Get myCPE Unlimited Access @ $299 $199/Annually
HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to keep patient data confidential and secure. If you are an organization that handles protected health information (PHI), a HIPAA compliance report will demonstrate you have the required safeguards in place to protect patient information.
There are three major components to HIPAA rules and regulations – the Security Rule, Privacy Rule, and Breach Notification Rule. This article will give background information on these three components and provide a checklist you can use when seeking HIPAA compliance.
HIPAA compliance is a process for covered entities and business associates to protect and secure PHI in a way that complies with the established Privacy, Security, and Breach Notification Rules. Let’s review what information classifies as protected healthcare information and the professions bound by HIPAA regulations.
PHI is protected healthcare information. This includes items such as paper documents, X-Rays, and prescription information. Electronically protected health information (ePHI) is PHI that includes digital medical records, electronic MRI scans, names, addresses, and dates (birthdays, hospital admission, discharge dates, etc.) stored or transmitted electronically.
Covered entities are individuals and organizations working in healthcare who have access to PHI. These include doctors, surgeons, nurses, psychologists, dentists, chiropractors, hospitals, clinics, nursing homes, pharmacies, health plans, health insurance companies, HMOs, and company health plans. They frequently work with sensitive health information and are therefore bound by HIPAA regulations.
Business associates are individuals and entities that perform activities involving the use or disclosure of protected health information on behalf of or provide services to, a covered entity. This could include but is not limited to, lawyers, accountants, administrators, and IT professionals.
1: Technical Safeguards refers to the following:
2: Physical Safeguards refers to the following:
3: Administrative Safeguards refers to the following:
The Privacy Rule addresses the use and disclosure of PHI by covered entities and outlines an individual’s privacy rights so they can understand their health information and control how it’s used. This rule covers all personal identifiers handled by a covered entity or its business associates in any media (electronic, paper, or spoken word).
Additionally, the Privacy Rule limits disclosure of PHI to the minimum necessary for the stated purpose.
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach, or the impermissible use or disclosure of PHI. Patients and the Department of Health and Human Services must be notified of breaches, as well as the media if the breach affects more than 500 patients. Notification must be reasonably prompt and no later than 60 days following the discovery of the breach.
Breaches affecting fewer than 500 individuals must be reported to the Office for Civil Rights (OCR) web portal on an annual basis. Breach notifications should include:
Covered entities and business associates can use the following as a guide to help establish or remain in HIPAA compliance.
The fines for HIPAA violations are imposed per violation category and can be severe, reaching up to $1,500,000 per violation category, per calendar year. Authorities can even file criminal charges in the case of willful neglect.
To ensure your organization remains in good standing, it’s often best to have professional assistance. With over 850 healthcare assessments completed, A-LIGN helps organizations achieve HIPAA compliance from readiness to report. Click to explore our HIPAA services.
HITRUST i1 is a gamechanger for the compliance industry — it fills a crucial market gap for businesses that want a highly reliable security certification for moderate risk assurance. Because security is an ongoing process of continuous improvement, the fact that this assessment is frequently updated to maintain continuous relevance is highly appealing. If you’re seeking guidance on HITRUST, A-LIGN is here for you. We have helped hundreds of clients achieve HITRUST certification and can make your HITRUST journey as smooth and efficient as possible.
