+91 9324813180
+1 4847906355
+63 9208320598
+44 1519470017
+84 908370948
+7 9639173485
+62 81808037776
+90 5441016383
+66 993367171
+254 725235855
+256 707194495
+46 700548490
Health Insurance Portability and
Accountability Act of 1996 (HIPAA) is a federal law, mainly focused on
protecting sensitive patient health information from being disclosed without
the patient's consent or knowledge. The law that provides baseline privacy and
security standards for medical information of US citizens and included
Administrative Simplification provisions that required HHS to adopt national
standards for electronic health care transactions and code sets, unique health
identifiers, and security
Healthcare information regulated by HIPAA
is called protected health information (PHI). PHI is any demographic
information that can be used to identify a patient. PHI can include a patient’s
name, address, Social Security Number, insurance ID number, medical record,
full facial photograph, and others.
HIPAA compliance involves fulfilling the
requirements of the HIPAA of 1996, it’s subsequent amendments, and any related
legislation such as the Health Information Technology for Economic and Clinical
Health (HITECH) Act.
Applicability of HIPAA
Under HIPAA regulation, there are two
classes of healthcare organizations that must be HIPAA compliant. These are:-
Covered Entity- A covered entity is a
health care provider, a health insurance plan or a health care clearing houses
whose activity is to creates, maintains or transmits PHI. Most health care
providers employed by a hospital are not covered entities. The hospital is the
covered entity and responsible for implementing and enforcing HIPAA complaint
policies. Examples like
Business Associate- Person or business that
provides a service to or performs a certain function or activity for a covered
entity when that service, function or activity involves the business associate
having access to PHI maintained by the covered entity. Examples like IT Managed
Services, Hosting providers, Medical Transcription Services, Billing Services
etc.,
HIPAA Rules:
Since HIPAA legislation passed in 1996,
Department of Health and Human Services (HHS) added multiple Rules to protect
patients Privacy and Security of the patients data.
HIPAA rules that require healthcare organizations — and their business associates — to protect patient privacy and secure patient data by ensuring technical, physical, and administrative safeguards are in place and adhered to, that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and that – should a breach of PHI occur – they follow the procedure in the HIPAA Breach Notification Rule.
HIPAA Compliance required on the following rules.
- Security Rule
- Technical Safeguards
- Physical Safeguards
- Administrative Safeguards - Privacy Rule
- Breach Notification Rule
- Omnibus Rule
- Enforcement Rule
The Security Rule sets national standards for protecting the confidentiality,
integrity, and availability of electronic protected health information.
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearing houses and – from 2013 – the Business Associates of covered entities.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
Breach Notification Rule:
The HIPAA Breach Notification Rule sets
standards for the process that covered entities and business associates must
follow in the event of a breach. The HIPAA Breach Notification Rule requires
covered entities to notify patients when there is a breach of their ePHI. The
Breach Notification Rule also requires entities to promptly notify the Department
of Health and Human Services of such a breach of ePHI and issue a notice to the
media if the breach affects more than five hundred patients.
Omnibus Rule:
HHS enacted the final Omnibus Rule in 2013 to address policy gaps in
earlier HIPAA rules. Most notably, the Omnibus Rule defines the role of
business associates, which were not previously subject to HIPAA rules, and
outlines the criteria for Business Associate Agreements (BAAs) which must be
executed between organizations sharing PHI before any information is
transferred, handled, or maintained.
Enforcement Rule:
The Enforcement Rule empowers HHS to enforce the Privacy and
Security Rules. It gives OCR the authority to investigate HIPAA complaints,
conduct compliance reviews, perform education and outreach, and levy fines of up to $1.5 million. OCR also works with the
Department of Justice to refer possible criminal violations of HIPAA. Read more about HIPAA Rules
Steps to became HIPAA Compliant:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding
promptly to detected offenses and undertaking corrective action.
Need more insights ? Get in touch with our experts for any queries on HIPAA Assessment and Compliance.
.jpg "Data Privacy Day: Understanding Privacy and key aspects")
.jpg "Trust: Built on Compliance and Accountability")
