In the world of healthcare, the acronym HIPAA (Health Insurance Portability and Accountability Act) gets a lot of air time, but both its reach and why HIPAA compliance matters go further than many realize.
For business owners, ensuring compliance with all applicable regulations is vitally important, and HIPAA is one of the most important regulations to consider. Even if you are not directly part of the healthcare industry, any business operation with access to PHI (protected health information), meaning health information that is created, received, maintained, or transmitted in the course of care or payment and that can be used to identify a person, needs to be HIPAA compliant.
Essentially, HIPAA is a federal law in the United States that sets standards for protecting sensitive patient health information. Under HIPAA, covered entities must comply with privacy and security regulations for the purpose of maintaining confidentiality, integrity, and availability of PHI.

Covered entities include:
- Healthcare Providers: Any provider that transmits health information electronically in connection with a standard transaction (claims, eligibility checks, referrals, etc.), including hospitals, clinics, nursing homes, pharmacies, and individual practitioners.
- Health Plans: Health insurance companies, HMOs, employer-sponsored health plans that pay for healthcare, and government programs such as Medicare and Medicaid.
- Healthcare Clearinghouses: Entities that translate health information between nonstandard and standard formats, such as billing services and repricing companies.
- Business Associates: If you perform services on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI, you are likely a Business Associate. This includes medical billing and coding companies, IT and cloud providers, law firms, etc. Strictly speaking, Business Associates are a separate category from covered entities, but since the 2013 Omnibus Rule they are directly liable for Security Rule compliance and for the Privacy Rule provisions that apply to them.
It’s important to note that though the Business Associate category broadens the umbrella of HIPAA, not every business that handles health information is regulated by it. For example, gyms, fitness centers, and spas may collect health information, but unless they are a provider conducting standard electronic transactions, a health plan, a clearinghouse, or a Business Associate of one of those, they are not covered under HIPAA.
The HIPAA Rules
HIPAA Privacy Rule
The Privacy Rule is a vital piece of HIPAA because it is the base on which every other HIPAA Rule is built. The Privacy Rule covers PHI in every form (paper, spoken, and electronic), while the Security Rule covers only electronic PHI (ePHI), so even where a particular obligation falls under one rule and not the other, understanding what the Privacy Rule requires, and why, is still incredibly important.
The HIPAA Privacy Rule was established to create national standards to protect individuals’ medical records and other individually identifiable health information. It’s admittedly a pretty big deal. And it’s not just about keeping information from leaking outward. It also gives individuals rights over their PHI, including:
- The right to inspect and obtain a copy of your PHI (generally within 30 days of the request)
- The right to request corrections (amendments) if you find errors
- The right to direct a copy of some or all of the PHI in a designated record set to another provider or other third party
- The right to an accounting of disclosures of your PHI over the previous six years, excluding certain disclosures such as those made for treatment, payment, or healthcare operations, or to you directly

Security Rule Requirements
The Security Rule includes the safeguards discussed in the next section, as well as a very important general rule.
The General Rule stipulates that Covered Entities and Business Associates must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
- Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the Privacy Rule.
- Ensure compliance with the Security Rule by their workforce.
The General Rule covers a lot of ground, but the rest of the Security Rule spells out a comprehensive HIPAA compliance program built on administrative, physical, and technical safeguards. Each safeguard is broken into standards and implementation specifications; some specifications are “required”, others are “addressable”, which means you must implement them or document why an equivalent alternative is reasonable and appropriate for your organization.
Security Safeguards
Administrative safeguards are the policies and processes that ensure PHI is protected. This includes risk analysis and risk management, workforce training, sanction policies, contingency planning, and Business Associate contracts.
The Administrative Safeguards really are the backbone of Security Rule compliance. They require a designated Security Official responsible for making sure that workforce training is being accomplished (and is up to par), conducting a risk analysis, and then ensuring that measures to reduce the identified risks and vulnerabilities to a reasonable and appropriate level have been put into place. This role also oversees IT processes and Business Associate Agreements.
Physical safeguards are exactly what they sound like: physical measures, policies, and procedures that protect the facilities, systems, and equipment where PHI is created and maintained from environmental hazards and unauthorized intrusion.
To give you some concrete examples of what this safeguard applies to, think about the security of your facility (who has access, and how that access is controlled and logged), the rules for how workstations are used and positioned, and the device and media controls that govern how drives, laptops, and backup media are tracked, reused, and disposed of so that PHI cannot be recovered from them.
Technical safeguards focus on the technology that protects electronic PHI and controls who can reach it. The Security Rule breaks them into five standards: access control (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls (recording and examining activity in systems that hold ePHI), integrity (protecting ePHI from improper alteration or destruction), person or entity authentication, and transmission security (guarding ePHI in transit, for example with encryption). Implemented together with the physical and administrative safeguards, they give you a very secure plan to keep PHI protected, and they bring us full circle back to your IT setup and proper employee training.
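To make two of those technical safeguards concrete, here is an added example (not code from the original article or from any HIPAA guidance): a role-based access check for PHI records, and an append-only audit log whose entries are HMAC-chained so that editing, deleting, or reordering an entry is detected. The same log also feeds the Privacy Rule’s accounting-of-disclosures right described above. The role names, actions, record identifiers, and the audit key are assumptions chosen for illustration; transmission security (TLS between systems) is out of scope here.

```python
"""Added example (not from the original article): two of the Security
Rule's technical safeguards, access control and audit controls, in
working code. Role names, actions, and record identifiers are assumed
for illustration; nothing here is HIPAA-prescribed wording."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Access control: a "minimum necessary" matrix of what each role may do.
# Roles and actions are assumptions for the example.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical"},
    "billing": {"read_billing"},
    "receptionist": {"read_demographics"},
}


@dataclass
class AuditLog:
    """Append-only audit trail. Every entry carries an HMAC over its own
    fields plus the previous entry's HMAC, so deleting, reordering, or
    editing an entry breaks the chain and is detected by verify().
    The key should be held by the audit system, not by application users."""
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, user, role, action, record_id, allowed):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record_id": record_id, "allowed": allowed, "prev": prev,
        }
        self.entries.append({**body, "mac": self._mac(body)})

    def verify(self):
        """Return (True, n) if all n entries chain correctly, otherwise
        (False, i) where i is the index of the first bad entry."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(
                self._mac(body), entry["mac"]
            ):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def access_phi(log: AuditLog, user: str, role: str, action: str, record_id: str) -> bool:
    """Authorize one PHI access. Both allowed and denied attempts are
    logged, because denied attempts are exactly what an audit review
    needs to see. Returns True when access is granted."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, action, record_id, allowed)
    if not allowed:
        raise PermissionError(f"{role} may not {action} on {record_id}")
    return True


def accounting_of_disclosures(log: AuditLog, record_id: str) -> list:
    """Successful accesses to one record: the raw material for answering
    a patient's accounting-of-disclosures request."""
    return [e for e in log.entries if e["record_id"] == record_id and e["allowed"]]


if __name__ == "__main__":
    log = AuditLog(key=b"audit-system-secret")  # assumed demo key
    access_phi(log, "dr_ada", "physician", "read_clinical", "MRN-1001")
    try:
        access_phi(log, "front_desk", "receptionist", "read_clinical", "MRN-1001")
    except PermissionError as err:
        print("denied:", err)
    print("chain intact:", log.verify())
    log.entries[0]["user"] = "someone_else"  # simulate tampering
    print("after tampering:", log.verify())
```

Two design points worth noting. First, the denied attempt is logged before the exception is raised, so an auditor reviewing the trail sees the receptionist’s attempt as well as the physician’s legitimate read. Second, the chain only proves tampering once it has happened; in practice the HMAC key and the log itself should live on a system the application’s users cannot write to, otherwise an attacker who can edit the log can also re-sign it.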
It is essential that your employees are properly trained on HIPAA requirements and that you regularly audit your systems against the compliance standards that apply to you.
By taking the necessary steps for compliance, you can protect the privacy and security of PHI and avoid penalties and fines. Understanding HIPAA compliance and your responsibilities therein is also an important part of responsible business ownership.
Join us for our next installment to get a deeper dive into HIPAA compliance, including a compliance checklist and what should be included in your HIPAA Risk Assessment.
Ensuring compliance does not have to be an effort you take on alone. If you need assistance – whether that’s connecting with professionals, sourcing solid advice, or getting ready for the next steps you need to take – we’re here to help. Reach out today.

