What is HIPAA compliance?
HIPAA compliance protects individuals' health records from theft and improper use. At the highest level, it establishes rules for when and how health information may be used or disclosed, and in practice it restricts routine use to treatment, payment, and health care operations for the individual. Information may also be used for research and a few other purposes once it has been de-identified, meaning it can no longer be attributed to the individual (de-identified data is no longer protected health information at all). Most health care businesses, however, should expect to apply all of the protections and treat all health information they hold as protected.
Do I need to be HIPAA compliant?
Most people think hospitals and doctors' offices are the only businesses that fall under this requirement. While they are the primary focus, they aren't the only ones. The law covers two types of business: covered entities and business associates. Covered entities are:
- Health plans (insurance providers, HMOs, and employer-sponsored group health plans)
- Health care providers (doctors, dentists, clinics, hospitals, labs)
- Health care clearinghouses (medical billers and similar services that translate health information into or out of standard transaction formats)
Covered entities are the primary target of HIPAA compliance, and they answer directly to the US Department of Health and Human Services (HHS) for it. Business associates are the second type: any business that creates, receives, maintains, or transmits health information on behalf of a covered entity, for example:
- Any company that stores or processes health care information for a covered entity (including hosting and cloud providers)
- Medical transcription services
- Medical equipment companies
- Anyone else who comes into contact with health information while providing a service to a covered entity
Since the 2013 Omnibus Rule, business associates are directly liable to HHS for Security Rule compliance, not only liable under contract to their covered entity.
Covered entities are required to establish and enforce Business Associate Agreements (BAAs) with every partner with whom health information is shared, and business associates must do the same with their own subcontractors.
In short, if you handle any health information that can be attributed to individuals, you need to be compliant.
Protected Health Information
Protected Health Information, usually called PHI, is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. It covers not just the clinical record (diagnosis, treatment, test results) but also demographic, enrollment, and payment information that can be tied to the individual; the electronic form is called ePHI. The law is interpreted broadly by regulators and auditors alike, so any business should err on the side of caution when deciding what is and is not PHI.
HIPAA Compliance Requirements
At its foundation, HIPAA comes in two parts: the Privacy Rule and the Security Rule (the Breach Notification Rule, which sets reporting duties after a compromise, builds on both). The Privacy Rule establishes standards for the protection of individually identifiable health information in any form: verbal, written, or electronic. The Security Rule establishes standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule goes into great depth, with implementation specifications divided into three categories:
- Administrative safeguards (the structure of your security program: risk analysis, policies, workforce training, incident procedures, and contingency planning)
- Technical safeguards (IT controls such as access control, audit logging, integrity checks, authentication, and transmission security)
- Physical safeguards (facility access, workstation security, and control of the devices and media that hold ePHI, including when they leave your facility)
Each category contains a set of standards with which compliance is required. Each standard is further defined by implementation specifications, and each implementation specification is either required or addressable.
- Required implementation specifications must be implemented as written.
- Addressable implementation specifications must be implemented if reasonable and appropriate; otherwise the business must document why not and, where reasonable, implement an equivalent alternative measure. Addressable does not mean optional.
In initial discussions with clients, we often find that they think HIPAA compliance is solely about technical controls: change some configurations, install some software, and be done with it. Realistically, any compliance framework is about implementing a risk management program. If you only make configuration changes and install software, you will drift out of compliance and back into risk very soon. When you build a program with a documented foundation and supporting processes (a risk analysis, policies, training, and periodic review), you can actively manage risk and stay in compliance indefinitely.
HIPAA compliance is not just a technical exercise. It’s more focused on risk management.
Overall, the Security Rule contains 18 standards, 14 required implementation specifications, and 22 addressable ones. The US Department of Health and Human Services (HHS) provides an ocean of guidance on implementation, but it can be overwhelming. The National Institute of Standards and Technology (NIST) provides guidance as well, notably NIST SP 800-66, which maps the Security Rule's standards to concrete practices. As with any compliance framework, there is some room between the controls and the individual implementation items. This allows each implementing business to make judgment calls that fit its processes, culture, and technology. When doing so, however, make sure your decision makers understand the purpose of each control and the meaning of its language. It is easy to read past that purpose and miss important parts.
We offer services to audit your current compliance with HIPAA and then help you improve it. Contact us today to schedule a free and confidential consultation on your HIPAA compliance needs.