You want to ensure HIPAA compliance to protect your patients’ personal medical information. But what exactly does this mean to you, the healthcare provider? We have the answers, so let’s take a step back and establish what HIPAA means for healthcare providers.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States. The act requires health care providers to safeguard patients' protected health information (PHI) and electronic protected health information (ePHI).
Any organization that collects, stores, or processes patient information needs to be aware of HIPAA and how it impacts its operations.
HIPAA does not cover all healthcare data or all data handled by healthcare organizations; it covers only protected health information (PHI).
Any health information that can be linked to a specific individual, that is, individually identifiable patient information, is protected health information.
PHI data could consist of:
PHI, including EHRs, must be protected under HIPAA by covered entities. These covered entities include:
Additionally, HIPAA applies to the business associates of covered entities that have access to PHI protected by the law.
Subcontractors, consultants, and technology providers are examples of business associates.
What can healthcare organizations do to ensure they are HIPAA compliant? In this section, we go over some of the must-dos and must-haves for healthcare organizations handling PHI.
Healthcare organizations must follow the HIPAA Privacy Rule when collecting, storing, and processing PHI. The rule defines what PHI, covered entities, and business associates are.
Additionally, it discusses the situations where covered entities may disclose PHI without obtaining the individual's consent:
Understanding the HIPAA Privacy Rule is critical to how you comply with it:
The HIPAA Security Rule defines the data security and cybersecurity requirements for electronic health records. Covered entities and business associates must maintain three types of security measures:
The HIPAA Security Rule does not require organizations to adopt any specific security or privacy practices. Instead, covered entities must determine which measures are most suitable and appropriate for them to follow (with penalties for noncompliance as a motivator).
Under the HIPAA Breach Notification Rule, organizations must notify affected consumers when they become aware of an unauthorized disclosure of PHI.
Security issues related to healthcare data include physical break-ins, theft of IT equipment, hacking, ransomware, sending PHI to the wrong recipients, and public discussion of PHI.
The HIPAA Breach Notification Rule specifies the following:
The HIPAA Omnibus Rule was introduced to address several areas that had been overlooked by earlier updates to HIPAA.
It amended definitions, defined processes and guidelines, and extended the HIPAA compliance checklist to cover Business Associates and their subcontractors.
Business Associates are defined as any individual or organization that creates, maintains, or transmits Protected Health Information in the course of performing functions on behalf of a Covered Entity. The term Business Associate also includes contractors, consultants, data storage companies, health information organizations, and any subcontractors employed by Business Associates.
The Omnibus Rule's amendments to the HIPAA regulations fall into five key areas:
Following the HIPAA Omnibus Rule, to be HIPAA compliant, Covered Entities must now: