The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets national standards for the privacy, security, and transmission of individually identifiable health information.
It establishes penalties for violations by covered entities and gives patients an array of rights with respect to their own health information.
HIPAA applies to healthcare providers who conduct certain standard transactions electronically in connection with certain healthcare operations.
The law also requires these same entities to comply with National Institute on Standards & Technology (NIST) Special Publication 800-53 Revision 4 Privacy Controls if they are storing or transmitting electronically protected health information (ePHI).
In this article, we will discuss the basics of HIPAA compliance and what it means for healthcare providers.
This will be useful to those of you who may not know much about HIPAA and would like to understand it more or anyone that needs a refresher course on the topic.
What is required by law?
The HIPAA Privacy Rule, which became effective in 2003, gives patients rights over their own medical records and control over how their personal health information is used and disclosed by healthcare providers.
The HIPAA Security Rule (for better security of ePHI) became effective in 2005, establishing national standards for electronically protected health information (ePHI).
Furthermore, the HIPAA Privacy and Security Rules require a number of administrative, physical, and technical safeguards for protecting ePHI.
Security standards address access control, integrity, confidentiality, person or entity authentication, as well as transmission security.
For those organizations engaging in specific electronic transactions (e.g., billing claims electronically), covered entities must implement additional transaction-specific safeguards as required by HIPAA.
If you own a company dealing with health information and wish to become HIPAA compliant, you must be familiar with and follow all HIPAA guidelines and standards that pertain to your industry.
These include, but are not limited to the Administrative Safeguards (security management), Physical Safeguards (physical access to data), Technical Safeguards (software), and Organizational Controls (policies/procedures).
The basics: What do I need to do to be HIPAA compliant?
HIPAA compliance means having a comprehensive and systematic approach to security in your organization.
For example, you may need to create a security policy, implement access controls on your data, regularly monitor your networks for potential risks, and much more.
You can use the HHS’s Self-Assessment tool to help you figure out what actions your company should take in order to become HIPAA compliant.
Who does this impact?
As an employer or company owner, HIPAA compliance is important to you because it affects your employees.
All companies that use electronic means to store or transmit any type of health information are required by federal law to be HIPAA compliant.
This includes organizations that engage in standard transactions, even if they do not conduct electronic transactions with patients (e.g., billing electronically).
For patients, HIPAA compliance is important in terms of gaining access to your own health records.
HIPAA grants patients the right to obtain a copy of their medical record and know how it’s being used or shared by others with permission.
You can be fined up to $50,000 per violation (it does not mean the money goes directly to you), so it is always best to be aware of your rights under HIPAA.
What constitutes a violation?
One of the most common violations for companies and individuals alike is sending an email with PHI (protected health information) attached.
If you attach documents containing PHI to an unencrypted email, you can be fined $100 per document. So, if you have 10 patients with their information in an email, this could translate to a $1,000 fine.
To avoid these hefty penalties for violations, be sure to handle PHI in a safe and secure manner.
What does this mean for my business in regards to HIPAA?
If you deal with health information in any way, you must be HIPAA compliant.
This means that your organization can never store or transmit PHI (protected health information) without following HIPAA guidelines and standards.
If they do not follow these standards and someone hacks into your company’s private files, the company can be fined and sued by those whose data has been breached.
In all cases, HIPAA requires your business to secure its customer’s health information appropriately.
Failure to do so may result in hefty fines from the Department of Health and Human Services (HHS) as well as lawsuits from those who feel they have been put at risk by your company.
For this reason, HIPAA compliance is of utmost importance to business owners, especially those who deal with PHI on a regular basis.
In order to be HIPAA compliant, you must have a comprehensive and systematic approach to security in your organization.
For example, you may need to create a security policy, implement access controls on your data, regularly monitor your networks for potential risks, and much more.
You can use the HHS’s Self-Assessment tool to help you figure out what actions your company should take in order to become HIPAA compliant.