What are the major things addressed in the HIPAA law?

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

The Health Insurance Portability and Accountability Act (HIPAA) law was established in 1996 to set national standards for the security, confidentiality, and conveyance of personal health information.

Under the HIPAA Privacy Rule, all healthcare practices and professionals are required to protect and secure protected health information (PHI). If you run are a healthcare professional who’s planning to run a healthcare practice, it is vital that you familiarize yourself with the HIPAA law.

The following are the things addressed in the HIPAA law that you should know about:

Privacy

The HIPAA Privacy Rule was put in place to regulate the use and disclosure of PHI held by healthcare practices and professionals. This rule requires healthcare practices and professionals to take appropriate measures to protect the privacy of their patients’ personal health information. The information, both paper and electronic, that should be safeguarded includes both patients’ medical records and payment records.

The HIPAA privacy rule also lays down limits and conditions on the uses and disclosures that may be made of PHI without the authorization of the patient. It also gives patients’ control over their health information. This includes the right to examine their health records and obtain a copy of the same. Patients also have the right to request corrections to be made on their personal health information.

Security

The HIPAA Security Rule deals particularly with electronic PHI (ePHI) and presently applies to all health care providers, health plans, and business associates that use, store, or transmit ePHI. It is designed to oblige covered entities to manage ePHI appropriately, i.e., prevent unauthorized access to ePHI, prevent unauthorized alteration or destruction of ePHI, and assure access of PHI by authorized users.

The HIPAA security rule lays out three areas of security safeguards that are required for compliance. They include:

Administrative

The administrative security requirements are put in place to ensure patient data is correct and accessible to authorized parties. As a healthcare professional or business, there are several administrative requirements that you must fulfill to be compliant of the HIPAA privacy law. They include:

• You must put down your privacy policy and procedures in writing.
• You must instigate a training program for employees so they can learn everything they need to know about your privacy policy and how it applies to their job.
• You must appoint a privacy officer to be in charge of data security and oversee HIPAA compliance. Services like Curogram is a perfect solution for this.
• Identify select employees who will have access to PHI.
• Require all business associates and outside contractors who need to access your patients’ PHI to observe HIPAA security standards and sign a business associates’ agreement that highlights the privacy requirements.
• Carry out internal audits and risk assessments on a yearly basis to establish your organization’s security risk.
• Make documentation of your HIPAA practices available to the government to establish compliance.

Physical

According to Verizon’s Data Breach Report, loss or theft of devices accounts for nearly 35 percent of all data breaches. The HIPAA physical security requirements are geared towards the prevention of physical loss or theft of ePHI. To meet these requirements, you will need to do the following:

• Secure computers in locked desks or behind counters to limit physical access.
• Restrict access to secure areas. 
• Shield computer screens form passersby and keep workstations out of plain public view.
• Follow best practices when disposing of hardware.
• Educate your employees and contractors on best practices for physical safety.

Technical

To ensure that your technology is HIPAA compliant, you must fulfill the following IT requirements:

• Ensure that the files you upload onto a cloud or send via email are encrypted.
• Use security software and encryption to protect your data from accidental changes and deletions.
• Authenticate data transfers to other parties by requiring a password.
• Avoiding data entry mistakes by using redundancy techniques such as double-keying, checksum, etc.
• Back up your data and put an emergency plan in place to prevent data loss in case of a disaster.
•  Come up with a data breach response plan.

For each of these three areas of security safeguards, the HIPAA security rule identifies specific security standards, and for each of these standards, it names both addressable and required implementation specifications. You must adopt and administer the required specifications as stipulated by the rule. You can evaluate your unique situation and find the best way to apply those specifications.

Conclusion

Compliance of HIPAA rules and regulations is too big of a responsibility for one individual to handle. This means that you will probably need the help of IT contractors, healthcare app developers, HIPAA consultants, and HITRUST CSF to ensure your healthcare practice meet all these standards.

Have any thoughts on this? Let us know down below in the comments or carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Staying ahead of business risks
• Risk management for the insurance industry
• Cybersecurity & higher education
• Securing the cloud