HIPAA: A Primer And A Reminder For Those In Healthcare
By Vikash Kumar, manager, Tatvasoft.
Emerging technology has transformed one field after another, from communication to banking and shopping. Healthcare, however, lagged behind, because many believed it was too complicated to fix. That is simply not true. Now, more than ever, technology has not only improved the patient experience but also removed unnecessary cost from the healthcare system.
To maintain standards of care and improve outcomes for patients, hospitals and medical centers, technology is providing ever-smarter tools. HIPAA was enacted by the U.S. Congress in 1996 to address the growing technological changes and the problems that came with them. The HIPAA Privacy Rule restricts how medical and personal information may be stored, accessed and shared. The HIPAA Security Rule, in turn, sets national standards for protecting health data that is created, received, maintained or transmitted electronically (ePHI, electronic protected health information).
Apart from this, there are a few primary components one needs to be concerned with:
The Privacy Rule defines what qualifies as PHI (protected health information) and who is responsible for ensuring that it is not disclosed improperly. It applies to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards. Beyond covered entities, the Privacy Rule also reaches business associates (anyone who stores, collects, maintains, or transmits protected information on behalf of a covered entity).
The Security Rule, on the other hand, relates specifically to electronic information and sets guidelines for how to secure PHI. Its safeguards fall into three main categories: administrative, physical and technical. As the names imply, administrative safeguards revolve around access policies and training, physical safeguards cover the actual devices and facilities, and technical safeguards relate to the data itself.
The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. The rule distinguishes two kinds of breaches: minor breaches and meaningful breaches. Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific reporting protocol depends on the type of breach.
Omnibus Rule: This rule was enacted in order to apply HIPAA to business associates, in addition to covered entities. According to the rule, business associates must be HIPAA compliant.
Need for HIPAA compliance
According to HIPAA regulation, two types of organizations must be HIPAA compliant.
- Covered entities — A covered entity can be simply defined as any organization that collects, creates or transmits PHI electronically. These include health care providers, health care clearinghouses, and health insurance providers.
- Business associates — Any organization that encounters PHI in any way over the course of work it has been contracted to perform on behalf of a covered entity. Common examples include billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants and many more.
What constitutes a HIPAA compliant data center?
First, all covered entities and their business associates must be HIPAA compliant and have policies governing the use of, and access to, workstations and electronic media. This includes transferring, removing, disposing of and re-using electronic media.
Second, only authorized persons may access electronic protected health data. Access control includes unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
Third, integrity controls are measures put in place to confirm that ePHI has not been altered or destroyed, so that media errors or failures can be quickly remedied and patient health information recovered accurately and intact.
Fourth, transmission security covers every method of transmitting data, whether by email, over the Internet, or even over a private network such as a private cloud.
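The second and third points above name controls without showing what they look like in code. The following is an added example, not code from the original article or from Tatvasoft, of two of those technical safeguards: an integrity control that tags each ePHI record with a keyed HMAC so that any alteration is detected on read, and an access-control layer with individual user IDs, an audit trail, and automatic log-off after an idle period. The key, the user IDs, the 900-second timeout and the patient record are all constructed sample values.

```python
"""Added example of HIPAA technical safeguards: record integrity tags and
access control with unique user IDs and automatic log-off. Not from the
original article; all identifiers and values below are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key. In a real deployment the key comes from a secrets
# manager or HSM and is never embedded in source.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


# ---- Integrity control: keyed MAC stored alongside each ePHI record ---------

def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag computed when the record is written."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed (constant-time compare)."""
    return hmac.compare_digest(seal_record(record, key), tag)


# ---- Access control: unique user IDs, automatic log-off, audit trail --------

@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds, from whatever clock the caller uses


@dataclass
class AccessControl:
    idle_timeout: float          # seconds of inactivity before automatic log-off
    authorized: set              # individual (never shared) user IDs allowed to read ePHI
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def login(self, user_id: str, now: float) -> bool:
        """Start a session for an authorized individual; every attempt is audited."""
        if user_id not in self.authorized:
            self.audit_log.append((now, user_id, "LOGIN_DENIED"))
            return False
        self.sessions[user_id] = Session(user_id, now)
        self.audit_log.append((now, user_id, "LOGIN"))
        return True

    def read_record(self, user_id: str, record_id: str, now: float) -> bool:
        """Grant a read only to a live, non-idle session; idle sessions are closed."""
        session = self.sessions.get(user_id)
        if session is None:
            self.audit_log.append((now, user_id, f"DENIED_NO_SESSION {record_id}"))
            return False
        if now - session.last_activity > self.idle_timeout:
            # Automatic log-off: the idle session is closed and this request refused.
            del self.sessions[user_id]
            self.audit_log.append((now, user_id, "AUTO_LOGOFF"))
            return False
        session.last_activity = now
        self.audit_log.append((now, user_id, f"READ {record_id}"))
        return True


def demo():
    """Walk through both safeguards on constructed data; returns four booleans."""
    record = {"patient_id": "P-0001", "diagnosis": "constructed sample", "visit": "2024-01-01"}
    tag = seal_record(record)
    intact = verify_record(record, tag)                 # untouched record verifies
    tampered = dict(record, diagnosis="altered")
    detected = not verify_record(tampered, tag)         # any change is caught

    ac = AccessControl(idle_timeout=900, authorized={"dr.smith"})
    ac.login("dr.smith", now=0)
    first = ac.read_record("dr.smith", "P-0001", now=60)            # active session
    after_idle = ac.read_record("dr.smith", "P-0001", now=60 + 901)  # logged off
    return intact, detected, first, after_idle


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The clock is passed in as a plain number rather than read from `time` so that the idle-timeout path can be exercised deterministically; in production the caller would supply a monotonic clock. The audit log records denied attempts as well as successful reads, which is what a reviewer needs when investigating improper access.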
HIPAA is not easy to understand; even the most experienced providers can inadvertently go astray when trying to maintain the privacy and confidentiality of their patients' data. So be very careful when adopting new technology.