By Ken Lynch, founder and CEO, Reciprocity Labs.
If your organization handles protected health information (PHI) or electronic protected health information (ePHI), you should be well aware of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. HIPAA compliance is regulated by the federal government, and failure to comply can attract penalties. Additionally, non-compliance may have severe consequences!
What are the penalties for HIPAA non-compliance?
Congress enacted HIPAA in 1996 with the primary intention of safeguarding sensitive health information as people switched jobs. Additionally, the United States Department of Health and Human Services (HHS) established the HIPAA Privacy Rule in 2003.
The Privacy Rule defines PHI as any information handled by a covered entity that concerns the health, treatment, or payment information associated with an individual. As technology-related crimes increased, HIPAA turned its focus to ePHI, defining three categories of safeguards in 2005. They include:
- Administrative safeguards, which cover the policies and procedures through which a given entity demonstrates its protection of ePHI
- Physical safeguards, which revolve around the controls instituted to limit access to devices that store ePHI
- Technical safeguards, which focus on protecting all the communication channels used to transmit ePHI over open networks
Definition of covered entities and business associates
According to HIPAA, covered entities are all the bodies involved in handling a patient's data. They include healthcare providers such as clinicians, doctors, nurses, pharmacists, dentists, and chiropractors, as well as all health plan providers such as HMOs, health insurance entities, and government programs.
HIPAA also considers all healthcare clearinghouses to be covered entities that must comply with its regulations. These bodies process nonstandard health data obtained from other covered entities and transform it into standard data.
Business associates are all the institutions that can access PHI or ePHI because they are contracted by covered entities to carry out specific activities on their behalf. HIPAA requires your organization to have a written contract that spells out the business associate's responsibilities for upholding the integrity and confidentiality of the PHI it handles.
Governance of HIPAA
HIPAA's privacy and security regulations are enforced by the Office for Civil Rights (OCR), which serves under the Department of Health and Human Services (HHS). OCR provides a platform where you can file complaints against covered entities as well as their business associates. If you believe a data breach has occurred, you should visit the OCR website and submit your complaint there for evaluation. Alternatively, you can submit it through their portal or by mail, fax, or email.