A Layperson’s Guide to HIPAA Compliance
The acronym HIPAA stands for the Health Insurance Portability and Accountability Act, which was signed into law in 1996 to protect sensitive patient information in response to the growing use of electronic records. Although the act has multiple sections, references to HIPAA compliance generally focus on Title II, which sets out the procedures for the electronic management of health records and information.
HIPAA Title II Requirements
Title II lists several rules and procedures that must be followed in order to be compliant. These rules include:
- The requirement that all healthcare entities have and use a specific 10-digit identification number, called a national provider number, or NPI.
- The standardization of systems for processing insurance claims electronically.
- The HIPAA Privacy Rule, which establishes national standards for the handling of private health records. This rule is officially known as the Standards for Privacy of Individually Identifiable Health Information.
- The HIPAA Security Rule, or officially The Security Standards for the Protection of Electronic Protected Health Information, which outlines the standards for data security.
- The HIPAA Enforcement Rule, which determines how HIPAA compliance violations are investigated and how the rules are enforced.
The overall intent of all of these rules is to make sure that patient health information is handled in a secure way. The Privacy Rule and the Security Rule are the two most important areas of compliance for healthcare entities, because they spell out what an entity must do to remain compliant.
HIPAA Compliance: Privacy and Security Rules
The safeguards outlined in Title II, mainly in the Privacy and Security Rules, can be broken down into a list of procedures that healthcare entities must follow in order to be considered compliant. These apply to all companies that host healthcare data.
The Privacy Rule outlines how patient information can be shared, as required, with healthcare organizations for insurance and billing purposes. It governs how all HIPAA-covered entities should handle patient information and how and when they can share it. This section of Title II also gives patients the right to access their own medical records.
Under the Privacy Rule, doctors must disclose to patients all information regarding where and how their private data has been shared. The rules apply to all healthcare entities, including those contracted to perform services on their behalf.
The Security Rule covers the ways in which patient data must be handled in order to restrict access to records. It can be broken down into two main parts: physical rules and technical rules.
The physical security rules govern actual physical access to health care records. In order to be HIPAA compliant, healthcare entities must restrict access to facilities where medical records are kept. Policies and procedures must be in place that limit access to workstations and govern the handling of any electronic media.
The technical security rules focus on preventing unauthorized electronic access to data. This includes the use of unique user IDs, encryption of data, log-in and log-off procedures, and emergency procedures. Technical requirements also include the secure backing up of all data and measures for data recovery. Finally, there are technical requirements for the transmission of data over secure networks.
HIPAA Violations
A healthcare entity that is not compliant with all of the HIPAA rules can face serious consequences. A 2009 addition to the HIPAA rules increased the penalties for violations; fines can reach up to $1.5 million. Violations can also result in criminal and civil proceedings against the organization, as well as fees and fines stemming from a HIPAA compliance audit of the company.
In the event of a data breach, healthcare organizations are required by law to notify everyone whose personal information was involved. The Office for Civil Rights (OCR) conducts audits in order to determine whether there has been a violation.
HIPAA compliance is one of the most vital parts of running any healthcare organization, or any healthcare-related company that falls under the jurisdiction of the law. Patient privacy has become an even more serious matter as the use of electronic record keeping has increased, and failure to be in compliance can be a costly mistake.