HIPAA is the Health Insurance Portability and Accountability Act. Created in 1996 to ensure the security of personal health information for patients around the country, HIPAA is a vital part of not only the healthcare industry, but many other industries that work alongside health care.
Any organization that creates, stores, or processes protected health information has a responsibility to comply with HIPAA regulations. It is an essential part of protecting a patient's personal information, which could be exploited in any number of ways if it is stolen or compromised.
But just who needs to be HIPAA compliant, and how do you become HIPAA compliant?
Who Needs to be HIPAA Compliant?
When understanding who needs to be HIPAA compliant, it's crucial to understand that HIPAA compliance is not relegated strictly to providers. HIPAA was created to apply to both covered entities (those providing healthcare services), as well as their business associates. So what exactly are covered entities and business associates?
Covered Entities
Covered entities that fall under HIPAA compliance rules include three main categories:
-
Health Plans
-
Healthcare Providers
-
Healthcare Clearinghouses
Health Plans
Insurance companies, HMOs, and government health programs like Medicare and Medicaid are all considered to be covered entities.
Healthcare Clearinghouses
Organizations that process medical data, billing, and insurance claims handle large amounts of PHI on behalf of other organizations, making them covered entities under HIPAA.
Healthcare Providers
Healthcare professionals including doctors, dentists, psychologists, pharmacies and nursing homes all handle large amounts of PHI and are considered covered entities.
Business Associates
In addition to covered entities, HIPAA compliance extends to organizations who work with them and manage or access PHI. These organizations are called business associates.
Business associates are any individual or organization who has access to or uses PHI to provide a service to or perform a function on behalf of a covered entity. Business associates must comply with the HIPAA standards if they handle any amount of PHI on behalf of a covered entity (or another business associate).
Some examples of business associates include:
-
Medical billing companies
-
Legal firms working with covered entities
-
IT consultants
-
Third party claims processors
-
Collection agencies
-
Software vendors
-
Cloud service providers
Because of the sensitive nature of their work, there are many types of individuals or organizations that work adjacent to the healthcare industry who need to be HIPAA compliant.
What is Protected Health Information?
We've mentioned protected health information, but what exactly is it?
PHI is any health information that is created or collected that can identify an individual and that relates to a patient's past, present, or future health. This data includes demographic information, demographic identifiers in medical records, like names, phone numbers, emails, and biometric information like fingerprints, voiceprints, genetic information, and facial images. Examples of identifiers include:
-
Names
-
Social Security numbers
-
Medical records
-
Insurance information
-
Payment information
-
Prescription information
-
Treatment plans
-
Biometric information including fingerprints, voicescans and genetic information
That means there is a large range of data that can be classified as PHI. Because this data is extremely personal, it's of the utmost importance that covered entities and business associates take PHI and HIPAA compliance seriously.
How Do I Become HIPAA Compliant?
Achieving HIPAA compliance requires an investment in policy and procedure for handling PHI as well as in training for your workforce. While many businesses hire an experienced HIPAA training company to implement a program and conduct training for their employees, it is possible to establish your own HIPAA training programs in house. The Department of Health and Human Services has a great deal of resources available to help with this.
So how do you become HIPAA compliant? Here are 7 key steps to take towards achieving HIPAA compliance:
-
Conduct a HIPAA Risk Assessment - The first step is to identify weaknesses in your company's current system, then prioritize these risks based on their potential impact.
-
Develop and Implement HIPAA Policies and Procedures - You must develop and maintain clearly defined policies for how your organization handles PHI. Designating a HIPAA compliance officer who oversees HIPAA compliance is crucial.
-
Invest in Employee Training and Education - Any employee who has access to or uses PHI in their role should receive comprehensive training on HIPAA and PHI handling.
-
Implement Safeguards - The HIPAA security rule specifies 3 types of safeguards: Administrative safeguards that dictate how PHI is accessed and stored; Physical safeguards that restrict physical access, including ID badges, locking file cabinets, as well as proper destruction of paper records; and Technical safeguards that protect electronic PHI (ePHI) from unauthorized access through data encryption and security software.
-
Use Business Associate Agreements - These are written agreements outlining approved PHI usage by business associates, how and when PHI is accessed and used, security measures business associates must take, and assurances that PHI will not be used outside of agreed upon usage.
-
Create Breach Notification Protocols - A plan for responding to data breaches, as well as reporting them to the Office for Civil Rights (OCR) must be established.
-
Document Compliance and Ongoing Monitoring - In the event of a breach, documentation showing your compliance will be requested by OCR. Your compliance should be thoroughly documented, as well as regularly monitored and reviewed for areas of improvement.
Maintaining HIPAA compliance is an ongoing process. It requires dedication for covered entities and business associates who have access to PHI. Following these steps will get you started down the path to becoming HIPAA compliant.
HIPAA Compliance Risk for Startups
Startups are often characterized by rapid growth. Sometimes, rapid growth can make it hard to stay in compliance with regulations like HIPAA. However, achieving and maintaining HIPAA compliance is something that cannot be overlooked.
Some of the risks for startups involving HIPAA include:
-
Underestimating the scope of HIPAA.
-
A lack of resources to dedicate to compliance.
-
Focusing on data privacy, but neglecting data security.
-
Misunderstanding obligations. Many startups that work in fields like healthcare technology, fitness and wellness, or patient record keeping do not fully understand their obligations under HIPAA. It is highly advisable to seek legal advice if your startup is in any way involved with healthcare or PHI.
Risks of HIPAA Noncompliance
Companies that neglect their responsibilities to keep PHI secure, or who fall victim to a data breach, can face a wide range of consequences.
There are of course financial penalties: The Department of Health and Human Services can issue steep fines for HIPAA violations. Legal fees defending and settling lawsuits and providing resources to help individuals recover from a security breach can cause significant financial damage.
But there are other consequences that are not as concrete, but damaging nonetheless. For example, falling victim to a data breach can result in significant negative publicity for an organization, causing irreparable damage to consumer trust and reputation.
Some companies may essentially be blacklisted from working in healthcare and health adjacent industries if they are found to be in violation or noncompliance of HIPAA.
In extreme cases of HIPAA noncompliance or violation, civil or criminal charges may be filed.
For these reasons it is critical to take HIPAA compliance seriously. By doing so you can maintain your company's reputation and avoid business interruptions and costly lawsuits.
Conclusion
Whether you are a covered entity, or a service provider working as a business associate dealing with PHI, SVT Law Advisors can help you understand and satisfy your obligations under HIPAA.
SVT is committed to serving our clients with high quality solutions to legal issues involving all aspects of technology law, including HIPAA compliance and training.
Don't risk the consequences of a HIPAA violation. Let SVT guide you on the right path to HIPAA compliance.
Comments
There are no comments for this post. Be the first and Add your Comment below.
Leave a Comment