The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a set of federal regulatory standards that govern the lawful use and disclosure of protected health information (PHI). HIPAA compliance is overseen by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR).
Protected health information (PHI) is any individually identifiable health information, including demographic data, that is created, received, stored, or transmitted by a HIPAA-covered entity or its business associates and that could be used to identify a patient or client. PHI that is created, stored, transmitted, or accessed electronically is known as electronic protected health information (ePHI) and is the subject of the HIPAA Security Rule.
Who must be HIPAA compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
- Covered Entities: A covered entity is any health care provider, health care clearinghouse, or health plan (health insurer) that transmits health information electronically in connection with a HIPAA standard transaction, such as a claim or an eligibility check. Examples include hospitals, clinics, pharmacies, insurers, and billing clearinghouses.
- Business Associates: A business associate is any person or organization that creates, receives, maintains, or transmits PHI in the course of performing a function or service on behalf of a covered entity, for example a cloud hosting provider, a billing company, or an IT vendor with access to ePHI. A subcontractor of a business associate that handles PHI is itself a business associate.
What are the HIPAA Rules?
HIPAA regulation is made up of several HIPAA Rules, issued by HHS in the 20+ years since HIPAA was first enacted in 1996.
The HIPAA Rules that you should be aware of include:
- HIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for how PHI may be used and disclosed and for patients' rights over their PHI, such as the right to access and amend their records. It applies directly to covered entities; business associates are bound by its use-and-disclosure limits through their Business Associate Agreements and, since the Omnibus Rule, are directly liable for certain Privacy Rule provisions.
- HIPAA Security Rule: The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards (risk analysis, workforce training, facility and device controls, access control, audit controls, integrity controls, and transmission security). It applies to both covered entities and business associates, because both create, receive, maintain, or transmit ePHI.
- HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI or ePHI. The requirements scale with the size of the breach: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must be reported to HHS on the same timeline and, where 500 or more residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity, which remains responsible for the onward notifications.
- HIPAA Omnibus Rule: The HIPAA Omnibus Rule, finalized in 2013 to implement the HITECH Act, extended HIPAA's requirements and direct liability to business associates and their subcontractors, in addition to covered entities, and set out the required contents of Business Associate Agreements (BAAs).
The HIPAA statute itself is organized into five Titles; the Rules above were issued under Title II:
- Title I: HIPAA Health Insurance Reform.
- Title II: HIPAA Administrative Simplification.
- Title III: HIPAA Tax-Related Health Provisions.
- Title IV: Application and Enforcement of Group Health Plan Requirements.
- Title V: Revenue Offsets.
What does HIPAA compliance require?
- Self-audits: regular assessments of administrative, physical, and technical safeguards against the HIPAA Rules, including a documented security risk analysis.
- Remediation plans: documented plans to close the gaps found in those audits, with owners and deadlines.
- Policies and procedures: written policies and procedures that match the Rules, reviewed and updated regularly, with staff trained on them and the training recorded.
- Business associate management: an inventory of every vendor that handles PHI and a signed BAA with each one.
- Incident management: a documented process to detect, investigate, document, and report breaches of PHI and ePHI.
Elements of HIPAA Compliance
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
A HIPAA violation is any failure of an organization's compliance program that compromises the privacy, integrity, or security of PHI or ePHI. A HIPAA violation is not the same thing as a data breach: not every data breach is a HIPAA violation. A breach becomes a violation when it results from an ineffective, incomplete, or outdated HIPAA compliance program, or from a direct violation of the organization's own HIPAA policies. Common categories of HIPAA violation include:
- Impermissible use and disclosure of PHI
- Improper or missing security safeguards
- Failure to follow the Minimum Necessary Rule (using or disclosing more PHI than the purpose requires)
- Inadequate access controls
- Failure to provide a Notice of Privacy Practices