The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards designed to regulate how companies handle protected health information for their patients. Every medical facility and company with access to confidential patient information is required by law to be HIPAA compliant. To ensure these rules are followed, the HITECH Act mandates company audits for HIPAA compliance on an annual basis.
What Is HIPAA Compliance?
Health care providers and other companies with access to patients’ medical records are required by law to follow a specific set of standards that determines how the information is stored, used, and shared. Failure to comply with HIPAA privacy regulations typically results in fines being issued to the company, and in some cases, criminal charges are filed and/or civil action lawsuits are pursued.
The Office for Civil Rights (OCR) of the Department of Health and Human Services is responsible for fining and/or filing charges against companies that aren’t compliant with HIPAA regulations. The office doesn’t consider ignorance a justifiable defense, so even if the HIPAA violation was inadvertent, companies are still held responsible. Because of this, companies with access to protected health information typically review HIPAA requirements on an annual or bi-annual basis to ensure any necessary changes are implemented as soon as possible.
What Is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act sets regulations for the HIPAA Privacy, Security, and Breach Notification Audit Program. The program requires the OCR to conduct company audits periodically to ensure health care providers are in compliance with the HIPAA privacy, security, and notification guidelines as they are outlined in HIPAA and its amendments.
The bottom line is that if your company has access to protected health information, it has to be compliant with HIPAA. HITECH is simply the act that regulates how companies are audited, when they’re audited, and the consequences for failure to comply with HIPAA.
Health care providers, medical facilities, and companies that have access to protected health information need to make sure they have technical, physical, and administrative safeguards in place to protect all confidential medical information.
Some of the technical safeguards required include implementing:
- Activity logs and audit controls
- Automatic sign-off features on all PCs and devices
- Tools for encryption and decryption
- A mechanism to authenticate electronic protected health information
- A means of access control
Because the technical regulations are strict, you should consider going paperless. It’s a lot easier to protect electronic patient records than paper ones.
Some of the physical safeguards required include:
- Installing facility access controls
- Implementing workstation use and positioning policies
- Implementing policies and procedures for the use of mobile devices
- Maintaining an inventory of all hardware
Some of the administrative safeguards required include:
- Conducting HIPAA risk assessments at regular intervals
- Introducing a risk management policy
- Continually conducting HIPAA training for employees
- Developing and testing a contingency plan
- Restricting third-party access to protected information and your secured network
- Reporting all security incidents
- Obtaining written permission from patients before their health information is used for marketing, fundraising, or research purposes
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires companies to notify patients when there is a breach in the company’s electronic protected health information system. If a breach occurs that affects more than 500 people, companies are also required to notify the Department of Health and Human Services and issue a statement to the media. If a breach affects fewer than 500 people, companies still need to report it. However, it’s reported through the OCR web portal instead of directly to the Department of Health and Human Services, and the media notice isn’t required.
Ultimately, if your company has access to protected health information, it’s important to make sure your business is HIPAA compliant. If it isn’t, your company isn’t all that’s at risk. You’re risking your patients’ personal information too.