7 things you need to know about the HIPAA compliance certification


Privacy is a fundamental human right, especially when it comes to sensitive information such as patient health records. As digital transformation continues to drive change throughout the healthcare sector, there is a clearer and greater need than ever for organizations to pay close attention to information security, privacy, and confidentiality. That is where the Health Insurance Portability and Accountability Act (HIPAA) comes in.

Here are the main things you need to know about the HIPAA compliance certification:

What is a HIPAA compliance certification?

Although there is no officially mandated HIPAA certification process or formal accreditation, it would certainly make things easier for organizations if there were. In fact, HIPAA is quite vague when it comes to the implementation of privacy, security, and breach notification controls. This is partly because the legislation has been in place since 1996, when the information technology landscape looked very different from how it does today.

That said, there are ways to demonstrate your efforts to comply with the standards mandated by HIPAA. Even though there are no formal certifications, you can and should consider getting a third-party audit to ensure that your privacy and security practices match up with the HIPAA requirements. By informally becoming HIPAA-certified in this manner, you can validate your efforts to earn the trust of your clients or patients.

#1. What is protected health information?

Protected health information (PHI) refers to any health-related information that can be used to identify the individual it pertains to. HIPAA defines 18 identifiers, including names, contact information, and Social Security numbers. If health information includes one or more of these identifiers, then it must be treated to the highest possible standards of privacy and security. It only ceases to be PHI once all of these identifiers are removed, which anonymizes it. Anonymized health information is not subject to the HIPAA rules.

#2. Who needs a HIPAA IT certification?

Every organization that handles PHI needs to be compliant, even though there is no formal HIPAA IT certification. The rules apply to two groups: covered entities and business associates. Covered entities include healthcare providers, health insurance providers, and clearinghouses. Business associates are much broader in scope, since they include any party that handles PHI on behalf of a covered entity, such as IT service providers, accounting firms, attorneys, or consultancy firms.

#3. Do you need a training program?

Most threats to information security are of a human nature, such as social engineering scams that use digital communications to dupe victims into divulging sensitive information. A security program is only as effective as people are at following the rules, hence the need for a training program. Again, although there is no standard HIPAA training program, covered entities and business associates must make every reasonable effort to train their teams in patient privacy and information security.

#4. Can you be subject to a mandatory audit?

Most organizations undergo a third-party audit to ensure they are HIPAA-compliant. However, if there is any suspicion of a breach of compliance, the organization in question may be subject to a mandatory HHS audit which could, in the case of failure, result in substantial fines. This is why it is always better to take a proactive stance and work with a third-party compliance auditor and consultant beforehand. While this will not absolve you of your legal obligations, it does help ensure you have addressed the many complexities of the legislation.

#5. What are the breach notification rules?

If any PHI is compromised whilst in your care, then the breach notification rule legally obliges you to inform the relevant parties – namely the patients whose information may have been compromised. For breaches involving the identities of more than 500 individuals, you will also need to inform the HHS, and a prominent local media outlet serving your state or jurisdiction. These notifications must be made ‘without unreasonable delay’ or within 60 calendar days of the breach being detected.

#6. How long are you allowed to keep PHI?

Covered entities must retain PHI for at least six years after their date of creation or their last effective day – whichever is longer. They must also retain all documented assessments and activities pertaining to their compliance efforts, an archive of any breach notifications, and an up-to-date list of all parties responsible for overseeing and maintaining compliance. Business associates  

#7. What are the technical requirements?

HIPAA defines the necessary technical safeguards across several key areas: access control, audit controls, information integrity, person or entity authentication, and transmission security. On top of these are a wide range of physical and organizational safeguards you need to take, as well as policies and procedures regarding the correct usage of PHI. Most importantly, PHI should always be encrypted, whether at rest or in transit, and all systems that handle it should be protected by multiple layers of defense, such as multifactor authentication.
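To make three of those safeguard areas concrete (access control, person or entity authentication, and audit controls with integrity), here is an added illustration that is not part of the original article and is not Charles IT's code. It models a PHI read path that only succeeds for an authenticated, MFA-verified session in an authorized role, and it writes every attempt, allowed or denied, to an HMAC-chained audit log so that later tampering with or deletion of log entries is detectable. The record layout, role names, patient identifiers and the audit key are all constructed for the example; in a real deployment the key would come from a key management service rather than source code, and the PHI itself would additionally be encrypted at rest, which this stdlib-only example does not show.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical audit-log key. Constructed for this example; a real system
# keeps it in a KMS/HSM so that log entries cannot be re-signed by an attacker.
AUDIT_KEY = b"example-audit-key-not-for-production"

# Constructed sample PHI store (hypothetical record layout, fake data).
PHI_RECORDS = {
    "patient-001": {"name": "Jane Example", "diagnosis": "example-dx"},
}

# Hypothetical role map: only these roles may read PHI (access control).
ROLES_WITH_PHI_ACCESS = {"clinician", "billing"}

GENESIS = "0" * 64  # chain anchor for the first audit entry


@dataclass
class Session:
    """An authenticated user session. mfa_verified models the second factor."""
    user: str
    role: str
    mfa_verified: bool


@dataclass
class AuditLog:
    """Append-only log where each entry's MAC covers the previous entry's MAC."""
    entries: list = field(default_factory=list)
    last_mac: str = GENESIS

    @staticmethod
    def _mac(prev: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True)  # canonical form
        return hmac.new(AUDIT_KEY, (prev + payload).encode(), hashlib.sha256).hexdigest()

    def record(self, event: dict) -> None:
        mac = self._mac(self.last_mac, event)
        self.entries.append({"event": event, "prev": self.last_mac, "mac": mac})
        self.last_mac = mac

    def verify(self) -> bool:
        """Re-walk the chain; any edited, reordered or removed entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            expected = self._mac(prev, entry["event"])
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return prev == self.last_mac


def read_phi(session: Session, patient_id: str, log: AuditLog) -> Optional[dict]:
    """Return a PHI record only for an MFA-verified session in an authorized role.

    Every attempt is logged, including denials, because audit controls must
    show who tried to reach PHI, not just who succeeded.
    """
    allowed = (
        session.mfa_verified
        and session.role in ROLES_WITH_PHI_ACCESS
        and patient_id in PHI_RECORDS
    )
    log.record({
        "user": session.user,
        "role": session.role,
        "patient": patient_id,
        "action": "read",
        "mfa": session.mfa_verified,
        "allowed": allowed,
        # A production log would also carry a timestamp and source address.
    })
    return PHI_RECORDS[patient_id] if allowed else None


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi(Session("alice", "clinician", True), "patient-001", log))   # record
    print(read_phi(Session("bob", "clinician", False), "patient-001", log))    # None: no MFA
    print(read_phi(Session("carol", "marketing", True), "patient-001", log))   # None: wrong role
    print("log intact:", log.verify())
```

The chaining is what turns a plain log into an audit control: an attacker who can edit the log file can change one entry, but cannot recompute the MACs without the key, so `verify()` will flag the change. Periodically re-verifying the chain, and shipping the entries to a separate system the PHI application cannot write to, is the usual next step.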

Charles IT helps businesses achieve and maintain compliance with HIPAA regulations to drive digital transformation without adding unnecessary risk. Get in touch today to learn more.
