The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Companies that deal with protected health information (PHI) must have process security measures in place and follow them to ensure HIPAA compliance.
As healthcare data is becoming more accessible through electronic means, the risks posed to its security have grown exponentially. To ensure this sensitive information remains protected, HIPAA compliance must be taken seriously - now more than ever before. Health plans are embracing technology by providing access to claims and other helpful applications; however, they also need to guarantee these advancements won't compromise patient privacy or safety in any way.
Four primary rules define the structure and meaning of the compliance requirements:
The Privacy Rule establishes the national standard for patients’ rights to privacy and private information. It sets up the framework that dictates what ePHI is, how it must be protected, how it can and cannot be used, and how it can be transmitted and stored. In this rule, ePHI is defined as any identifiable patient data that is subject to privacy protection and held by a covered entity or any of its business associates. This is what is called “protected health information” and includes:
1. Any past, present, or future documentation on physical or mental conditions
2. Any records about the care of the patient
3. Any records referencing past, present, or future payments for healthcare.
The Security Rule establishes the national standards for the mechanisms required to protect ePHI. These mechanisms extend across the entire operation of the covered entity, including technology, administration, physical safeguards for computers and devices, and anything else that could affect the safety of ePHI. It defines three categories of safeguards:
1. Administrative. This includes policies and procedures that impact ePHI as well as the technologies, system design, risk management, and maintenance related to all other security measures. It also includes aspects of healthcare administration like Human Resources and employee training.
2. Physical. Physical safeguards secure access to physical equipment—including computers, routers, switches, and data storage. Covered entities are required to maintain secure premises where only authorized individuals can access data.
3. Technical. Technical safeguards cover computers, mobile devices, encryption, network security, device security, and anything related to the actual technology used to store and communicate ePHI.
The Breach Notification Rule specifies what happens when a security breach occurs. It’s almost impossible to protect data with 100% effectiveness, so organizations need to have plans in place to notify the public and the victims of a HIPAA breach about what has happened and what their next steps are.
The Omnibus Rule states that compliance obligations extend to Business Associates and contractors. This means that Covered Entities are responsible for any potential violations by their Business Associates and contractors, and need to update their gap analysis, risk assessment, and compliance procedures accordingly.