What does it mean to be in compliance with HIPAA - Are you doing it effectively?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal statute. The law is complex and contains many requirements, but the part most people associate with compliance is the HIPAA Privacy Rule and Security Rule included in the law.
This law was primarily enacted to simplify the administration of healthcare, prevent healthcare fraud, and ensure that workers keep their health insurance plan benefits after leaving a job.
Today, covered entities and their contracted business associates must operate in compliance with HIPAA. Since its enactment, the law has been revised and expanded. Besides health insurance portability, the law also emphasizes the protection of patient information privacy. The term patient information usually refers to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI).
To be in compliance with HIPAA means you are properly adhering to the rules and regulations that HIPAA entails. There is no single point at which HIPAA compliance is achieved. Applying HIPAA is a plan of action that must be developed, monitored and maintained. HIPAA consists of five rules, four of which are important for compliance. This article explains the HIPAA Privacy and Security Rules, the Omnibus Rule and the Breach Notification Rule to help you understand what it means to be in compliance with HIPAA.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect an individual's medical records and other personal health-related information. The Rule applies to covered entities such as health plans, healthcare clearinghouses, and those healthcare providers that conduct standard electronic healthcare transactions. It requires appropriate safeguards to protect the privacy of PHI and limits the uses and disclosures that may be made of such information without the patient's consent. Furthermore, the Rule grants patients the right to access their medical records, obtain copies and request corrections.
The HIPAA Security Rule
The HIPAA Security Rule sets minimum standards that must be in place to protect the confidentiality, integrity, and availability of ePHI. It requires healthcare organizations to protect ePHI by implementing appropriate technical, physical and administrative safeguards, including limiting access to the people or software programs that need it to perform their tasks. The three subsections of the Security Rule are:
Technical Safeguards: These protect ePHI and set the standard for controlling technological access to it. They require adequate measures to protect networks and devices from unauthorized access and data breaches. These measures include audit controls, access controls, integrity controls, transmission security controls, and authentication controls.
Physical Safeguards: These focus on measures established in the workplace's physical structures to prevent the theft or loss of devices that contain ePHI. This includes controlling access to your facilities, workstation security, and device and media control policies.
Administrative Safeguards: These require the administration to take adequate measures to secure access to patients' ePHI. It is the employer's responsibility to train and educate staff members on new requirements or methods, and to ensure that ePHI is accessed by authorized personnel only. This includes workforce security, contingency plans, information access management, evaluation, and similar measures.
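The technical safeguards above name access controls, audit controls and integrity controls without showing how they fit together in software. The following added example (my own illustration, not code from the article or from the HIPAA Ready product) shows one way a small ePHI data layer can enforce all three: a role-to-permission table decides who may read a record, every access attempt is written to an audit log whether it succeeds or not, and each stored record carries an HMAC tag so silent modification is detected at read time. The role names, the sample patient record and the integrity key are constructed for the demo; in a real deployment the key would come from a key management service and the audit log would go to tamper-resistant storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample ePHI record (not real patient data).
SAMPLE_EPHI = {
    "patient-001": {"name": "Example Patient", "diagnosis": "constructed sample"},
}

# Assumed role model for the demo: which roles may read or write ePHI.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),  # no ePHI access at all
}

# Demo-only key; a real system fetches this from a KMS/HSM, never hard-codes it.
INTEGRITY_KEY = b"constructed-demo-key"


class AccessDenied(PermissionError):
    """Raised when the caller's role lacks the permission for the action."""


class EphiStore:
    def __init__(self, records, key):
        self._key = key
        # Integrity control: every record is stored with an HMAC-SHA256 tag.
        self._records = {pid: self._seal(rec) for pid, rec in records.items()}
        # Audit control: one entry per access attempt, allowed or not.
        self.audit_log = []

    def _seal(self, record):
        payload = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def _audit(self, user, role, action, patient_id, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "patient_id": patient_id,
            "outcome": outcome,
        })

    def read(self, user, role, patient_id):
        # Access control: check the role before touching any data.
        if "read" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, "read", patient_id, "denied")
            raise AccessDenied(f"role {role!r} may not read ePHI")
        entry = self._records.get(patient_id)
        if entry is None:
            self._audit(user, role, "read", patient_id, "not_found")
            raise KeyError(patient_id)
        # Integrity control: recompute the tag and compare in constant time.
        expected = hmac.new(self._key, entry["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {patient_id}")
        self._audit(user, role, "read", patient_id, "allowed")
        return json.loads(entry["payload"])

    def denied_attempts(self):
        """Return audit entries that a reviewer would want to see first."""
        return [e for e in self.audit_log if e["outcome"] != "allowed"]


if __name__ == "__main__":
    store = EphiStore(SAMPLE_EPHI, INTEGRITY_KEY)
    print(store.read("dr_a", "physician", "patient-001"))
    try:
        store.read("contractor_b", "facilities", "patient-001")
    except AccessDenied as exc:
        print("blocked:", exc)
    for entry in store.denied_attempts():
        print(entry["user"], entry["outcome"])
```

Note that the denied attempt is logged before the exception is raised, so the audit trail records who tried to reach ePHI and was refused, which is exactly the kind of evidence an evaluation under the administrative safeguards asks for.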
The Omnibus Rule
The Omnibus Rule combines four closely related final rules. It mainly focuses on implementing the Health Information Technology for Economic and Clinical Health Act (HITECH). That Act promotes the use of electronic health records, increases accountability for non-compliance, regulates breach notification, and requires certain business associates of HIPAA covered organizations to comply with HIPAA. The Omnibus Rule also states that business associates must operate in compliance with HIPAA and sets the rules surrounding Business Associate Agreements (BAAs). A BAA is an agreement that must be executed between a business associate and a covered entity, or between two business associates, before any PHI or ePHI can be exchanged or transferred.
The Breach Notification Rule
The Breach Notification Rule sets the standards that covered entities and business associates must follow in notifying HHS of a breach of unsecured PHI. It also requires organizations to notify the affected individuals and, in certain circumstances, the media. Breaches affecting 500 or fewer individuals must be reported within 60 days before the calendar year ends. Larger breaches involving 500 or more individuals must be reported within 60 days of discovery.
To be in compliance with HIPAA also means that you value provider-patient confidentiality. Valuing this confidentiality shows that you have taken adequate steps to safeguard patients' Protected Health Information (PHI). HIPAA compliance is a complex undertaking, and the risk of non-compliance often stems from inadvertent mistakes. Resources like HIPAA Ready can help your organization become HIPAA compliant.
Get assistance in achieving compliance with HIPAA
HIPAA Ready is a platform on which you can perform regular compliance risk assessments yourself. This HIPAA compliance software contains a digital checklist of tasks, action plans, an updated policy center and even training materials for your employees. It can help you streamline your activities while remaining compliant with less effort.
HIPAA is not a one-and-done checklist but a continual process in which you develop, monitor and maintain the program. With HIPAA Ready you can create an ongoing training program and instill a culture of compliance within your organization.