Ensuring that your health industry business complies with the Health Insurance Portability and Accountability Act (HIPAA) is often considered a costly burden and another red-tape requirement. A majority (69%) of businesses view compliance as the cost driver for setting up compliance programs, but a similar number of companies (64%) note that HIPAA is a very effective method of keeping health data safe. It is a crucial step to take to protect both your clients and your company from data breaches, and additionally from non-compliance fines if a breach occurs.
Therefore, becoming and staying HIPAA compliant is critical for those with health businesses. Your first step is to review the rules and regulations. There are four main rules that you need to understand and follow: the security rule, the privacy rule, the enforcement rule, and the breach notification rule. Read on to learn the rules and how to comply with them.
HIPAA Security Rule
You are required to preserve the integrity, confidentiality, and security of protected health information (PHI). This can be achieved through a combination of technical, administrative, and physical safeguards.
Technical safeguards are the security tools you put in place to keep health data secure and confidential. These should include internet compliance and security tools such as access control systems, encryption, and audit controls that ensure all your processes follow HIPAA requirements.
Administrative safeguards are policies you institute to ensure that your entire workforce abides by all the HIPAA requirements. At a minimum, these policies should outline how employees handle and protect the information, regular employee HIPAA training, use of security tools, and a schedule for review of the policies and the overall HIPAA program.
Physical safeguards address access to PHI. These include building access controls, computer workstation security, device and media controls, and computer use policies. Locks on physical file cabinets and passwords on computer stations will restrict access by unauthorized personnel.
HIPAA Privacy Rule
You must protect the confidentiality of medical records and health information. Access to health data should be limited to a need-to-know basis. Patient information handled by health care facilities, clearinghouses, payment processors, and health plan providers must be restricted to authorized personnel only.
The privacy rule gives patients some control over the information your business collects. You must allow them to review their personal data in your files. They can request changes to their data if there are errors.
HIPAA Enforcement Rule
There are significant fines for failing to follow any HIPAA requirement. Several agencies regulate HIPAA and have the power to address improper use or disclosure of protected health information. These include the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services (DHHS), and the Department of Justice (DOJ).
HIPAA Breach Notification Rule
Not all data breaches can be avoided, but handling them correctly is very important. You must notify affected patients and businesses of any data breach as soon as possible. Additionally, if more than 500 patients are affected, you must also inform the public and the media. This ensures that impacted people are informed and can protect themselves from identity theft.
Why Obtain HIPAA Certification
Most health organizations or companies require proof that your business is fully compliant with HIPAA requirements before working with you. You need to show that your workforce is trained on HIPAA guidelines, that you have security tools and protocols in place, and that you have administrative policies to protect the integrity and safety of patient data. There is no official government certification body, but several companies offer certification services.
Certification demonstrates that all requirements are in place for your Business Associate Agreement (BAA) and HIPAA compliance. These third-party audits catch issues in your compliance program so you can address them before you have a breach or incur regulatory fines. They can help you monitor your program and security to ensure that you can correct any non-compliance problems.
HIPAA vs. Security
HIPAA does not equal cyber-security in the health industry and should not be your only security program. HIPAA has good rules for securing health information, but it doesn't protect your business from evolving cyber threats. HIPAA rules haven't changed much despite the constant and rapid evolution of the cyber-security world.
Invest in cyber-security and use it alongside and to support your HIPAA program. HIPAA compliance and internet security should be separate departments. Both are necessary to protect your business and your clients fully.
Protect Your Business
Staying HIPAA compliant requires you to safeguard patient health information, control access to that data, implement training programs, and work with HIPAA compliant businesses. Being compliant allows you to work with more companies. Remaining compliant helps secure the sensitive information you collect and protects your company from significant regulatory fines. Compliance and security are right for your bottom line!
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.