The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was passed in 1996 to protect patients' private, identifiable medical information. Signed by President Bill Clinton, the Act includes five sections or titles.
Title I protects individuals with pre-existing medical conditions from coverage denial by group health plans and provides the COBRA program for medical insurance coverage for those who no longer have a policy because of a job change or loss. Title II regulates the security of electronic health data and creates a standard procedure for this type of transaction. Title III includes general tax-related guidelines for health care. Title IV provides insurance coverage reform and Title V regulates insurance owned by businesses and provides coverage to those who have lost citizenship. Companies that handle private health data have a responsibility to ensure that this data remains protected.
The text of HIPAA refers to “individually identifiable health information”. This term encompasses any details about a person's physical or mental health status, the treatments he or she has received for those conditions, and how the person has paid for care. This protected health information (PHI) is categorized under 18 HIPAA identifiers.
HIPAA limits how protected health information can be used and disclosed with and without patient authorization. If you store patient data in the cloud, you must implement HIPAA compliant cloud storage to ensure proper data protection. When patient data is available to individuals outside of a patient’s healthcare team, it constitutes a HIPAA violation. Under HIPAA, every individual has the right to obtain and request changes to his or her health records. Businesses must respond to record requests within 30 days and notify patients about how their data will be legally shared and used.
Any business that handles protected health information must comply with the terms of HIPAA. These laws apply to businesses categorized as covered entities, including health care providers, health insurance plans, healthcare billing services and employers, and government agencies that enroll individuals in health plans. If you communicate with your patients digitally, you must ensure HIPAA-compliant chat. These standards also carry over to any video conferencing that involves patient data.
Business associates must also adhere to HIPAA regulations. This category includes subcontractors and vendors who have PHI access, including but not limited to data storage and processing companies, medical equipment companies, consultants, transcription services, auditors, and accountants. Businesses that send or receive personal health data must ensure that their electronic systems comply with the regulations outlined by HIPAA. Use our HIPAA Compliance Checklist to see if your business adheres to basic HIPAA requirements.
Although a robust information security system that protects HIPAA-covered data can be quite costly, the fines for failing to meet these federal regulations are also expensive. Businesses are subject to:
If PHI is breached, the business responsible must notify the Department of Health and Human Services. It must disclose information about the nature of the breach, whether PHI was viewed or obtained, and whether the breach has been corrected.
If your company currently handles PHI, electronic communications must be limited to software with messaging encryption that meets minimum HIPAA guidelines. The law outlines certain technical safeguards businesses must have in place to avoid compliance-related fines:
In addition to electronic safeguards, businesses should also use physical and administrative safeguards to shield PHI. Physical safeguards include systems to detect and thwart tampering and theft, controlled access to physical PHI storage locations, policies and procedures for workstations and mobile devices that allow PHI access, and a dedicated hardware inventory for these machines.
Administrative safeguards create a company culture that prioritizes HIPAA compliance. These steps may include establishing a risk management policy, conducting regular risk assessments, training employees on best practices to protect electronic health data, developing and testing a contingency plan to correct PHI security errors, restricting third-party access to electronic systems, and promptly reporting all suspected PHI breaches.
A Notice of Privacy Practices (NPP) is one of the requirements of HIPAA and helps patients understand their personal data rights.