The Health Insurance Portability and Accountability Act (HIPAA) is a set of security standards designed to safeguard protected health information (PHI) from being disclosed without the patient's knowledge or authorization. But since its inception in 1996, HIPAA seems to have led to more questions than answers. When the HIPAA Privacy and Security Rules were released in 1999, the US Department of Health and Human Services (HHS) was flooded with questions and comments about them. There was widespread misunderstanding and confusion over the rules' complexity and how they would operate.
Over the years, the HHS has provided more information about the Privacy and Security Rules; however, questions about the requirements and regulations still remain. This article offers some insight into the most frequently asked questions about HIPAA certification.
A HIPAA certification means a covered entity or business associate understands and complies with the HIPAA privacy and security rules. These healthcare providers or organizations have undergone and passed a third-party HIPAA assessment and have implemented security policies and measures to ensure the safety of PHI.
PHI is data that describes a patient's past, present, or future health condition, or any private information that can be used to identify or locate them, such as birth date, address, and phone number.
The HIPAA Privacy Rule was created to protect a patient's medical records and other personal health information. It applies to healthcare providers, health plans, and healthcare clearinghouses that perform healthcare transactions electronically. The Privacy Rule stipulates that covered entities and business associates must ensure the safety of patient information by implementing safeguards and policies on how PHI is used and disclosed.
The HIPAA Security Rule is a set of national security standards designed to safeguard electronic protected health information (ePHI) that is created, transmitted, received, and stored by a healthcare provider. All covered entities must implement administrative, technical, and physical safeguards to ensure the security and confidentiality of ePHI.
All covered entities and business associates that process, store, transmit, and receive patient information must comply with HIPAA regulations.
Covered entities are individuals or companies that transmit PHI for healthcare status, payment and remittance, healthcare claims, enrollment and disenrollment, coordination of benefits, eligibility checks, referral certification and authorization, and fund transfers. HIPAA categorizes covered entities into three groups:
A business associate is an entity or individual that performs tasks involving the use or disclosure of PHI on behalf of a covered entity. Some examples include:
Healthcare or third-party providers that violate HIPAA regulations can be fined up to $1,754,698 or imprisoned for up to 10 years, depending on the severity of the violation.
HITRUST is an organization that helps companies achieve HIPAA compliance. It created and manages the Common Security Framework, which harmonizes HIPAA standards with other standards such as those developed and implemented by the National Institute of Standards and Technology, the Information Commissioner's Office, and the Payment Card Industry Security Standards Council.
Healthcare and third-party providers looking to get HIPAA certified need to perform a risk assessment, train their employees, and implement the policies and procedures stated in the privacy and security rules.
A risk assessment is a process that identifies an organization's administrative, technical, and physical risks that need to be addressed to keep patient information safe.
A BAA (business associate agreement) is a written contract that a business associate must sign before working with a covered entity to ensure the safety and security of PHI. It requires business associates to implement safeguards that prohibit the unauthorized disclosure and use of patient information. A healthcare institution that enters a partnership with a business associate without signing a BAA is subject to the penalties stated under HIPAA regulations.
Achieving HIPAA certification can be daunting, especially if you don't know where to start. This is why you need to partner with a trusted managed IT services provider like Charles IT. Our IT specialist will review your infrastructure and pinpoint potential weaknesses that can put PHI at risk. Call us now to learn more.