A couple of weeks back, some of my colleagues approached me for a basic understanding of HIPAA. As part of our regular knowledge-sharing session at Gorisco, I recently gave a presentation on this. I realized that it would probably be a good idea, and helpful to others, to write a short blog on this based on my 17 years of experience in Healthcare RCM.
So, here it is…
HIPAA – Health Insurance Portability and Accountability Act
If you are involved with the US healthcare industry, it is pertinent to clearly understand the basics of HIPAA.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (1996) is an evolving law that governs how PII within PHI is processed. Any organization that has contact with PHI needs to implement processes that protect the privacy, security and integrity of that PHI.
OK! What is PHI? Some of the acronyms frequently used under HIPAA are:
PHI: Protected Health Information
PII: Personally Identifiable Information
OCR: Office of Civil Rights
OIG: Office of Inspector General
HHS: Department of Health and Human Services
BAA: Business Associate Agreement
HIPAA was enacted to establish the “meaningful use” and disclosure of PHI. HHS regulates the compliance while OIG and OCR enforce the compliance. PHI contains both PII and the respective health information.
Why is HIPAA important?
The bottom line is that HIPAA is a LAW and therefore has to be followed.
What does HIPAA aim to achieve?
Ensures privacy and confidentiality
Ensures that patients have access to their accurate healthcare data
Ensures data security
HIPAA provides organizations handling PHI with a framework that governs who has access to PHI, why that access is required, and to whom it is provided.
Any organization dealing with PHI should have sufficient measures in place to ensure physical, network, environmental, people and process security in order to be compliant. HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information. Staff must be trained and frequently assessed. Failsafes on systems must be put in place.
Common HIPAA violations
Discussing PHI outside designated areas
Sending PHI to an incorrect party
Business Associate breach
Hacking and/or virus attacks
Lost, stolen or compromised media devices
Social media updates
How to comply?
Businesses should follow processes that implement the 5 HIPAA rules:
Unique identifiers rule
These 5 rules can be enforced by implementing the following:
Information risk assessments
Policies, procedures and employee training
Supply chain / Business Associate management
Business continuity management
Trust me – with my experience, I can tell you that HIPAA implementation is NOT a one-time implementation exercise. The processes would need to be constantly reviewed.
HIPAA is stringent. Having said that, it is also flexible enough to be implemented according to the size and nature of the entity. (Yeah! Context of the Organization.) It is important to note that a HIPAA cloud implementation will be different from a hospital implementation.
HIPAA’s requirements can seem demanding; however, in today’s threat landscape they give us the firepower to protect sensitive data.
The cost of non-compliance is pretty steep! Trust me, being HIPAA compliant is very cost-effective and more than justifies the ROI.