If your organization deals with PHI (Protected Health Information) or ePHI (Electronic Protected Health Information), you may be asking the question “What is HIPAA compliance?”
In short, HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Another question which may be of interest to you is “What are the HIPAA compliance requirements?” Unfortunately, that question does not have such a straightforward answer. In certain areas the requirements of HIPAA are intentionally vague. The reason for this is so that HIPAA can be applied equally to every different type of Covered Entity or Business Associate that comes into contact with PHI. For the sake of clarification:
A covered entity is a health care provider, a health plan or a health care clearing house who, in its day-to-day activities, creates, maintains or transmits PHI. However, there are exceptions to this definition. For example, most healthcare providers employed by a hospital are not covered entities. It is the hospital that is the covered entity and responsible for implementing and enforcing HIPAA complaint policies.
Employers, despite maintaining health care information about their employees, are not usually covered entities either. This is unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these cases, they are considered to be “hybrid entities” and any unauthorized disclosure of PHI could still be considered a breach of HIPAA.
A “business associate” is a person or business that provides a service or performs a certain function for a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity. Examples of business associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, to name but a few.
Prior to gaining access to PHI, the business associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it will be used, and whether it will be returned or destroyed once the task it is required for is completed. While the PHI is in the business associate´s possession, the business associate HIPAA compliance obligations are the same as that of a Covered Entity.
Although the HIPAA requirements are intentionally vague, every Covered Entity and Business Associate that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to. Additionally, they must ensure that they comply with the HIPAA Privacy Rule in order to protect the integrity of PHI. Should a breach of this PHI occur, they must also ensure that they follow the procedure in the HIPAA Breach Notification Rule.
All HIPAA-related policies, risk assessments, and reasons why addressable safeguards have not been put in place must be recorded in case of a PHI breach occurring and an investigation taking place to establish how the breach happened. Businesses unsure of their obligation to comply with the HIPAA requirements should seek professional advice.
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be put in place in order to safeguard and protect ePHI both when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” it is meant as having the means necessary to read, write, communicate or modify ePHI or personal identifiers which reveal the identity of an individual (e.g. name, telephone number, email, etc).