The Health Insurance Portability and Accountability Act, also known as HIPAA, is the federal law that protects patients from having their sensitive health information disclosed without their permission. The law, enacted in 1996, established national standards for the protection of certain personal health information. The law is enforced by the Department of Health and Human Services. Organizations that must abide by the law are called covered entities, which includes health plans, healthcare clearinghouses and any health care provider, as well as the business associates or contract workers that perform functions on behalf of the covered entity.
A number of different organizations and industries are required to be HIPAA compliant. It is not just for healthcare companies; HIPAA compliance is required by any corporation or organization that has any access to patient health information.
As times change and the healthcare field evolves, so has the law. There have been several addendums to the law, including the Security Rule, which applies to electronic patient health information (e-PHI). The Security Rule requires covered entities and their business associates to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI.
Training and Education
Monitoring and Auditing
To achieve HIPAA compliance, there are seven fundamentals that covered entities and business associates must accomplish. Companies must: establish a written comprehensive compliance plan that includes policies, procedures and standards of conduct; designate a compliance officer and committee; conduct training and education; develop effective lines of communication regarding the compliance plan; conduct internal monitoring and auditing; enforce adherence to the plan with well-known disciplinary guidelines; and respond quickly to offenses by taking corrective action.
With more and more contractors working for covered entities, the constantly evolving rules and regulations and the ever-changing cybersecurity threat landscape, maintaining compliance is difficult and complex. However, compliance is critical as noncompliance can lead to large fines, up to $1.5 million per year.
To maintain compliance, companies need to ensure they adhere to the seven fundamentals listed above. They must also be prepared for a HIPAA audit at any time. Companies can do so through self-preparation and detailed documentation. Another important factor in maintaining compliance is understanding the role of cybersecurity.
An effective cybersecurity program will help you stay compliant to HIPAA and other regulations because it protects data against a breach. With the proliferation of electronic health records, a single data breach at a healthcare provider could cause thousands of HIPAA violations if patient information is leaked. To ensure your company and its patient health records are protected, a good cybersecurity plan must include the use of firewalls, protection for all mobile devices, strict guidelines for employees, high-quality antivirus software, a plan to deal with a breach or employee mistake, controlled access to sensitive information, limited network access and restricted access to devices.