The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in the United States in 1996. The law defines how personal information maintained by the healthcare industry must be protected from fraud and theft. It prohibits healthcare providers and businesses from disclosing protected information to anyone other than the patient or, with the patient’s consent, the patient’s authorized representatives.
As hospitals, insurance companies and healthcare providers began using electronic records and technology to store personal medical information, HIPAA legislation was deemed necessary to protect patient medical information. While the HIPAA privacy rules restrict the healthcare industry from disclosing health information without an individual’s consent, there are no restrictions on an employer or business requesting these records from individuals directly.
What are the HIPAA rules?
- The HIPAA Security Rule sets national standards for the protection of electronic protected health information, including how the data must be handled, maintained, and transmitted. This rule requires healthcare organizations to have administrative, physical and technical safeguards in place to secure private data.
- The HIPAA Omnibus Rule, enacted in 2013, defines the role of business associates not previously subject to HIPAA rules and outlines the criteria for Business Associate Agreements.
- The HIPAA Breach Notification Rule requires covered entities to notify the Office for Civil Rights in the event of a data breach affecting protected health information. This rule distinguishes between minor breaches affecting fewer than 500 people and major breaches affecting more than 500 individuals.
- The HIPAA Enforcement Rule gives the Office for Civil Rights the power to investigate HIPAA complaints, conduct compliance reviews, perform education and outreach, and levy fines of up to $1.5 million for HIPAA violations.
HIPAA Compliance Checklist
If healthcare entities fail to secure a patient’s Protected Health Information (PHI) against data breaches, steep penalties and fines will be assessed. For medical providers to be compliant, these are the points to consider:
- Determine who must comply with the HIPAA privacy rules. These rules apply to doctors, nurses, lawyers and insurance providers who have access to the PHI of individuals.
- Determine what data is subject to HIPAA guidelines. This data includes individually identifiable health information such as name, date of birth, date of death, contact information, Social Security number, medical records, photographs and biometric data.
- Determine what you can do with the data subject to HIPAA guidelines. A health care provider or plan may send copies of medical records to another provider or health plan only as needed for treatment or payment, or with the permission of the individual. HIPAA also gives individuals the right to access their medical records and to keep that information private. While an employer may ask an employee for a doctor’s note or other information if it is needed for sick leave, workers’ compensation, wellness programs or health insurance, an employer may not obtain that information directly from a healthcare provider without the individual’s consent.
Most HIPAA violations are committed internally and usually stem from laxity or negligence in complying with HIPAA’s privacy rules. Such violations include posting protected health information on the internet, discussing this information in public, and failing to prevent office break-ins, cyberattacks, and data breaches.
Steps to Meet HIPAA Requirements
The Department of Health and Human Services (HHS) issued a series of HIPAA rules to protect patient privacy and data. To be HIPAA compliant, a covered entity must meet the following requirements:
- Create privacy and security policies for the organization.
- Appoint a HIPAA privacy officer and security officer.
- Implement security safeguards.
- Conduct regular risk assessments and audits.
- Maintain agreements with associated businesses.
- Establish breach notification protocols.
- Document all HIPAA compliance efforts including privacy and security policies, risk assessments and audits, remediation plans, and staff training sessions.
Who in my Company is Responsible for Ensuring HIPAA Compliance?
HIPAA makes it mandatory for a covered entity to appoint an employee as HIPAA Compliance Officer. This may be an existing employee, or the company can create a new position to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis.
The duties of a HIPAA compliance officer vary with the size of the covered entity and the volume of protected health information it handles. A HIPAA Compliance Officer must be familiar with the HIPAA Privacy and Security Rules and with the solutions available that will allow him or her to develop a HIPAA compliance program.
Once a HIPAA compliance program has been developed, the Compliance Officer should document progress towards its implementation by creating a system that lets the officer monitor the organization’s HIPAA compliance status. The system should allow the HIPAA Compliance Officer to prioritize compliance efforts and communicate those priorities. The officer is also responsible for developing and delivering training programs that educate employees on HIPAA compliance, and for monitoring changes in regulatory requirements.
Once the HIPAA Program Is Set, How Do I Ensure My Employees Are Aligned with It?
Once a HIPAA compliance officer is assigned, he or she should set the standards and goals that employees must follow to be HIPAA compliant.
Right-Hand’s Compliance Readiness solution relies on a Machine Learning engine that automates and customizes your security information management team’s ability to develop, store and disseminate corporate policies, raise awareness of them, and drive behavior change. Combined with Training Readiness’s customized bite-sized learning approach, you will have everything you need to meet the HIPAA requirements.