There are very few things more private than a person’s medical information. Apart from being extremely personal and often sensitive, this information can be abused by criminals in many different ways. That is the main reason HIPAA compliance was put in place. By setting a standard for protecting sensitive patient information, HIPAA compliance ensures that people’s right to privacy is not violated.
The Health Insurance Portability and Accountability Act applies to any organization, entity or individual that provides medical treatment or health care of any kind. It also applies to covered entities, business associates and anyone with access to any kind of private patient information. An act with great reach, HIPAA is even mandatory for subcontractors and for business associates of business associates. The act also extends to hosting providers that handle patients’ data. It does this by requiring certain administrative, physical and technical safeguards.
What Is HIPAA Compliance?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA is a federal law that aims to protect medical and other health-related records. A piece of information is considered personal as long as it meets the following criteria:
• It identifies a particular individual.
• It can be stored or exchanged electronically or as a hard copy.
This protection remains in force for as long as the information is in the hands of the entity or associate. Although the act puts an emphasis on electronic data, its protections apply to individually identifiable information in any form.
Who Needs to Become Approved for HIPAA Compliance?
According to HIPAA, any organization that handles protected health information (PHI) as either a covered entity or a business associate needs to become HIPAA compliant. The term covered entity describes health plans, health care clearinghouses and health care providers. Broadly speaking, PHI is any information about a particular individual that a health care service created or modified. Among many others, covered entities include HMOs, Medicare, Medicaid, physicians, dentists and surgeons.
A business associate, on the other hand, is a vendor or subcontractor with access to protected health information. The term includes data transmission providers, data processing firms, data storage and document shredding companies, medical equipment companies and medical transcription services. PHI itself includes conversations between patients and health care providers, billing information and health-related medical insurance information.
How to Implement HIPAA Compliance in Your Organization
As mentioned above, any covered entity or business associate handling PHI needs to become HIPAA compliant. This is done by protecting the privacy and security of all sensitive health information according to certain standards. Basically, HIPAA compliance consists of four basic rules that one needs to implement.
1. HIPAA Privacy Rule
This rule applies to health plans, health care clearinghouses and health care providers. It establishes national standards to protect the medical records of individuals.
2. HIPAA Security Rule
While the privacy rule deals with standards, the security rule establishes administrative, physical and technical safeguards. They aim to protect the confidentiality, integrity, and security of electronic protected health information.
3. HIPAA Enforcement Rule
This rule contains provisions related to compliance and investigations. It also provides details on the imposition of penalties and the procedures for hearings.
4. HIPAA Breach Notification Rule
In the case of a breach, this rule requires covered entities to notify affected individuals and the U.S. Department of Health and Human Services. In some cases, it also requires contacting the media.
Once a covered entity or business associate has addressed those four rules, it can be considered HIPAA compliant.
Ways to Become HIPAA Compliant
The only way to become HIPAA compliant is to implement the required administrative, physical and technical safeguards dictated by the HIPAA Security Rule. In addition to these required specifications, there are others designated “addressable.” This guide discusses only the required specifications.
A. Technical Safeguards
1. Unique User Identification: Assigning a unique name and/or number to each patient.
2. Emergency Access Procedure: Implementing procedures for obtaining a patient’s ePHI during an emergency.
B. Physical Safeguards
3. Workstation Use: Applying policies and procedures that specify the proper functions to be performed and the manner in which they are performed. The policy should also specify the physical attributes of any workstation that can access ePHI.
4. Workstation Security: Implementing physical safeguards for these workstations in order to restrict access to authorized users.
5. Disposal: Implementing procedures that address the final disposition of both the ePHI and the hardware that contains it.
6. Media Re-Use: Putting in place procedures for removal of ePHI from digital media before it’s made available for re-use.
C. Administrative Safeguards
7. Risk Analysis: Running a risk analysis procedure in order to determine where PHI is being used and stored.
8. Risk Management: Implementing measures to reduce risk.
9. Sanction Policy: Establishing sanctions for non-compliant employees.
10. Information Systems Activity Reviews: Performing a regular review of system activity and logs.
11. Officers: Designating HIPAA security and privacy officers.
12. Multiple Organizations: Guaranteeing that PHI isn’t available to parent or partner organizations or subcontractors without access authorization.
13. Response and Reporting: Responding promptly and appropriately to security incidents.
14. Contingency Plans: Ensuring that backups of ePHI are available.
15. Emergency Mode: Establishing procedures that enable the continuation of business processes for the protection of ePHI while operating in emergency mode.
16. Evaluations: Performing periodic evaluations to check if any HIPAA compliance procedures need adjusting.
Even though becoming HIPAA compliant can seem extremely complicated, all the requirements are there to ensure that everyone’s privacy is respected. Because it helps avoid many problems, this is beneficial not only to patients but also to health care providers. Finally, if you have had any interesting experiences with HIPAA compliance, please share your knowledge with us in the comments!