S. Department of Health and Human Services (HHS) to adopt certain national
standards. These cover electronic health care transactions, and national identifiers for
providers, health plans, and employers.
Physical, network, and process security measures are involved. The HIPAA Privacy Rule
covers the saving, accessing and sharing of medical and personal information for any
individual. The HIPAA Security Rule outlines national security standards to protect health
data created, received, maintained or transmitted electronically - also known as electronic
protected health information (ePHI).
Meeting these standards? That's compliance.
Is Hi-Tech Involved?
Yes; in more than one sense.
HIPAA tried to simplify the administration of electronic medical record technology, and
other components. In addition, the Act specified a series of privacy tools to protect
healthcare data.
Then, in 2010, the Health Information Technology for Economic and Clinical Health Act
(HITECH) was passed. This Act updated HIPAA rules, and provided federal funds for
deploying electronic medical records (EMR) - also known as electronic health records
(EHR). HITECH set out new rules for the protection and availability of medical records,
which were now in digital form.
Who Needs to Comply?
YOU do, if you're any of these:
#1.
Anyone who provides treatment, payment and operations in healthcare. Such persons or
bodies are described as Covered Entities (CE). This could include:
 a doctor’s office
 dental office
 clinic
 psychologist

 nursing home
 pharmacy
 hospital
 a home healthcare agency
 health plans
 health insurance companies
 health clearing houses (An organization that standardizes health information, e.g. a
billing company that processes data from its initial format into a standardized billing
format)
 HMOs (Group insurance that entitles members to services of participating hospitals,
clinics, and physicians)
 company health plans and
 government programs that pay for health care
#2.
Anyone with access to patient information - whether directly, indirectly, physically or
virtually. Such bodies are known as Business Associates. An organization providing support
in the treatment, payment or operations is considered a business associate (e.g. an IT
company or a billing and claims processing company).
Other examples would include a document destruction company, a telephone service
provider, accountant or lawyer. A business associate performs some type of service on a
covered entity’s behalf. It does not form part of their workforce, and must maintain HIPAA
compliance, in its own right.
Comply, How?
By passing a HIPAA audit.
The audit is an analysis that helps establish an organization’s current state, and what steps
need taking, to get the organization compliant. As part of the audit, a company must
perform an evaluation, and undergo periodic evaluations once a year at minimum. As
technology changes, different components are added to an organization’s infrastructure.
These also need to be evaluated. Covered entities and third-party business associates are
required to undergo these periodic HIPAA audits.
Between a covered entity and its related associates, a Business Associates Agreement
should be in place. This is a standard document that clearly defines their respective roles
and responsibilities. An integral part of the Business Associates Agreement should be the
assurance that businesses will take proper steps to implement the appropriate
administrative, physical and technical safeguards.
And, if You Don't Comply?

There are penalties, for non-compliance. Some pretty stiff ones, actually. The HIPAA and
HITECH Acts are administered by the Department of Health and Human Services (HHS) in
the Office for Civil Rights (OCR). The OCR has the right to enforce, audit, fine and charge
companies and individuals for violations of the Act. They interpret the law, and write the
rules and regulations.
Penalties are incurred if PHI (or ePHI, Electronic Personal Health Information) is released
to the public in unencrypted form of more than 500 records. As a simple example, this
could involve an employee leaving unencrypted backup tapes with PHI in their vehicles,
while parked off-premises. Or disclosing sensitive information on social media networks
that could be personally identifiable.
Fines for violating HIPAA rules range from $100 to $50,000 per violation (or per record) up
to a maximum of $1,500,000 per year.
In extreme cases, they can carry criminal charges, which could result in a prison sentence.
Ouch.
Indeed.
So, it's in your best interest to ensure compliance.
In addition:
 Protect the availability, integrity and confidentiality of Personal Health Information (PHI)
 Have Business Associates Agreements with clients who have PHI
 Report any violations of PHI misuse to the OCR
Compliance is Vital to an Organization’s Survival
Many companies have, in the past, found themselves totally unprepared when it comes to
audit time. This is no longer acceptable as security becomes a bigger focus year-on-year,
with high profile incidences of data thefts and leaks being reported on a regular basis.
IT infrastructure is increasingly being hosted in the data center too and this causes
headaches for auditing and compliance for some organizations. This means that it’s wise to
choose vendors carefully and question the SLA and what it covers, auditing processes and
access and the data center security.

What is HIPAA Compliance?

More Related Content

What's hot

Viewers also liked

Similar to What is HIPAA Compliance?

Recently uploaded

What is HIPAA Compliance?