The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards governing the use and disclosure of Protected Health Information (PHI). It applies to all healthcare providers, business associates (vendors of healthcare providers), healthcare SaaS companies, and any organization that works directly or indirectly with PHI.
The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations.
While the Act was passed in 1996, there have been several amendments to keep up with technological advancement:
- The Security Rule Amendment of 2003
  - Technical Safeguards
  - Physical Safeguards
  - Administrative Safeguards
- The Privacy Rules Amendment of 2003
- The HITECH Act and Breach Notification Rule of 2009
- The Final Omnibus Rule of 2013
The Final Omnibus Rule of 2013 broadened HIPAA compliance requirements to cover any business that stores, manages, records, or transfers Protected Health Information (PHI). These businesses are called ‘Business Associates’ under HIPAA. This broad term includes all vendors and subcontractors who directly or indirectly work with healthcare providers.
Currently, HIPAA consists of 5 main rules:
- HIPAA Privacy Rules
- HIPAA Security Rules
- HIPAA Enforcement Rules
- HIPAA Breach Notification Rules
- HIPAA Omnibus Rule
There are additional rules covering transactions and code sets, as well as unique identifiers. HIPAA compliance focuses on specific data privacy rules to protect sensitive patient data. Its aim is to foster a culture in the healthcare industry that ensures the privacy, integrity, and security of protected health information. Annual HIPAA training of all personnel who come in contact with patient data is one of many aspects of the Act that ensures all stakeholders are involved and understand their role in protecting PHI.
We recommend that IT professionals, CTOs, and CISOs carefully examine the details of the Administrative, Technical, and Physical Safeguards outlined under the Security Rule to ensure their IT systems are HIPAA compliant.
If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.