What is HIPAA? What is HIPAA compliance?
In the United States, every covered entity and business associate that deals with Protected Health Information (PHI) must adhere to the guidelines outlined in the Health Information Portability and Accountability Act (HIPAA). Examples of covered entities include doctors, pharmacies, health insurance companies, and nursing homes. Business associates are defined as persons or groups that use or disclose PHI on behalf of covered entities, and include CPAs, attorneys, IT providers, billing companies and laboratories.
Further, the HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) through appropriate safeguards. This requirement means that healthcare organizations must enact administrative, physical, and technical safeguards to minimize the risks associated with storing and transmitting patient data electronically.
What are the penalties for non-compliance?
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Security Rule, which became enforceable on April 20, 2005. Covered entities and business associates that fail to comply with HIPAA rules are subject to fines that can easily surpass $1 million. The OCR investigates complaints filed by third parties and also conducts its own compliance audits and reviews.
How does my healthcare organization comply with the HIPAA Security Rule?
As per the HHS website, all covered entities must implement the following three categories of safeguards to comply with the HIPAA Security Rule:
Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They include restricting physical access to ePHI and retaining off-site computer backups.
Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted.