HIPAA is the Health Insurance Portability and Accountability Act of 1996 that was enacted by Congress and signed into law in 1996. There are many provisions to HIPAA covering many items mostly dealing with health insurance and regulations on what can be offered and how. Additionally, HIPAA also details regulations about a patient’s right to access your protected health information. But where HIPAA comes into play in the IT realm is in the privacy aspect of the protected health information.
Protected Health Information, or PHI, is basically a patient’s health record as it sits in an Electronic Health Record (EHR) system or in any files or folders on a computer where patient data lives. It could be anything regarding health status, if a patient has health care, health care payments, etc. One of the provisions of HIPAA is the Privacy Rule. It states that covered entities are to ensure that PHI is protected from unauthorized access by documenting and putting in place policies and procedures regarding privacy of health records.
What is HIPAA compliance?
First off, HIPAA compliance is not a certification that you receive from a company or from the government. HIPAA compliance is an ongoing process of developing and documenting privacy policies and training employees on those policies. Additionally, HIPAA requires covered entities to appoint a privacy official and a contact person responsible for receiving HIPAA privacy complaints and to train other employees.
Covered entities are mentioned in a previous paragraph. Covered entities are generally healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical services providers (doctors, hospitals, clinics, etc). Additionally, if you are a covered entity, and you allow another business access to your PHI, they are a business associate and you must have an agreement with them detailing that the business associate will appropriately safeguard PHI. Business associates as the law states are “legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates.”
I need to be HIPAA compliant. What do I need to do?
First, you should review the US Department of Health & Human Services website on HIPAA available at https://www.hhs.gov/hipaa/index.html. They have a wealth of information on HIPAA and how it applies to professionals and steps that need to be taken.
Second, you’re going to need to come up with privacy policies and procedures for your business. SandStorm IT has policy templates available if you need guidance. Some covered entities engage law firms that specialize in HIPAA compliance law to develop policy documentation for the business and train individuals on what needs to be done. Larger covered entities have departments that deal with HIPAA compliance.
Finally, you’re going to need to deploy the policies and procedures to your workforce and ensure that these individuals adhere to them. When new employees come onboard, they’ll need to be trained on these procedures as well. Don’t forget about having business associate agreements in place with your vendors who access your PHI.
As always, if you have any questions regarding HIPAA compliance or any other technology needs, contact your on demand IT partner SandStorm IT at (901) 475-0275.