What Is HIPAA Certification? Frequently Asked Questions

The Health Insurance Portability and Accountability Act (HIPAA) is a set of security standards designed to safeguard protected health information (PHI) from being disclosed without the patient's knowledge or authorization. But since its inception in 1996, HIPAA seems to have led to more questions than answers. When HIPAA released its Privacy and Security Rules in 1999, the US Department of Health and Human Services (HHS) was flooded with questions and comments about it. There was so much misunderstanding and confusion over the rules' complexity and how they would operate.

Over the years, the HHS has provided more information about the privacy and security rules, however, questions about the requirements and regulations still remain. This article will offer some insight into the most frequently asked questions about HIPAA certification.

1. What is HIPAA certification?

A HIPAA certification means a covered entity or business associate understands and complies with the HIPAA privacy and security rules. These healthcare providers or organizations have undergone and passed a third-party HIPAA assessment and have implemented security policies and measures to ensure the safety of PHI.

2. What is PHI?

PHI is data that contains a patient's past, present, and future health condition or any private information that can be used to identify or locate them such as, birth date, address, and phone number.

3. What is the Privacy Rule?

The HIPAA Privacy Rule was created to protect a patient's medical records and other personal health information. It applies to healthcare providers, health plans, and healthcare clearinghouses that perform healthcare transactions electronically. The Privacy Rule stipulates that covered entities and business associates must ensure the safety of patient information by implementing safeguards and policies on how PHI is used and disclosed.

4. What is the Security Rule?

The HIPAA Security Rule is a set of national security standards designed to safeguard electronic protected health information (ePHI) that is created, transmitted, received, and stored by a healthcare provider. All covered entities must implement administrative, technical, and physical safeguards to ensure the security and confidentiality of ePHI.

5. Who must comply with HIPAA regulations?

All covered entities and business associates that process, store, transmit, and receive patient information must comply with HIPAA regulations.

6. What are covered entities?

Covered entities are individuals or companies that transmit PHI for healthcare status, payment and remittance, healthcare claims, enrollment and disenrollment, coordination of benefits, eligibility checks, referral certification and authorization, and fund transfers. HIPAA categorizes covered entities into three groups:

• Healthcare providers, including clinics, doctors, dentists, pharmacies, and nursing homes
• Healthcare plans such as health insurance companies, HMOs, and company health plans
• Healthcare clearinghouses like companies or individuals that process nonstandard health information into standard format, and vice versa

7. What are business associates?

Business associates refer to an entity or individual that performs tasks involving the use or disclosure of PHI on behalf of a covered entity. Some examples include:

• A medical transcriptionist
• An IT consultant
• A billing or coding company
• A law office that requires access to patient information
• An accounting firm
• A medical device manufacturer

8. What are the penalties for violating HIPAA regulations?

Healthcare or third-party providers that violate HIPAA regulations can be fined up to $1,754,698 or imprisoned for up to 10 years, depending on the severity of the violation.

9. What is the Health Information Trust Alliance (HITRUST) and how is it related to HIPAA?

HITRUST is an organization that helps companies achieve HIPAA compliance. It created and manages the Common Security Framework, which harmonizes HIPAA standards with other standards such as those developed and implemented by the National Institute of Standards and Technology, the Information Commissioner's Office, and the Payment Card Industry Security Standards Council.

10. How can my business become HIPAA-certified?

Healthcare and third-party providers looking to get HIPAA certified need to perform a risk assessment, train their employees, and implement the policies and procedures stated in the privacy and security rules.

11. What is a risk assessment?

A risk assessment is a process that identifies an organization's administrative, technical, and physical risks that need to be addressed to keep patient information safe.

12. What is a business associate agreement (BAA)?

A BAA is a written contract that a business associate needs to sign before working with a covered entity to ensure the safety and security of PHI. It requires business associates to implement safeguards to prohibit the unauthorized disclosure and use of patient information. A healthcare institution that enters a partnership with a business associate without signing a BAA is subject to the penalties stated under HIPAA regulations.

Achieving HIPAA certification can be daunting, especially if you don't know where to start. This is why you need to partner with a trusted managed IT services provider like Charles IT. Our IT specialist will review your infrastructure and pinpoint potential weaknesses that can put PHI at risk. Call us now to learn more.