A guide to HIPAA IT certification: 5 things you need to understand
In 1996, the federal government introduced the health insurance portability and accountability act (HIPAA) to protect employees and their families from losing their health coverage when changing jobs. However, the legislation also has a secondary purpose, that being to protect the privacy and security of protected health information (PHI).
While medical records should be kept private for obvious reasons, that isn’t the only reason why the law is important. The healthcare sector is a top target for cybercriminals, who usually view it as an easy target. Moreover, medical records contain a wealth of valuable information to the point they’re worth much more on the dark web markets than stolen bank cards.
What is a HIPAA IT certification?
Because HIPAA compliance is an ongoing process that needs to continuously adapt to new technology and demands, there is no such thing as a formal HIPAA IT certification. However, it is possible to obtain proof of your efforts to achieve compliance by partnering with a reputable third-party consultancy firm.
HIPAA requires comprehensive documentation, which itself serves as a certification in some respects. By documenting your compliance efforts, including your training programs and an up to date overview of your security and privacy controls, you can prove to HHS auditors, as well as your clients and patients, that you take compliance seriously.
#1. What sort of information is protected by HIPAA?
HIPAA concerns all protected health information (PHI), including the systems used to store and transmit it and the administrative policies intended to regulate it. PHI covers individually identifiable information relating to the health status of an individual. This includes things like diagnoses, medical test results, prescription information, and treatment information. HIPAA is relevant to both physical and electronic records, though the latter is often referred to as ePHI.
Anonymous health information is neither covered nor regulated, so removing any personally identifiable information from records allows for disclosure without restrictions. Also, HIPAA does not relate to educational or employment records, though these may be protected by other regulations.
#2. Are you a covered entity or a business associate?
When embarking on your HIPAA compliance journey, the most important thing to understand is the difference between covered entities and business associates. Both must be compliant, but the way they are administered differs. For example, the HIPAA privacy rules only apply to covered entities, though the security rules apply to everyone.
Covered entities include healthcare providers, health insurance companies, clearinghouses, and government programs that pay for healthcare. Business associates, on the other hand, are a far broader group, since they include any third party that carries out activities on behalf of a covered entity, such as IT service providers and accounting firms.
#3. Do you need a third-party HIPAA IT certification?
Contrary to popular belief, there is no such thing as a formal HIPAA certification. Compliance is meant to be a continuous process incorporating employee awareness training, as well as many other ongoing activities. Healthcare systems change and evolve all the time, as do the processes used to govern them.
Despite the lack of formal accreditations, passing a third-party HIPAA audit does demonstrate your efforts to achieve compliance. This ensures that covered entities and business associates don’t leave themselves exposed to litigation. For business associates, proof of compliance will also open up the path to more lucrative contracts.
#4. What are the rules for disclosing PHI?
Protecting patient privacy is one of the core tenets of HIPAA. The Privacy Rule stipulates that no covered entity may disclose protected health information without first meeting requirements enshrined in law. Under ordinary circumstances, PHI may only be disclosed to the person that it pertains to.
There are several exceptions, such as asking the patient for permission to disclose their PHI or failure to disclose the information is deemed detrimental to public or individual health. There are many of these public interest- and benefit-related exceptions, including those concerning legal proceedings and law enforcement.
#5. What are the minimum security requirements?
The HIPAA Security Rule applies to both covered entities and business associates, specifically to electronic PHI as it is stored and transmitted. The general rules cover the confidentiality, integrity, and availability of PHI, the identification of reasonably anticipated threats against it, and the responsibility to mitigate these threats.
The Security Rule is complex, but technically vague, so it’s generally better to use a security program based on the principles of an industry-standard framework like the one provided by the NIST. This will enable you to meet the administrative, technical, and physical safeguards of the Security Rule. However, the entire process should start with a comprehensive risk analysis.
Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.