If you are working in the field of healthcare and have access to patient information, provide treatment, or support in treatment, you must adhere to Health Insurance Portability and Accountability Act (HIPAA) compliance rules. The folk at online database FindACode.com tell us that HIPAA compliance applies to medical professionals, administrative staff, and anyone else working within the medical field with access to sensitive patient information. But what are the rules?
What is the HIPAA?
The HIPAA was introduced to secure sensitive patient data. Any company that handles protected health information (PHI) must have security measures in place to ensure its security and privacy. PHI includes information pertaining to:
- medical history
- test results
- demographic information
- insurance information.
HIPAA compliance rules apply to covered entities (healthcare providers, clearing houses, and health insurance companies) as well as their business associates. There are three rules under the HIPAA that you need to be aware of if you handle PHI:
The Privacy Rule
The HIPAA Privacy Rule sets the standard for the patient’s rights to PHI. Included in this is the patient’s rights to access their PHI, the healthcare organizations’ rights to deny access to the PHI, and more. The organization must document the HIPAA regulatory standards in their policies and procedures and all employees must be trained on them every year.
The Security Rule
The HIPAA Security Rule sets the standard for the secure protection, maintenance, and handling of electronic PHI (ePHI). It includes administrative, technical, and physical safeguards that healthcare organizations and their business associates must have in place. The standards concerning the security rule must also be in the company’s policies and procedures, with staff trained on them annually.
The Breach Notification Rule
The HIPAA Breach Notification Rule sets the standards for what companies must do in the event of a data breach of PHI or ePHI. There are different standards for reporting said breach that apply to a company based on the size and scope of the breach. All breaches must be reported, but how this is done will depend on the breach type.
Who Must Comply?
As mentioned, covered entities and their business associates must comply with the HIPAA rules. So, if you are a healthcare provider of any size, provide healthcare plans, or are a clearinghouse dealing with patient claim forms, HIPAA compliance is mandatory.
Additionally, if your business is an associate of a covered entity, HIPAA compliance is also mandatory. Any individual or company that handles any PHI or ePHI in the course of their dealings with a covered entity will be subject to HIPAA rules.
There is a common misconception among businesses that because they are not directly operating within the healthcare sector that they do not have to be HIPAA compliant, but this is where many fall foul of the rules. A business associate could include lawyers, financial advisors, or consultancy firms. For example, a shredding company hired by a medical facility to get rid of old patient information is required to be HIPAA compliant, as is a separate billing company that works with a covered entity.
The HIPAA was introduced to ensure all sensitive patient data was kept secure and private by businesses that handle it. This includes what are known as covered entities (healthcare providers, insurance companies, and clearing houses), as well as their business associates (any individual or business that has access to protected health information as part of their dealings with the covered entity).
Companies that need to be HIPAA compliant must include standards for privacy, security, and breach notification in their policies and procedures and ensure staff is trained on them every year.