HIPAA stands for the Health Information Portability and Accountability Act of 1996. It is a federal law that requires national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. It protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate in any form, whether electronic, paper, or oral.
What is a Covered Entity?
A covered entity is any of the following:
- A health care provider: for example, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies
- A health plan: health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs
- A health care clearinghouse: an entity that processes nonstandard health information into a standard format
What is HITECH?
HITECH extends the HIPAA regulations with requirements that apply specifically to electronic PHI (ePHI). HITECH was signed into law in 2009 to promote the adoption and meaningful use of health information technology. It addresses the privacy and security concerns that come with transmitting health information electronically, and several of its provisions strengthen the civil and criminal enforcement of the HIPAA rules.
What are the HIPAA Rules for Organizations?
The HIPAA and HITECH laws apply to anyone who handles or comes into contact with Protected Health Information (PHI). Their purpose is to protect customers' and patients' PHI.
There are three main components to the HIPAA rules:
- Administrative Safeguards: organization-wide actions and policies implemented to protect electronic health information and to manage employee conduct.
- Physical Safeguards: measures meant to prevent the physical theft or loss of devices that contain patient records. They include keeping devices physically secure, training employees, IT management of devices, and other hardware security measures.
- Technical Safeguards: technical controls put in place to protect networks and devices, and the data they hold, from breaches.
Why is meeting HIPAA Standards Important?
Protecting confidential information exchanged between patients and providers is an important responsibility. Improper access and inadequate safeguards can harm both organizations and individuals, because sensitive information can be used for malicious purposes. The HIPAA Security Rule is meant to give patients confidence that their medical information is kept private and confidential.
Cybersecurity breaches are another concern. A lack of cybersecurity rules in a healthcare organization is financially risky: it can lead to large financial penalties and put patient identities at risk. These breaches have become common enough that the damage they cause is no secret. When an organization fails to properly protect its patients' identities and private health information, the damage is real. Not only does it lose the confidence of its customers and suffer a damaged reputation, but it is also exposed to both civil money penalties and criminal penalties.
Under the HIPAA Security Rule, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
A risk analysis is an ongoing process in which an organization reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of the security measures it has put in place, and regularly reevaluates potential risks to e-PHI.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI.
- Implement appropriate security measures to address the risks identified in the risk analysis.
- Document the chosen security measures.
- Maintain continuous, reasonable, and appropriate security protections.
How To Protect Your Customers & Your Business
HIPAA compliance can be complicated, and it is not something you want to risk when you are trusted with your patients' private health information. At VanRein we can give you a free risk assessment so that you know where you stand with regard to HIPAA compliance. Schedule a call with us today and find out whether you are doing everything you should to be HIPAA compliant.