HIPAA Compliance: Addressing Security, Data Privacy and Accessible Healthcare
April 13, 2015
HIPAA is a movement, not just compliance.
It was designed to make healthcare in the U.S. more accessible, while keeping patient data secure and administrative costs controlled. It is a necessary law that protects patients' confidentiality and medical information from being disseminated or used in ways not allowed by law.
Still, given the number of rules that follow from HIPAA, maintaining strict compliance can be an onerous task for organizations. It is especially difficult because most organizations need to contract with outside parties to deliver their services. This makes compliance even more difficult — unless your organization follows strict protocol and has controls in place when working with outside vendors.
The following outlines what the law entails, along with a breakdown on who is required to be compliant, how HIPAA is enforced, and what you can do to keep your organization from being penalized.
What Is HIPAA?
President Bill Clinton signed the Health Insurance Portability and Accountability Act into law in 1996. The primary goal of the law is to streamline the administrative cost of healthcare, while simultaneously making it easier for people to obtain medical insurance and keep their data secure.
HIPAA is broken into two main sections:
Title I of HIPAA
Keeps workers and their families protected from losing health insurance when they change or lose their employment.
Title II of HIPAA
Mandates a national standard for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Who Needs To Be HIPAA Compliant?
Organizations bound by HIPAA are considered “covered entities” and are required to adhere to strict privacy standards, even when contracting with outside service providers, collectively known as “business associates”.
Covered entities fall into the following categories:
- Nursing Homes
- Health Insurance Companies
- Company Health Plans / HMOs
- Government programs that pay for healthcare
- Flexible Spending Accounts
- Entities that process non-standard health information received from another entity into a standard electronic format or data content, or vice versa
- Billing Services
- Repricing Companies
- Community Health Management Information Systems
Any organization or individual defined under HIPAA as a covered entity is required to keep patient data private and secure, and give patients certain rights when it comes to their medical information.
A business associate is defined as any of the following:
- Data center providers
- Hosting Companies
- Managed Service Providers
- SaaS Companies
- CRM Companies
- Accounting Services
- Legal Services
- Attorneys with access to medical records
- Business Services
- Claims Processing
- Consulting Services
- Medical Transcription Services
- Document Destruction
- Records Management
How Is HIPAA Enforced?
HIPAA is governed and enforced by the Department of Health and Human Services (HHS), through the Office for Civil Rights.
Privacy and security complaints are addressed through investigation, compliance review and ongoing education. In more severe cases, the OCR coordinates with the Department of Justice when it is suspected that a criminal violation has occurred.
What Happens If You Violate HIPAA?
In February 2009 a revision to the Social Security Act took effect that established categories of violations and penalties and raised the minimum penalty for each violation.
Penalties are categorized into two separate groups:
- Civil monetary penalties
- Criminal penalties
The severity of the violation determines how the incident will be pursued by the OCR. Minor individual offenses are not considered criminal, and at their lowest level can result in a small fine. Where culpability has been established and the violation results in a criminal complaint, enforcement can result in up to 10 years in jail.
Best Practices for HIPAA Compliance
If your organization is required to follow HIPAA, you’ll need to establish policies and audit protocols that ensure you stay current with any changes to the law. You’ll also need to adhere to the current rules, and have the ability to prove your organization is compliant. Audits are common and help ensure that patient data remains secure and confidential.
Best practices for HIPAA compliance:
- Document all stages of compliance and have policies in place for data management, training, and security.
- Use strong passwords and encrypt access information.
- Use SSL for all web-based access to patient data.
- Create protocols for handling breaches and data leaks.
- Choose technology partners that have a business associate agreement in place. This makes audits much simpler and avoids having to perform secondary audits.
The HIPAA framework gives patients the protection they need, while helping to systemize the process in which data is handled. Patients are given rights. Organizations are given rules. It’s up to each organization to ensure they protect their patients and themselves. Your technology partners can help you set policies and protocols that help you keep compliant.
If you have questions about HIPAA and how your data center provider can help, give us a call.