The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law focused mainly on protecting sensitive patient health information from being disclosed without the patient's consent or knowledge. The law provides baseline privacy and security standards for the medical information of US citizens. Its Administrative Simplification provisions required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.
Healthcare information regulated by HIPAA is called protected health information (PHI). PHI is any demographic information that can be used to identify a patient. PHI can include a patient's name, address, Social Security Number, insurance ID number, medical record, and full facial photograph, among other identifiers.
HIPAA compliance involves fulfilling the requirements of HIPAA itself, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Applicability of HIPAA
Under HIPAA regulation, there are two classes of healthcare organizations that must be HIPAA compliant:
Covered Entity - A covered entity is a health care provider, a health insurance plan, or a health care clearinghouse that creates, maintains, or transmits PHI. Most health care providers employed by a hospital are not themselves covered entities; the hospital is the covered entity and is responsible for implementing and enforcing HIPAA-compliant policies. Examples like
Business Associate - A person or business that provides a service to, or performs a function or activity for, a covered entity, where that service, function, or activity involves the business associate having access to PHI maintained by the covered entity. Examples include IT managed services, hosting providers, medical transcription services, and billing services.
Since the HIPAA legislation passed in 1996, the Department of Health and Human Services (HHS) has added multiple Rules to protect the privacy and security of patient data.
The HIPAA Rules require healthcare organizations, and their business associates, to protect patient privacy and secure patient data by ensuring that technical, physical, and administrative safeguards are in place and adhered to; to comply with the HIPAA Privacy Rule in order to protect the integrity of PHI; and, should a breach of PHI occur, to follow the procedure set out in the HIPAA Breach Notification Rule.
HIPAA compliance requires adherence to the following rules:
- Security Rule
  - Technical Safeguards
  - Physical Safeguards
  - Administrative Safeguards
- Privacy Rule
- Breach Notification Rule
- Omnibus Rule
- Enforcement Rule
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and, from 2013, the Business Associates of covered entities.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
Breach Notification Rule:
The HIPAA Breach Notification Rule sets standards for the process that covered entities and business associates must follow in the event of a breach. The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than five hundred patients.
HHS enacted the final Omnibus Rule in 2013 to address policy gaps in earlier HIPAA rules. Most notably, the Omnibus Rule defines the role of business associates, which were not previously subject to HIPAA rules, and outlines the criteria for Business Associate Agreements (BAAs), which must be executed between organizations sharing PHI before any information is transferred, handled, or maintained.
The Enforcement Rule empowers HHS to enforce the Privacy and Security Rules. It gives the Office for Civil Rights (OCR) the authority to investigate HIPAA complaints, conduct compliance reviews, perform education and outreach, and levy fines of up to $1.5 million. OCR also works with the Department of Justice to refer possible criminal violations of HIPAA.
Steps to become HIPAA compliant:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Need more insights? Get in touch with our experts for any queries on HIPAA assessment and compliance.