TW-Security
CustomerCare@tw-Security.com
(913) 396-8321

What is HIPAA Compliance?


HIPAA compliance is essential for hospitals, physicians, chiropractors, dentists, ambulatory surgery centers, health plans, pharmacies and other healthcare service providers operating in the United States. An acronym for the "Health Insurance Portability and Accountability Act," HIPAA is federal legislation that became law in 1996 and requires all healthcare practitioners who perform electronic billing (known as “covered entities”) to take certain measures that protect their patients' personal health information.

HIPAA also established that covered entities may contract with “business associates,” i.e., companies that help the covered entity perform specific functions authorized under the Privacy Rule that require access to ePHI, such as electronic billing, release of information, and supporting electronic medical record systems.


Overview of HIPAA Compliance

The legislation was eventually put into effect through different “Rules” that explain in specific detail what a covered entity must accomplish in order to be considered compliant.

  • The Privacy Rule, which went into effect in April 2003, sets national standards for when protected health information (PHI) may be used and disclosed. It also established specific patient rights that must be recognized across the nation.
  • The Security Rule went into effect in April 2005 and specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).
  • The Breach Notification Rule, which went into effect in September 2009, requires covered entities and their business associates to notify affected individuals, the U.S. Department of Health & Human Services (HHS), and in some cases the media of a breach of unsecured PHI.

Fortunately, the Security Rule does not dictate the same security measures for ALL sizes of covered entities. To determine what works best in your case, you are required to consider four factors as they relate to your organization:

  1. Size, complexity, and capabilities
  2. Technical, hardware, and software infrastructure
  3. The costs of security measures
  4. The likelihood and possible impact of risks to ePHI

Complying with the Privacy Rule, Breach Notification Rule, and Security Rule is essential to protecting your healthcare organization from not only a fine for a HIPAA violation but from loss of reputation!

Why HIPAA Compliance is Important

So, why should you comply with HIPAA? Well, for starters it's the law. As revealed on the HHS website for HIPAA Compliance & Enforcement, healthcare providers and other covered entities are often cited for violating HIPAA. In April 2017, the Metro Community Provider Network (MCPN), for instance, agreed to pay $400,000 as part of a settlement for an alleged lack of security management processes to safeguard patient records. In February 2017, Memorial Healthcare System (MHS) signed a settlement agreeing to pay a staggering $5.5 million for noncompliance with proper audit controls that led to illegal access to 80,000 records. In April 2017, CardioNet (a provider of mobile cardiac monitoring) signed a settlement recognizing that they failed to address known security issues related to their management of mobile devices. These are just a few examples of healthcare entities being hit with hefty fines for violating HIPAA.

Normally, most HIPAA violations result in civil penalties, such as fines and the implementation of a corrective action plan. In extreme cases, however, they can result in criminal penalties enforced by the U.S. Department of Justice. For example, if an individual at a covered entity or business associate knowingly discloses PHI for reasons of personal gain or to harm the patient in some way, that individual could face a criminal penalty of up to $250,000 as well as imprisonment up to ten years.

While these legal requirements and penalties are important to remember, HIPAA compliance is simply the right thing to do if you are providing healthcare services and handling some of the most sensitive information that individuals will ever share about themselves. They need to have confidence that your organization is protecting their information with the same level of care that you provide for their health and wellbeing. Violations of HIPAA will likely convey to patients that your organization is cavalier in handling their information and that they might be better served by going to other providers. This perception may even lead to lawsuits being filed by those patients.

Choose Your Business Associates Wisely

As mentioned above, HIPAA allows covered entities to contract with a business associate. These companies are obligated to follow almost all of the same regulations under HIPAA as the covered entity. Before the company performs any HIPAA-covered activities on behalf of your organization, you must have them sign a “business associate agreement,” which is a formal document explaining all of the company’s obligations under HIPAA.

Therefore, it is essential to choose your business associates wisely. Allowing a company with poor HIPAA compliance practices to access your organization's data is a recipe for disaster. If the company fails to implement its own security measures, your patients' PHI could be in jeopardy of inappropriate access, use, or disclosure. Not only can the company be fined by HHS, but your organization can be fined if it knew about the company’s failures and did not act to either help them correct the issues in a timely manner or to terminate the agreement with the company.


Can you obtain a "Certification for HIPAA Compliance"?

The simple answer is NO. There is no “certification” program provided by HHS or by any vendor in the healthcare marketplace. Also, be very wary of any vendor that says, “We are HIPAA compliant!” because, again, no one can provide such an assurance. Too often, those statements are made by salespeople with little or no understanding of the HIPAA Rules. Compliance with these complicated regulations requires a serious effort and possibly some significant expenditures. It just depends upon what safeguards and practices are currently in place. It is never too late to tighten up your compliance efforts!

This article was brought to you by tw-Security - Dedicated to helping healthcare organizations protect their information resources by creating and managing information security programs. For more information security news, updates, and more on our services, please visit our website.

Sep 21, 2017