HIPAA: What does it stand for?
If you work in or with healthcare facilities, chances are you have heard the term HIPAA. HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA exists to protect patient health information. The actual law can be found here on hhs.gov.
HIPAA: Who has to be compliant?
There are a number of different organizations that need to follow HIPAA.
1. Healthcare Providers
2. Healthcare Plans
3. Healthcare Clearing Houses
4. Healthcare Business Associates
A healthcare provider could be a hospital or a private physician practice; it also includes your dentist, your eye doctor, and your therapist: any provider that gives you healthcare.
A healthcare plan would be an insurance company.
A healthcare clearing house would be a billing service that the provider uses either to bill insurance or to collect from patients.
A healthcare business associate would be any service that the provider uses that could have access to the patient data. This includes IT companies.
What is all included in the HIPAA law?
HIPAA has five sections which are called Titles.
Title I protects health insurance coverage for individuals who lose or change jobs and also prevents group health plans from denying or limiting certain coverages.
Title II gives the U.S. Department of Health and Human Services the power to establish national standards for the health care industry when processing electronic transactions. It also requires health care organizations to secure electronic access to health data to remain in compliance.
Title III includes tax-related provisions and guidelines for medical care.
Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.
Most of what you hear about HIPAA is Title II. Most people don’t even know the other sections exist. Title II also has three rules.
The HIPAA privacy rule defines what type of data is protected and defines PHI or Protected Health Information. The privacy rule is also the rule that defines what rights a patient has to their data.
The HIPAA security rule defines standards to protect ePHI, or electronic Protected Health Information. Your IT professional should be knowledgeable about what this rule requires.
The HIPAA enforcement rule defines the penalties for violations.
What happens when you get breached and how does it get reported?
If you get breached, you need to start an internal investigation immediately to figure out how many records were accessed. If you can’t prove that a record was not accessed, then it is assumed that the record was accessed. If your total count is over 500 records breached, then you need to report to HHS and to the media, as well as notify each patient individually. Breaches must be reported to HHS within 60 days. You can report breaches here. You can view all breaches of over 500 records on the HHS website.
A HIPAA breach is not a joke. Your practice could lose millions of dollars in fines. This is why you need a competent IT company that is well-versed in the HIPAA law and can help you write the policies for your organization. Proactive Tech Wiz can help you become HIPAA compliant!