What Exactly Does It Mean to Be HIPAA Compliant?
HIPAA compliance is a term that is heard far more often than it is understood. Most people know it has something to do with medical records and who is allowed to see them, but not exactly what it requires or whom it applies to.
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996. The Act itself, and the regulations the U.S. Department of Health and Human Services (HHS) has issued under it, set out how a person’s protected health information (PHI) must be handled and safeguarded.
Organizations in the health industry – hospitals, doctors’ offices, nursing homes, testing laboratories, dentists’ offices, etc. – and the service providers that handle PHI on their behalf are subject to HIPAA.
HIPAA impacts a wide range of IT processes, including things like cloud storage and network security.
Companies that don’t properly comply with HIPAA can face stiff civil penalties, capped at $1.5 million per year for violations of the same provision (the caps are adjusted for inflation). Knowing misuse of PHI can also result in criminal charges and jail time.
Civil penalties are tiered by the level of culpability and range from $100 to $50,000 per violation, and each impacted patient record can count as a separate violation.
Wondering what’s involved for your business if you have to comply with HIPAA? We’ll go through a high-level overview below.
The Basics of What HIPAA Compliance Means
The HIPAA rules cover a wide range of areas, all having to do with the privacy, security, and availability of a person’s health information when it is held by medical entities or the providers that work for them.
Who Has to Comply with HIPAA?
HIPAA compliance pertains to the following types of businesses:
- Health plans
- Health care clearinghouses
- Any health care provider that transmits health information electronically in connection with a HIPAA-covered transaction (claims, eligibility checks, referrals, and similar)
- Business associates: outside organizations that create, receive, maintain, or transmit PHI while performing a function or service on behalf of a covered entity
If a medical office has a third-party provider transcribe patient health records, that transcription provider is a “business associate” and is subject to HIPAA. The same is true of an IT provider or cloud host that stores or has access to the office’s PHI.
The Centers for Medicare & Medicaid Services (CMS) publishes a covered entity decision tool you can use to check whether your organization is a HIPAA covered entity.
General HIPAA Rules
Four rules are usually discussed when people talk about HIPAA compliance. These are:
- HIPAA Privacy Rule: This rule applies primarily to covered entities; business associates are bound to it through their business associate agreements and are directly liable for certain of its provisions. It sets out the permitted uses and disclosures of PHI, the “minimum necessary” standard, patients’ right to access and amend their own records, and the notice of privacy practices a covered entity must provide.
- HIPAA Security Rule: This rule applies to covered entities and business associates. It requires administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic patient health records.
- HIPAA Breach Notification Rule: This rule applies to covered entities and business associates. When unsecured PHI is breached, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window and, when the affected individuals are in one state or jurisdiction, to prominent media outlets; smaller breaches are logged and reported to HHS annually. A business associate must notify the covered entity, which then handles the individual notifications.
- HIPAA Omnibus Rule: This 2013 rule extended the Security Rule and parts of the Privacy Rule directly to business associates and their subcontractors, and tightened the standard for deciding whether an incident is a reportable breach. It requires a Business Associate Agreement (BAA) between a covered entity and a business associate, and between a business associate and any subcontractor, before PHI can be shared between them.
When it comes to technology and cybersecurity, the HIPAA Security Rule is the one most businesses worry about. If a data breach happens and the investigation finds it resulted from a failure to meet the Security Rule’s standards, that is when companies generally face significant fines.
HIPAA Security Rule
The HIPAA Security Rule applies only to electronic protected health information (ePHI). PHI on paper or shared orally is still covered by the Privacy Rule, but not by the Security Rule.
The Security Rule sets four general requirements that guide businesses on how to protect ePHI from unauthorized access.
- Ensure the confidentiality, integrity, and availability of all ePHI the organization creates, receives, maintains, or transmits.
- Protect against reasonably anticipated threats or hazards to the security or integrity of that information.
- Protect against reasonably anticipated uses or disclosures of ePHI that the Privacy Rule does not permit.
- Ensure that the workforce actually complies with the organization’s security policies and procedures.
The Security Rule is technology-neutral: it doesn’t tell organizations which tools to use, only what protection has to be in place. Each standard comes with implementation specifications that are either “required” or “addressable.” An addressable specification is not optional; a covered entity must implement it, implement a reasonable alternative, or document why it is not reasonable and appropriate in its environment. Within those limits, covered entities can deploy whichever technical methods they like.
The Security Rule’s safeguards map onto the following IT infrastructure areas:
- Risk Analysis: Before an organization can put the right protections in place, it has to know where its ePHI lives (servers, workstations, mobile devices, backups, cloud services), what threats apply to each location, and which vulnerabilities could be exploited. The risk analysis documents these, rates their likelihood and impact, and feeds a risk management plan that addresses them. It is a required specification and the one HHS most often cites as missing after a breach.
- Administrative Safeguards: These cover the security management process (risk analysis and risk management), assigning a security official, workforce security and access management (granting, reviewing, and revoking access to ePHI), contingency planning (backups and disaster recovery), and periodic evaluation. Employee security awareness training is also part of this category, so everyone knows what is expected of them.
- Physical Safeguards: Facility access controls, rules for workstation use and workstation security (for example, screen locks and positioning screens away from public view), and device and media controls that govern how hardware and media containing ePHI are moved, reused, and disposed of.
- Technical Safeguards: Access control (unique user IDs, emergency access, automatic logoff, and encryption), audit controls that record and examine activity in systems holding ePHI, integrity controls that detect improper alteration or destruction of data, person or entity authentication, and transmission security for ePHI sent over a network. Firewalls, advanced threat protection, and continuous monitoring are common ways to meet these standards, but the rule names the outcome, not the product.
Do You Need Help with HIPAA Compliance?
Our C Solutions team can take the burden of HIPAA compliance off your shoulders by helping you put systems in place to safeguard your data and processes.
Schedule a free compliance consultation today! Call 407-536-8381 or reach us online.