From the DATASHIELD Resource Library:
Learn the basics you need to know about HIPAA, including the Privacy, Security and Breach Notification Rules.
Nov 5, 2019
The Health Insurance Portability and Accountability Act (HIPAA) is a well-known piece of US legislation that establishes national privacy and security requirements for individuals' medical information held by organizations in health care. The original statute was enacted in 1996; the detailed obligations came later, through regulations issued by the Department of Health and Human Services (HHS) under it: the Privacy Rule (published in 2000) and the Security Rule (published in 2003). In 2009 the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act (ARRA), strengthened enforcement, extended obligations directly to business associates and added the Breach Notification Rule.
What this means for hospital administrators, practice managers, general practitioners and anyone else in the healthcare industry is that they must comply with rules specifically concerning the protection of patient health data, including the payment information that goes with it.
This article is a brief introduction to HIPAA and covers the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule.
The HIPAA Privacy Rule stipulates how Protected Health Information (PHI) may be used and disclosed. If you are an individual or organization that transmits health information electronically in connection with HIPAA standard transactions (claims, eligibility checks, payment and the like), you are subject to the Privacy Rule.
Those subjects, called "covered entities", include a broad variety of healthcare providers, health plans and healthcare clearinghouses. Such entities must give individuals a notice of privacy practices explaining how their PHI will be used and disclosed, must keep an accounting of certain PHI disclosures so they can report them on request, and must document their privacy policies and procedures.
The Privacy Rule also gives patients the right to inspect and obtain a copy of their health records on request, and the right to ask the covered entity to amend PHI it holds. The Privacy Rule covers PHI in any form, not only electronic records: paper files, x-rays, physician appointment schedules, medical bills, dictated notes, spoken conversations and information on patient portals are all in scope.
The HIPAA Security Rule introduces national standards for protecting electronic protected health information (ePHI) that covered entities create, receive, maintain or transmit. It applies to all ePHI wherever it lives, whether on servers, workstations, removable media or mobile devices, and requires administrative, physical and technical safeguards, starting with a documented risk analysis. Mobile devices are a frequent source of incidents because a lost, stolen or compromised phone or laptop can expose ePHI to unauthorized third parties, which is why device encryption and remote wipe are common Security Rule controls.
The risk of medical identity theft is growing as connected medical equipment and mobile devices are widely adopted across the healthcare industry. Stolen health records can also contain other personal information, banking details and credentials, so the consequences for the patient can be severe. The "hacking" scenario is a growing concern for regulators and healthcare organizations alike, and it is one reason the Breach Notification Rule was added under HITECH.
Data breaches occur even at organizations that follow good security practices. Should a breach of unsecured PHI happen, the covered entity must notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered, and must notify the Secretary of Health and Human Services; breaches affecting 500 or more individuals are reported to HHS within the same 60-day window (and, where they affect residents of one state or jurisdiction, to prominent media), while smaller breaches are logged and reported to HHS annually. One important caveat for practitioners: PHI that was encrypted in line with HHS guidance is considered "secured", so loss of a properly encrypted device does not by itself trigger these notifications, provided the decryption key was not also compromised.
The breach rules apply to business associates of a covered entity as well. A business associate that discovers a breach in the systems it uses to store or process PHI on the covered entity's behalf must notify the covered entity without unreasonable delay (and within 60 days of discovery), so that the covered entity can in turn notify individuals and HHS.
This makes it genuinely challenging for a larger healthcare organization, which has to protect health information at every step and across its entire supply chain of sub-contractors and partners, each of which must be bound by a business associate agreement (BAA) before it handles PHI.
Mastering the HIPAA requirements is a real challenge for small and large healthcare organizations alike. Some large organizations handle these complex regulations entirely in-house, but that is rarely practical for smaller entities and individual healthcare practitioners.
A practical approach for such organizations is to adopt a mix of standalone and SaaS solutions from vendors that will sign a BAA and take on the storage and protection of the health information. Note that this shares responsibility rather than transferring it: the vendor becomes a business associate with its own HIPAA obligations, but the covered entity remains responsible for choosing the vendor, executing the BAA, configuring the service correctly and responding when the vendor reports a breach.
At DATASHIELD we help IT teams stay in front of the changes to HIPAA compliance, specifically the HITECH Act. Ensuring that proper policies, procedures and, most importantly, reporting are in place to stay within regulatory guidelines is a core part of our service offering. We also help organizations maintain the proper retention standards, including creating strategies around data loss prevention. Contact Us to learn more.