Managing HIPAA Expectations
When it comes to HIPAA compliance, federal regulators have a series of requirements that they will use to assess your business in the event of a HIPAA investigation. You can best understand these HIPAA expectations with this guide that we’ve put together specifically for health care professionals just like you.
Even though federal HIPAA regulation can seem confusing, there are several key points you can remember to help simplify your compliance.
Understanding HIPAA Expectations
At its core, HIPAA is a set of national standards meant to safeguard the privacy and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including name, address, health record, Social Security number, or any part of a medical record.
Before we dive into HIPAA expectations that your business should be aware of, first we need to understand the two different classes of entities identified by HIPAA regulation.
- Covered entities (CE) are any health care provider, health care clearinghouse, or health insurance plan that transmits or creates PHI.
- Business associates (BA) are any organizations hired by a CE, whose job necessarily entails handling PHI. Common examples of BAs include cloud or physical storage providers, faxing services, shredding services, IT providers, practice management firms, and many more. However, a construction crew hired to paint your office is not considered a BA; even though there’s a chance they’ll encounter PHI while doing work, they are not hired to handle PHI. Keep this distinction in mind when considering organizations that may fall under the umbrella of HIPAA.
Both covered entities and business associates must be HIPAA compliant as per federal health care regulation.
These Are Your HIPAA Expectations
Now that you have an understanding of some HIPAA basics, here are the HIPAA expectations your business should implement in order to protect against federal fines in the event of an investigation.
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) puts together guidance to help health care professionals better understand their requirements under HIPAA compliance regulation.
One of the most important pieces of guidance that HHS OIG has put out is called The Seven Fundamental Elements of an Effective Compliance Program. This document outlines the steps that health care professionals can take to implement an effective compliance program within their organization. The Seven Elements of HIPAA compliance are:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
These are the very basic HIPAA expectations that your business will be held to in the event of a HIPAA audit or investigation. Note that this list does not state anything about the specific HIPAA standards that your business must meet; instead, it outlines actionable methods that you can implement in your business to address what’s expected of you under HIPAA regulation.
Effectiveness translates into creating a compliance program that’s tailored to the individual needs of your business. What’s effective for your business may not be the same as what’s effective for a 500-bed hospital. HIPAA compliance should give your business a way to keep your data safe, without causing undue burden.