It’s hard to believe that the Health Insurance Portability and Accountability Act (HIPAA) was enacted twenty-five years ago. This important legislation codified protections to safeguard Protected Health Information (PHI) for individuals. PHI is defined as any information that includes personally identifiable information about health status, health care that was provided, and payment for that care. These national standards include HIPAA Privacy Rules and HIPAA Security Rules.
- The HIPAA Privacy Rules outline permissible uses and disclosures of PHI. Some covered uses include treatment and payment, limited public interest, and research initiatives. The rules also ensure patient access to their records and the opportunity to agree or object to disclosures.
- The HIPAA Security Rules require that covered entities safeguard all electronic health information from security threats, ensure that the information is accurate, confidential, and available, protect against inappropriate use or disclosure of data, and certify workforce compliance.
The requirements are subject to change to address changing technologies, cyberthreats, or public health matters like the COVID-19 pandemic.
The rules are lengthy and detailed, covering over 100 pages of policy and regulations. All employees and business associates of a covered entity are required to ensure that PHI is protected in accordance with these rules. Confusion over HIPAA requirements not only potentially exposes your customers’ PHI, it can also cost your business thousands of dollars in penalties. Often the best approach is to partner with a qualified expert to ensure that your business is meeting the requirements.
Is Your Business a Covered Entity?
HIPAA states that a covered entity is any business with access to PHI. There are four categories of covered entities.
- Healthcare Providers: Doctors, nurses, hospitals, pharmacies, and therapists are considered healthcare providers and must be HIPAA compliant.
- Healthcare Clearinghouses: Clearinghouses take the practice data in the form of PHI and prepare it before transmitting it to other entities. Medical billing services are healthcare clearinghouses.
- Health Plans: Health plans are organizations that pay for medical services or enroll people in insurance. They include but are not limited to healthcare insurance companies, Medicare, and Medicaid.
- Business Associates: These businesses are vendors or subcontractors that have access to PHI. This group may include technology consultants, medical equipment suppliers, transcriptionist services, answering services, translators, and data processing and transmission firms.
While it’s clear that healthcare providers and insurance companies would be required to be HIPAA compliant, vendors of these companies may also be required to be HIPAA compliant.
Four Basic Steps to Compliance
- Determine if your business is one of the covered entities. If your business provides healthcare, bills for services, pays for healthcare, or contracts with any of the above, you may be a covered entity.
- Determine what business activities, employees, and data are regulated by HIPAA. Don’t overlook the non-medical staff. Marketing, administration, and back-office employees may all have access to PHI. Ensure that safeguards are in place throughout the organization.
- Provide comprehensive HIPAA training to all employees. Every employee is a potential steward of client PHI.
- Ensure business associates are aware of their obligations and sign business associate agreements.
An important part of ensuring compliance is understanding common practices that may expose PHI.
- Reception providing information to a patient’s friends or family.
- A clinician leaving their computer without logging out.
- A field-based provider losing a laptop.
- Sharing passwords when staff are covering for each other.
- Emailing patient notes to oneself.
- Accessing data on personal devices.
- Throwing away paper files instead of shredding.
All violations must be reported. Violations are graded on a four-tier penalty structure.
- Tier 1: The covered entity was unaware of the problem and, exercising ordinary caution, was not likely to discover the issue.
- Tier 2: The covered entity should have been aware that there was an issue but was unable to prevent the violation with due diligence. There was no willful neglect. Willful neglect is a conscious failure or reckless indifference to the HIPAA rules and regulations.
- Tier 3: The violation was due to willful neglect, and an attempt has been made to correct the issue.
- Tier 4: A HIPAA violation was the result of willful neglect, and the covered entity has not attempted to correct the issue.
Prevention Is the Key to HIPAA Compliance
HIPAA violations can not only result in fines, but they also can be costly to mitigate and cause a loss in reputation. HIPAA compliance is good for your business. To prevent HIPAA violations, a business must incorporate these practices.
- Regular comprehensive assessments to identify risk and improve policies and protocols.
- Comprehensive employee training.
- Strong security policies and protocols.
- Effective management of physical records.
Contact Us Today to See How Atruent Partners to Ensure HIPAA Compliance
Atruent offers Compliance as a Service, a program that reduces the risk of HIPAA and other compliance violations. Services include regular comprehensive risk assessments, documented evidence of compliance, and employee training.
Atruent is a fully managed IT service company. We make it a point to understand your business, its operational structure, and its processes, and we tailor our services and support to match your business needs.
Contact us today to learn more.