HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) sets forth requirements for securing patients’ protected health information (PHI). HIPAA compliance applies to Covered Entities and Business Associates and requires organizations to implement measures to conform to the physical, technical, and administrative safeguards outlined by HIPAA.

What Does It Mean to Be HIPAA-Compliant?

To be HIPAA-compliant, companies must understand and comply with all aspects of the regulations. HIPAA first went into effect in 1996, and several amendments have been added in subsequent years. HIPAA now includes five rules:

  • HIPAA Privacy Rule – The HIPAA Privacy Rule establishes patients’ rights to access their PHI. This rule applies only to covered entities, not to business associates.
  • HIPAA Security Rule – The HIPAA Security Rule outlines standards for securing PHI and includes three categories: physical, administrative, and technical safeguards.
  • HIPAA Breach Notification Rule – The HIPAA Breach Notification Rule is a set of standards and processes organizations must follow in the event of a data breach that includes PHI.
  • HIPAA Omnibus Rule – The HIPAA Omnibus Rule mandates that business associates, in addition to covered entities, must comply with HIPAA and establishes rules for Business Associate Agreements.
  • HIPAA Enforcement Rule – While the HIPAA Enforcement Rule doesn’t contain any requirements for Covered Entities or Business Associates related to compliance, it does outline the procedures for investigations and hearings following a breach of PHI and the penalties that may be imposed on entities responsible for an avoidable breach.

When an organization claims to be HIPAA-compliant, it means that it has conducted a security risk assessment, developed a risk management plan, and implemented the policies and procedures necessary to conform to the administrative, physical, and technical safeguards required by HIPAA. Some organizations undergo third-party audits to prove compliance. HIPAA compliance is a continuous process, however, so remaining HIPAA-compliant requires ongoing diligence to ensure the protection of sensitive patient health information.

Why Is HIPAA Compliance Necessary?

HIPAA gives patients access to their healthcare data, reduces fraud, and ensures confidentiality and privacy for sensitive patient information. HIPAA has also helped to streamline healthcare administration functions and improve efficiency. HIPAA compliance is not a choice; any organization or entity that creates, uses, transmits, or stores personally identifiable health information is required to comply to avoid costly fines and penalties. In fact, Covered Entities will only conduct business with HIPAA-compliant partners and subcontractors, such as service providers that handle PHI. For these businesses, HIPAA compliance is crucial to earning the business of healthcare organizations and other Covered Entities.

What are the HIPAA Compliance Requirements?

The HIPAA compliance requirements primarily consist of implementing all the mandatory standards and safeguards set forth in the HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Omnibus Rule, while Covered Entities must also comply with the requirements set forth in the HIPAA Privacy Rule.

The HIPAA Security Rule includes technical, administrative, and physical safeguards covering a variety of data security measures, such as conducting risk assessments, implementing employee security training, developing policies and procedures for handling PHI, implementing access controls, data encryption, and more. While some of the standards are required, others are ‘addressable.’ However, addressable does not mean that organizations can simply opt out of meeting the standard; rather, there must be a justifiable reason the safeguard cannot or should not be implemented, or an alternative may be implemented that adequately meets the same objective.