With the current COVID-19 pandemic affecting the entire world, medical health and its related services take precedence over all other industries. In light of this, we have covered a burning topic – HIPAA – Health Insurance Portability and Accountability Act.
HIPAA is an act dealing with medical-related services in the US. Simply stated, it is a law applicable to organizations that serve US individuals and process PHI (Protected Health Information). Its requirements are designed to provide privacy and security standards that protect patients’ medical records and other health information they share with doctors, hospitals, insurance companies etc., thereby protecting their identities and interests.
HIPAA Compliance is the means by which service providers ensure that medical data is secured, and it brings services related to medical billing, claims processing, subcontracted clinical reports, test analysis, subscriptions, newsletter notifications etc. under the purview of this law.
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by the US Congress in 1996. HIPAA does the following:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
- Reduces health care fraud and abuse
- Mandates industry-wide standards for health care information on electronic billing and other processes
- Requires the protection and confidential handling of Protected Health Information (PHI)
There are 5 major Titles under HIPAA, of which Title 2 defines the requirements for being compliant with HIPAA. Title 2 applies to any service provider dealing with ePHI either directly or indirectly.
How is HIPAA Classified? Who should be HIPAA Compliant?
HIPAA classifies organizations by the activities they perform. Under the Administrative Simplification provisions of Title 2, organizations are classified as:
Covered Entities — Business Associates — Subcontractors
The HIPAA Administrative Simplification Rules establish national standards for electronic transactions and code sets to maintain the privacy and security of Protected Health Information (PHI). Organizations that fall under these classifications must therefore comply with the requirements of HIPAA, to the level prescribed by the law.
Covered Entities under HIPAA are individuals or entities that transmit Protected Health Information for transactions for which the Department of Health and Human Services has adopted standards.
Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization.
Covered entities under HIPAA include Health Plans, Healthcare Providers, and Healthcare Clearinghouses.
Healthcare Providers: the category includes providers such as hospitals, clinics, doctors, psychologists, dentists, chiropractors, nursing homes, pharmacies, home health agencies, and other providers of healthcare that transmit health information electronically.
Health Plans: the category includes health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare, for example), and military and veterans’ health programs.
Healthcare Clearinghouses: the category includes organizations that process non-standard health information and convert it into a form that conforms to the standards outlined in the HIPAA Administrative Simplification Regulations (i.e. standard electronic format or data content, or vice versa).
A Business Associate can be an individual or a company that provides services to a HIPAA-Covered Entity, which requires them to have access to, store, use, or transmit Protected Health Information – third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.
Prior to a Business Associate being given PHI, or access to systems containing PHI, they must enter into a HIPAA-compliant Business Associate Agreement with the Covered Entity. A business associate agreement is a contract in which the responsibilities of the Business Associate with respect to HIPAA and PHI are described.
Subcontractors can be an individual or a company that provides services to HIPAA Business Associates and is limited to processing data as permitted by its agreements with those Business Associates.
The Business Associate category therefore covers entities that perform functions or activities involving the use or disclosure of Protected Health Information on behalf of, or provide services to, Covered Entities.
Still confused about which category you fall under? Contact us and our consultants will guide you.
What are the Requirements of HIPAA Compliance?
Despite the intentionally vague HIPAA requirements, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.
All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be chronicled in case a breach of PHI occurs and an investigation takes place to establish how the breach happened.
- Privacy Rule
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. Since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of Covered Entities. The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
- Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data.
There are three parts to the HIPAA Security Rule:
– Physical Safeguard
Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA-Covered Entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access.
– Administrative Safeguard
Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together, ensuring that there is a governance in place in organizations dealing with ePHI. These safeguards help ensure that people are aware of the risks and outcomes related to breach of HIPAA requirements if the prescribed set of rules and guidelines implemented are not followed.
– Technical Safeguard
Technical Safeguards concern the technology that is used to protect ePHI and provide access to this data. An example of this stipulation is that ePHI – whether at rest or in transit – must be encrypted, so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.
- Breach Notification Rule
The HIPAA Breach Notification Rule requires Covered Entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than five hundred patients.
HIPAA Violation Penalties
HIPAA settlements are hard to keep track of; that’s why we’ve created this simple directory of large-scale HIPAA fines listed by year. All information on HIPAA violation cases is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
To comply with HIPAA, consult with our team. We guide, train, implement, verify and certify organizations that deal with, or have any level of exposure to, ePHI. Contact us!