What is HIPAA Compliance?

HIPAA Compliance: The U.S. Department of Health and Human Services is responsible for creating and issuing new standards regarding the use or exchange of PHI. The basic premise is that any healthcare provider or business associate must be HIPAA-compliant, which means it must be able to show due diligence in its attempt to comply with the HIPAA Security and/or Privacy Rule. The "and/or" for the Privacy Rule applies to Business Associates, who may only have to comply with the Security Rule and with those parts of the Privacy Rule that relate to the job they are performing for the Covered Entity.

Multiple rule changes and expanded regulations have made it much more complex to become HIPAA-compliant. Recent developments that have added to the difficulty of complying are the American Recovery and Reinvestment Act of 2009 (ARRA) and the 2013 HIPAA Omnibus Rule. The ARRA has gained prominence because it contains the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. These law changes, including the recently approved Omnibus Rule, require Covered Entities to perform audits and track more and more HIPAA compliance information in order to be able to say that they are HIPAA compliant.

The HIPAA Act of 1996 sets strict standards regarding a patient's Protected Health Information (PHI) as part of its Privacy Rule regulations.

HIPAA Compliance for Covered Entities

This part of the rule addresses all issues concerned with saving, accessing and sharing the medical and personal information of an individual. The concept of a Covered Entity is at the core of the Privacy Rule regulations. All Healthcare Providers and Health Plans are Covered Entities.

However, this is a very basic definition, as the obligations of a Covered Entity extend to all Business Associates that are involved in accessing or sharing an individual's medical health information. A Business Associate is any person or organization that is involved in the direct functioning of a Covered Entity or acts on behalf of a Covered Entity. It does not, however, include the employees of a Covered Entity. For example, the clerical staff at a healthcare center is not regarded as a Business Associate. An outsourcing firm that handles medical billing on behalf of the medical facility, on the other hand, is a Business Associate, i.e. it is bound to follow HIPAA compliance guidelines.

Those who must comply therefore include Covered Entities (CEs), meaning anyone who provides treatment, payment or operations in healthcare, and Business Associates (BAs), meaning anyone with access to patient information who provides support for treatment, payment or operations. Subcontractors, i.e. business associates of business associates, must also be HIPAA compliant.

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

The physical and technical safeguards are the road map to successful HIPAA compliance.

  • Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, i.e. companies that must be HIPAA compliant, must have policies about the use of and access to workstations and electronic media. This includes transferring, removing, disposing of and re-using electronic media and electronic protected health information (ePHI).
  • Technical safeguards require access control so that only authorized users can access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
  • Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful for pinpointing the source or cause of any security violation.
  • Technical policies should also cover integrity controls, i.e. measures put in place to confirm that ePHI has not been altered or destroyed. IT disaster recovery and offsite backup are key to ensuring that any electronic media errors or failures can be quickly remedied and that patient health information can be recovered accurately and intact.
  • Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts, protecting ePHI against unauthorized public access. This concerns all methods of transmitting data, whether by email, over the Internet, or even over a private network such as a private cloud.
The Guard HIPAA Compliance Menu