Back in 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in an effort to help people hold on to their health insurance when they changed jobs. Title II of HIPAA addressed health care fraud and abuse and, through its Administrative Simplification provisions, directed the Department of Health and Human Services to issue what is now called the “Security Rule.” The Security Rule requires organizations that handle electronic protected health information to safeguard it along three major axes: administrative, physical, and technical.
Do You Need to Be HIPAA Compliant?
Are you a Covered Entity? HIPAA defines Covered Entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically. If your organization stores, processes, or transmits protected health information (PHI), or its electronic form (EPHI), HIPAA applies to you. The obligation also reaches the vendors and contractors that create, receive, maintain, or transmit PHI on a Covered Entity’s behalf, including those who build or host the software used to do so; HIPAA calls them “Business Associates,” and they are directly liable for Security Rule compliance in their own right. So everyone from the offices and practitioners themselves to their contracted vendors to the insurance companies they work with falls under the law.
Administrative and Physical
The first two forms of HIPAA compliance are already familiar to most Covered Entities (CEs). For a long time now, precautions have had to be taken to physically prevent the unauthorized use or disclosure of medical information. What makes this a bit tougher today is the electronic component.
All CEs must have a clear and codified set of policies governing access to PHI. This means making sure your office has rules in place regarding who can access what information at which workstations, with access granted on a need-to-know basis. Keeping logs of who accesses PHI is essential, and physical controls such as facility access restrictions and careful workstation placement must keep the public away from equipment that holds it. As for administrative protections, your business must supervise these physical safeguards and assign someone responsibility for them. You must also demonstrate other policies in action, such as a security awareness and training program that is refreshed periodically. Finally, you must have a documented plan for a security incident: how you will contain and remediate the breach, whom you will notify, and what sanctions apply to workforce members who violate policy must all be clear and consistently applied.
Technical
The technical safeguards, of course, can be rather tricky. As soon as you’re dealing with EPHI, the number of ways it can be copied, altered, or exposed grows sharply. Consequently, the technical safeguards focus on security and recovery. For example, the Security Rule’s contingency planning standard requires that you maintain retrievable exact copies of all EPHI, so an off-site backup that cannot be reached from a compromised primary system is a must, along with a tested procedure for restoring from it.
As for ongoing security, HIPAA requires that precautions be taken against unauthorized access to EPHI over any transmission path. This means that everything from internal database connections to interoffice email must be protected, in practice with encryption in transit (for example, TLS) and integrity controls, so that data cannot be read or altered undetected along the way.
Finally, the ability to detect unauthorized access or changes made to PHI is critical. The Rule’s audit control and integrity standards mean that to be HIPAA compliant you must be able to demonstrate how you would know if your files were breached by an outside attacker, how you would discover a staff member looking at records they have no business reason to see, and how you would tell that a record had been altered or destroyed improperly.
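One concrete way to satisfy the “how would you know a record was changed?” question is a hash baseline over the record store, compared on a schedule. The following is an added example written for this page, not code from the original article or from Matthijssen: it builds a SHA-256 manifest of a directory, then re-checks it and reports files that were added, removed, or modified. The directory layout, file names, and contents are constructed for the demo; a real deployment would point `build_manifest` at the actual PHI store and keep the baseline somewhere an attacker on that host cannot rewrite it.

```python
"""Added example: detecting unauthorized changes to stored records with a
SHA-256 baseline (file-integrity monitoring). Not from the original page;
every file name and record below is constructed for the demonstration."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, hashing it in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict[str, str],
                      current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two manifests as added, removed, or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed record store, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        # Constructed sample data; no real patient information.
        (root / "records" / "patient-0001.txt").write_text("sample record A\n")
        (root / "records" / "patient-0002.txt").write_text("sample record B\n")
        (root / "policies.txt").write_text("sample policy text\n")
        baseline = build_manifest(root)

        # Simulated unauthorized activity: one record edited, one deleted,
        # and an unexpected file dropped into the store.
        (root / "records" / "patient-0001.txt").write_text("sample record A (altered)\n")
        (root / "records" / "patient-0002.txt").unlink()
        (root / "records" / "patient-9999.txt").write_text("unexpected file\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel_path in paths:
            print(f"{kind}: {rel_path}")
```

Run on its own, the script reports `patient-0001.txt` as modified, `patient-0002.txt` as removed, and `patient-9999.txt` as added, while the untouched `policies.txt` produces no finding. In practice the baseline manifest should be signed or stored off-host, the comparison should run from a scheduled job whose output feeds your log review, and each finding should be reconciled against the access logs described above to tell an authorized update from an unauthorized one.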
The penalties for noncompliance became much steeper in 2009, when the HITECH Act (part of the American Recovery and Reinvestment Act) raised the civil penalty tiers and added breach notification requirements to incentivize compliance and minimize violations.
Matthijssen can help you achieve and maintain HIPAA compliance.