By Ken Lynch, founder, Reciprocity.
The HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether your business is compliant with the HIPAA or not can have a huge impact on how you handle your business. If you are non-compliant, you risk being involved in data breaches, which results in a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies as well as appearing on the wall of shame, which is a site that lists health-related organizations that have undergone data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus rule outlines how business associates should carry themselves out and how they interact with the covered entity. Recent updates to this rule expanded the omnibus rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The security rule is meant to control how businesses handle electronic Protected Health Information (ePHI). It requires businesses to have the right safeguards for protecting the confidentiality security and integrity of ePHI. These safeguards are divided into three, including: