Understanding HIPAA Expectations

At its core, HIPAA is a set of national standards meant to safeguard the privacy and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, health record, Social Security number, or any part of a medical record.

Before we dive into HIPAA expectations that your business should be aware of, first we need to understand the two different classes of entities identified by HIPAA regulation.

• Covered entities (CE) are any health care provider, health care clearinghouse, or health insurance plan that transmits or creates PHI.
• Business associates (BA) are any organizations hired by a CE, whose job necessarily entails handling PHI. Common examples of BAs include cloud or physical storage providers, faxing services, shredding services, IT providers, practice management firms, and many more. However, a construction crew hired to paint your office is not considered a BA–even though there’s a chance they’ll encounter PHI while doing work, they are not hired to handle PHI. Keep this distinction in mind when considering organizations that may fall under the umbrella of HIPAA.

Both covered entities and business associates must be HIPAA compliant as per federal health care regulation.

These Are Your HIPAA Expectations

Now that you have an understanding of some HIPAA basics, here are the HIPAA expectations your business should implement in order to protect against federal fines in the event of an investigation.

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) puts together guidance to help health care professionals better understand their requirements under HIPAA compliance regulation.

One of the most important pieces of guidance that HHS OIG has put out is called The Seven Fundamental Elements of an Effective Compliance Program. This document outlines the steps that health care professionals can take to implement an effective compliance program within their organization. The Seven Elements of HIPAA compliance are:

1. Implementing written policies, procedures, and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.

These are the very basic HIPAA expectations that your business will be held to in the event of a HIPAA audit or investigation. Note that this list does not state anything about the specific HIPAA standards that your business must meet–instead, it outlines actionable methods that you can implement in your business to address what’s expected of you under HIPAA regulation.

Effectiveness translates into creating a compliance program that’s tailored to the individual needs of your business. What’s effective for your business may not be the same as what’s effective for a 500-bed hospital. HIPAA compliance should give your business a way to keep your data safe, without causing undue burden.