What is HIPAA, who needs to comply, and how do they do so? The Health Insurance Portability and Accountability Act (HIPAA) consists of three main rules that healthcare organizations must comply with.
These are the Privacy Rule (which governs the permitted uses and disclosures of protected health information, or PHI), the Security Rule (which requires covered organizations to maintain the confidentiality, integrity, and availability of electronic PHI), and the Breach Notification Rule (which requires breaches of unsecured PHI to be reported to affected individuals and to regulators).
Two types of organizations need to comply with HIPAA: covered entities and business associates. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Business associates are vendors that perform services for covered entities and, in doing so, create, receive, maintain, or transmit PHI (managed service providers, EHR vendors, software providers, and many more).
To comply with HIPAA, or be HIPAA compliant, these organizations must:
- Conduct risk analyses (the Security Rule requires them to be repeated periodically; annual is the common practice)
- Implement remediation plans for the gaps those analyses identify
- Maintain written policies and procedures
- Sign business associate agreements with every vendor that handles PHI
- Conduct annual employee HIPAA training
- Implement incident detection and response procedures
Quotes About HIPAA Compliance
“There are two key points that you must understand if you have to be HIPAA compliant. First, it’s a journey, not a destination. You must continue to conduct risk assessments, train employees, and update policies and procedures to reflect what you are doing to meet the seven fundamental compliance elements. Second, one size fits all doesn’t truly fit anyone. The law requires you to tailor your compliance strategy to your organization’s operation. Two practices with the same number of patients, in the same city, offering the same services may not run their practices in the same manner.” – Marc Haskelson, President and CEO, Compliancy Group.