What exactly is HIPAA, and what does HIPAA compliance mean? Healthcare providers and their business associates are aware of the importance of maintaining HIPAA compliance. However, understanding the complete guidelines is not an easy or simple task.
Why was HIPAA enacted?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in part to maintain the security and privacy of patient health information. The regulations implementing HIPAA were developed by the Department of Health and Human Services, and HIPAA compliance is enforced by the department’s Office for Civil Rights (OCR). Under HIPAA, medical records must be accurate and confidential, and they are required to be made readily available to individuals and medical providers.
What Does HIPAA Compliance Mean?
It is often necessary for medical entities to share information about patients. HIPAA is designed to ease that sharing while protecting the patient's privacy. Standard formats and rules for exchanging patient information let patients switch doctors or change insurers and have their records follow them.
Under HIPAA, protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form. Information is identifiable when it is tied to identifiers such as names, addresses, phone numbers, Social Security numbers, account or financial numbers, or medical record numbers, so both the demographic details and the medical records themselves are PHI when they are linked to a patient.
Increases in electronic health record (EHR) usage, and with it electronic PHI (ePHI), created a need for additional regulation, which led to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH strengthened HIPAA's requirements for electronic records, raised the penalties for violations, and introduced the breach notification requirements.
The following is not intended to be a comprehensive guide to HIPAA, but a brief overview of the main elements of the act. Medical providers must read and be familiar with the full text of HIPAA and its implementing regulations. Understanding HIPAA compliance requirements is a must. It is strongly recommended that providers involve a third party in the development, implementation, training, and maintenance of their HIPAA compliance program.
What are the HIPAA rules?
The rules have changed and been expanded since HIPAA was passed in 1996. Here are the main ones that medical entities need to be aware of today.
- HIPAA Privacy Rule. This rule sets national standards for when PHI may be used and disclosed, and it gives patients rights over their information, including the right to request and receive a copy of their records. The provider's standards must be written into its HIPAA policies and procedures, and employees must be trained in them.
- Business associates are responsible for: (1) preventing disclosures of PHI beyond what their business associate agreement permits; (2) providing the covered entity, and through it the patient, access to the patient's records; (3) notifying the covered entity if a breach occurs; (4) complying with the Security Rule; (5) documenting any disclosures that occur.
- HIPAA Security Rule. The Security Rule governs the handling of ePHI, which includes electronic medical records and the demographic data that identifies patients. Just as with the Privacy Rule, the standards must be documented and employees trained in them. The rule requires three categories of safeguards: (1) Administrative: the policies and procedures that describe how ePHI is protected, including the risk analysis, workforce training, sanctions for violations, and contingency planning; (2) Physical: controls over facilities, workstations, and devices and media, such as who may enter a server room and how hardware that held ePHI is wiped or disposed of; (3) Technical: the technology and procedures that protect ePHI itself, such as access controls, audit logs, encryption of data, automatic logoff of workstations, and procedures for accessing records during an emergency. Some implementation specifications, encryption among them, are "addressable" rather than required: an entity that does not implement one must document why it is not reasonable and appropriate and what equivalent measure it uses instead.
- HIPAA Breach Notification Rule. When a covered entity or business associate discovers a breach of unsecured PHI, it must follow a defined set of steps. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and every breach must be reported to the OCR: breaches affecting 500 or more individuals within 60 days of discovery, with notice to prominent media outlets in the affected state, and smaller breaches in an annual log submitted within 60 days after the end of the calendar year. PHI that was encrypted in line with HHS guidance counts as secured, so a lost encrypted laptop whose key was not also compromised is not a reportable breach, while a lost unencrypted one is.
- HIPAA Omnibus Rule. This 2013 final rule implemented the HITECH changes and made business associates, and their subcontractors, directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule, rather than liable only through their contracts with covered entities.
Who is required to be HIPAA compliant?
- Covered entities. HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction, such as claims or eligibility checks.
- Business associates. Any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate, as is any subcontractor that does so for a business associate. Examples include billing companies, third-party consultants, practice management firms, and cloud hosting providers that store ePHI. A written business associate agreement is required before PHI is shared with them.
What are the consequences of HIPAA violations?
Beyond the breach disclosure requirements themselves, which can be damaging to a clinic's or hospital's reputation, the financial penalties for violations can be severe. Civil penalties are tiered by culpability, from violations the entity did not know about up to willful neglect that is not corrected, with per-violation amounts ranging from $100 to $50,000 and an annual cap of $1.5 million per identical provision (both figures are adjusted for inflation). Knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense, punishable by fines of up to $50,000 and one year in prison, rising to $250,000 and ten years when done for commercial advantage, personal gain, or malicious harm.
So what does HIPAA compliance mean for your clinic? Three immediate steps:
- Work through a HIPAA compliance checklist. A checklist helps an organization understand exactly what HIPAA compliance means for it and which rules, safeguards, and agreements apply.
- Conduct a HIPAA risk analysis. The risk analysis is a required administrative safeguard under the Security Rule, and it is the foundation for every other control: it identifies where ePHI lives, the threats and vulnerabilities to it, and the measures needed to reduce the risk to a reasonable level.
- Consider outside help. There are many facets to the HIPAA regulations, and a covered entity may find its best option is outsourcing its compliance program or engaging outside consultants. Consultants are subject matter experts in compliance, and they bring that expertise to the development, implementation, and training for HIPAA compliance.