When it comes to understanding HIPAA compliance, there are many places you can go to receive guidance. But when it comes down to it, the regulation itself is the clearest place to start finding out what the actual HIPAA guidelines state, as defined by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
HIPAA Guidelines for Medical Offices and Business Associates
HIPAA guidelines are identified and defined in a series of interlocking regulations known as the HIPAA Rules. The HIPAA Rules include:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
- HIPAA Omnibus Rule
There are several different types of HIPAA guidelines that you should be aware of, including HIPAA privacy guidelines and HIPAA security guidelines.
HIPAA privacy guidelines are defined in the HIPAA Privacy Rule. These HIPAA guidelines include national standards that all covered entities (defined as health care providers, health care clearinghouses, or health insurance plans) must address within their business. The HIPAA privacy guidelines include standards that are meant to safeguard the privacy of patient data, called protected health information (PHI) under HIPAA.
HIPAA privacy guidelines include rules for patient authorization, uses and disclosures of PHI, creating a Notice of Privacy Practices, and the use of PHI in marketing efforts.
HIPAA security guidelines are outlined in the HIPAA Security Rule. The HIPAA security standards are a set of HIPAA guidelines that outline the security safeguards that all covered entities and business associates must have in place to protect the confidentiality, integrity, and availability of PHI.
HIPAA guidelines for implementing the security standards mentioned above must address three key elements of the regulation. These HIPAA security standards include:
- Physical Safeguards: these are the safeguards that your business puts in place to protect the physical security of your offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is stored.
- Technical Safeguards: these are the safeguards that you must put in place to protect the cyber-security of your business. Technical cyber-security safeguards must be implemented in order to protect the ePHI that is maintained by your business. Examples of technical safeguards include firewalls, encryption, and data back-up.
- Administrative Safeguards: these are safeguards that you must put in place to ensure that staff members are properly trained to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.
HIPAA Guidelines Summary
At the end of the day, it’s important to remember the HIPAA guidance issued by HHS OCR must be strictly adhered to within your health care business. By complying with HIPAA regulation, you not only protect the privacy and security of your patients’ PHI, you also protect your business from HIPAA violations and potential fines that can result from non-compliance.