Data privacy regulations like the HIPAA compliance rules tend to be very detailed and can be difficult for the average person who is not trained in data security to get through.
In today’s digital age, companies have all types of sensitive data being gathered, stored, and transmitted in electronic form, and these types of guidelines are designed to protect it against compromise.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to improve the efficiency and privacy of the health care system by creating national standards for electronic health information and transactions.
HIPAA covers everything from access that patients have to their health records to the IT security steps that should be taken to protect them. Any businesses that deal with personal health information are subject to HIPAA compliance.
Non-compliance can be devastating for businesses, resulting in loss of client trust, fines, and more. In 2018, over $28.6 million in HIPAA fines were levied against health care providers.
In this article, we’ll try to simplify HIPAA and provide a beginner’s guide to understanding the data security requirements of HIPAA, what information they apply to, and who is responsible for complying with the regulation.
HIPAA Basics | An Overview of HIPAA Compliance
We’ll start off by discussing what type of information HIPAA covers, then get into the specific rules that organizations have to adhere to and discuss who is subject to HIPAA.
By the end you should have a basic understanding of the types of requirements that health care providers or others that work with them have under this regulation.
What Information Does HIPAA Cover?
HIPAA’s Privacy Rule protects just about all “individually identifiable health information” which is described as “protected health information” or “PHI.” You’ll see the acronym PHI referred to often in the HIPAA rules.
PHI includes information that relates to the following:
- A person’s past, present, or future physical or mental health
- The provision of health care to an individual
- The past, present, or future payment for the provision of health care
- Any health information that can be used to identify an individual
Examples of the types of information protected under HIPAA are medical bills, lab results, and medical records.
Exceptions not covered by HIPAA include:
- Individually identifiable health information in a practice’s employment records
- Records covered by the Family Educational Rights and Privacy Act (FERPA)
HIPAA Rules Overview
It gets a little complicated when you’re trying to sort through the HIPAA rules, because there are several of them. However, each rule addresses a distinct area of HIPAA compliance, which helps keep the requirements organized.
The HIPAA Privacy Rule limits the use and disclosure of patient information. If you accidentally leave a patient record open on a desk, and other patients are able to see it, that’s a violation of the HIPAA Privacy Rule.
Other things this rule establishes are the patients’ rights to access their medical records and the types of authorizations that need to be in place before PHI can be disclosed.
The Security Rule is the one that addresses electronic PHI and sets standards for protecting the confidentiality, integrity, and availability of that data. If you keep electronic records in non-encrypted format in an unprotected database, that would be a violation of the HIPAA Security Rule.
This rule sets forth standards for protection of PHI, through technical, physical, and administrative safeguards.
If you have a data breach and protected health information is compromised, the Enforcement Rule will tell you what you need to do in terms of notification and what fines you may be subject to.
The rule has requirements for notifications of a breach to:
- The affected individuals
- The media
- The Secretary of the U.S. Department of Health and Human Services
The current rule requires notification of a data breach to the Secretary of the Department of Health and Human Services according to the following:
- A breach affecting 500 or more individuals: notification within 60 days
- A breach affecting fewer than 500 individuals: notification on an annual basis
The Omnibus Rule sets forth additional requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH), which further strengthen the privacy and security of PHI.
Some of the areas this rule covers are communications used in marketing and fundraising, disclosures of student immunization records, and notices of privacy practices.
Who Has to Comply with HIPAA?
There are two main entity descriptions for those needing to comply with HIPAA. These include “Covered Entities” and “Business Associates.”
Covered Entities include:
- Health Plans
- Health care clearinghouses
- Health care providers who conduct financial and administrative transactions electronically
A Business Associate is a person or entity that performs certain functions that involve the use or disclosure of protected health information. Business associates include:
- CPA firms or attorneys that provide professional services to a health care provider
- An independent medical transcriptionist that provides services to a physician
- A consultant that performs utilization reviews for a hospital
So basically, anyone who has access to protected health information in the course of their work is required to comply with the HIPAA guidelines.
If you are serious about becoming HIPAA compliant, download our FREE HIPAA checklist.
Take the Pain Out of HIPAA Compliance
ZZ Servers makes it easy for health professionals to navigate HIPAA rules by managing your practice’s IT security for one affordable, flat monthly rate. Ensure the security and efficiency of your network and stay in compliance without worry.