What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The law established rules for the maintenance and security of Protected Health Information (PHI) and is enforced by the US Department of Health and Human Services (HHS). HIPAA regulations were designed to give organizations guidance on:
- Use and disclosure of PHI
- Access to PHI
- Storage of PHI
- Transmission of PHI
- Breach Notification
HIPAA applies to all organizations that come into contact with PHI. Those organizations are classified as either Covered Entities or Business Associates. Covered Entities are organizations that provide healthcare services, including doctors and hospitals, health plans, and healthcare clearinghouses. Business Associates are persons or entities that perform activities on behalf of a Covered Entity that involve the handling of PHI.
HIPAA standards are built on these three rules:
HIPAA Privacy Rule
Dictates when and how PHI can be used and disclosed. The Privacy Rule establishes patients' rights to control how their health data is used. It also gives patients the right to access their health records and to request that errors be corrected.
HIPAA Security Rule
Sets standards to protect the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) through a collection of administrative, physical, and technical safeguards.
Breach Notification Rule
Requires that affected individuals and HHS (and, for larger breaches, the media) be notified after a breach of unsecured PHI is discovered.
Achieving HIPAA Compliance
To be HIPAA compliant, your organization must implement policies and procedures and meet the standards of the privacy, security, and breach notification rules.
A good first step to HIPAA compliance is conducting a risk assessment to determine your existing risk exposure and how your current controls measure up for compliance. The data from the assessment can be used to build a HIPAA roadmap.
After the risk assessment, consider performing an audit comparing your current policies, processes, and practices to the HHS Office for Civil Rights (OCR) Audit Protocol.
At this point, you will be able to confidently implement policies, procedures, and technologies that are compliant with HIPAA standards.
Once you've reached HIPAA compliance, it is important to keep the program up to date and accurate. Stay aware of changes in the HIPAA rules, and account for any changes within your own environment that could affect compliance. HIPAA requires organizations to monitor their controls on an ongoing basis and to perform periodic risk assessments to ensure continued compliance with the requirements.
The Risk of Noncompliance
The civil penalties for a HIPAA violation currently range from $137 to $68,928 per violation, depending on the level of culpability, with a maximum penalty of $2,067,813 per calendar year for violations of the same provision. The damage to your organization's reputation caused by a data breach or HIPAA fine could impact revenue for years to come.
How we can Help
At CompliancePoint we have a team of experienced professionals from the healthcare and security industries who can guide you through every step of the HIPAA compliance process. We can evaluate your security policies and procedures against HIPAA standards through a HIPAA assessment. We will identify any existing gaps and help you develop a plan for remediation. When your updated policies are implemented, CompliancePoint conducts a final audit review and issues a report of compliance. The report gives authorities, partners, and leadership proof of your organization's compliance, validated by an independent third party.
The CompliancePoint HIPAA Compliance Program helps organizations establish and meet the requirements by assessing the general and application controls across the various business functions of Covered Entities and their Business Associates.
Frequently Asked Questions
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act, a law enacted in 1996. HIPAA is a set of standards designed to protect the privacy and security of Protected Health Information (PHI). The law is enforced by the US Department of Health and Human Services (HHS).
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule sets standards for the use and disclosure of PHI. It gives patients the right to control how their health data is used. It also allows patients to access their health records and request that errors be corrected.
What are the civil penalties for a HIPAA violation?
A HIPAA violation can result in civil penalties of up to $68,928 per violation, with a maximum penalty of just over $2 million per calendar year.
What are the criminal penalties for a HIPAA violation?
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year in prison. The criminal penalties increase to $100,000 and up to a five-year prison sentence if the wrongful conduct involves false pretenses, and to $250,000 and up to a ten-year sentence if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice is responsible for criminal prosecutions.