You may have seen signs about “HIPAA Privacy Rules” at a doctor’s office or in line at the pharmacy. Some of these signs direct you to stand a certain number of feet away from other patients while they speak with nurses, pharmacists or administrators. Other signs may inform you that only you can access your records. What is HIPAA, and how can you ensure HIPAA compliance?
HIPAA Is a Federal Law
“HIPAA” stands for the Health Insurance Portability and Accountability Act of 1996. In this act, Congress outlined a number of rules for securing and storing patient information. The act covers what is known as “personal health information” (PHI). According to the company Truevault, a provider of secure health information systems, “PHI is personally identifiable information in medical records, including conversations between doctors and nurses about treatment. PHI also includes billing information and any patient-identifiable information in a health insurance company’s computer system.”
Given the broad category of information to protect, HIPAA compliance is mandatory across a range of technologies and systems. If any mobile application, for example, transfers, collects or stores users’ PHI, then it must meet certain federal guidelines under HIPAA.
HIPAA compliance involves three types of rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. The Privacy Rule covers the collection and storage of PHI from patients, including “the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual” (Centers for Medicare and Medicaid Services).
The Security Rule covers the same type of information, but it also outlines “safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of ePHI.” In other words, organizations must take steps to ensure the security of the systems that store this data.
Finally, the Breach Notification Rule requires organizations to inform individuals when their information has been compromised. Companies that attempt to sweep breaches under the rug face serious monetary penalties for lack of HIPAA compliance.
Who Must Comply?
According to the U.S. Centers for Medicare and Medicaid Services, entities involved in the transmission of PHI are all required to follow HIPAA compliance rules. These include “Covered Health Care Providers, Health Plans, and Health Care Clearinghouses.” The Act was also expanded to cover business associates of those named above: “a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI.” As you can imagine, the group of institutions that must comply is broad. Consultants, accreditation organizations, and billing and financial services are all covered under these rules.
What Do You Do?
According to OnlineTech, another company specializing in HIPAA compliance for electronic information, HIPAA outlines four types of safeguards for PHI: physical safeguards, technical safeguards, technical policies and network security. Depending upon your position in a healthcare organization, one or more of these safeguards may apply to you.
Physical safeguards “include limited facility access and control, with authorized access in place.” This may translate to regulations regarding who can see what. OnlineTech further explains that technical safeguards “require access control to allow only the authorized to access electronic protected health data.” Technical policies “cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed,” and network security HIPAA compliance “protect[s] against unauthorized public access of ePHI.”
For healthcare IT professionals, all aspects of HIPAA compliance are important. Many of these professionals have a specialized degree in this area, such as an MBA in Healthcare Information Systems, which covers HIPAA compliance thoroughly. It is up to these healthcare IT professionals to manage patient data securely and safely.