The Health Insurance Portability and Accountability Act (HIPAA) sets forth requirements for securing patients’ protected health information (PHI). HIPAA compliance applies to Covered Entities and Business Associates and requires organizations to implement measures to conform to the physical, technical, and administrative safeguards outlined by HIPAA.
To be HIPAA-compliant, companies must understand and comply with all aspects of the regulations. HIPAA first went into effect in 1996, and several amendments have been added in subsequent years. HIPAA now includes five rules:
When an organization claims to be HIPAA-compliant, it means that they have conducted a security risk assessment, developed a risk management plan, and implemented the policies and procedures necessary to conform to the administrative, physical, and technical safeguards required by HIPAA. Some organizations undergo third-party audits to prove compliance. HIPAA compliance is a continuous process, however, so remaining HIPAA-compliant requires ongoing diligence to ensure the protection of sensitive patient health information.
HIPAA gives patients access to their healthcare data, reduces fraud, and ensures confidentiality and privacy for sensitive patient information. HIPAA has also helped to streamline healthcare administration functions and improve efficiency. HIPAA compliance is not a choice; any organization or entity that creates, uses, transmits, or stores personally identifiable health information is required to comply to avoid costly fines and penalties. In fact, Covered Entities will only conduct business with HIPAA-compliant partners and subcontractors, such as service providers that handle PHI. For these businesses, HIPAA compliance is crucial to earning the business of healthcare organizations and other Covered Entities.
The HIPAA compliance requirements primarily consist of implementing all the mandatory standards and safeguards set forth in the HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Omnibus Rule, while Covered Entities must also comply with the requirements set forth in the HIPAA Privacy Rule.
The HIPAA Security Rule includes technical, administrative, and physical safeguards covering a variety of data security measures, such as conducting risk assessments, implementing employee security training, developing policies and procedures for handling PHI, implementing access controls, encrypting data, and more. While some of the standards are required, others are ‘addressable.’ However, addressable does not mean that organizations can simply opt out of meeting the standard; rather, there must be a justifiable, documented reason the safeguard cannot or should not be implemented, or an alternative may be implemented that adequately meets the same objective.
As healthcare moves to the cloud, organizations are looking for low-cost ways to provision the complex IT infrastructure and the HIPAA-compliant applications, storage, and networking solutions that support a variety of core organizational functions for healthcare providers.