HIPAA is made up of different sections, called Titles, with Title I and Title II being the most important. Title I focuses on the portability part of the law, ensuring that insurance plan isn’t denied when health workers switch or get laid off from their jobs.
The health insurance portability part has had the biggest impact on some people’s lives. However, for those in healthcare administration or IT, it is Title II that keeps them up at night. Title II focuses on the accountability part of the law’s name.
Title II mandates that anyone who comes into contact with an individual’s medical records must take active steps to keep the data private and secure. The people and organizations who fall under the law’s umbrella, often termed as covered entities do not just include obvious candidates like doctors and nurses but also IT vendors or third-party billing companies and anyone who touches patient information.
On that note, let’s take a look at the most important rules of this law.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was developed in 2003 and set restrictions for how Protected Health Information (PHI) should be developed. It imposed a balancing act on covered entities. At one end of the spectrum, it understands that for the healthcare system to function properly, PHI needs to be accessed by various individuals, organizations, and other entities. On the other end of the spectrum, it mandates that patient’s medical record and personally identifiable information remains secured and private.
The solution to this problem is the HIPAA Minimum Necessary Standard. The Privacy Rule’s minimum necessary standard requires individuals to have access to PHI they need to perform their jobs but nothing beyond that.
To comply with the HIPAA Privacy Rule, providers must take reasonable administrative steps that range from designating a privacy officer to training staff members of Privacy Rule requirements to providing patients with the Notice of Privacy Practices (NPP).
The Privacy Rule also mandates that patients themselves can access their own medical records and may even make copies or amendments upon request.
The HIPAA Security Rule
The HIPAA Security Rule can be quite extensive and arduous to follow. Covered entities, as well as business associates, must implement appropriate administrative, technical, and physical safeguards to protect PHI in electronic forms (ePHI). The safeguards must be reasonable and appropriate in congruence with the practice or business functions. Examples of administrative measures include workforce training and risk analyses, physical safeguards include installing CCTV cameras, and technical measures like implementing cybersecurity software solutions.
The overall objectives should be to:
- Ensure the confidentiality, integrity, and availability of all ePHI handled or transmitted
- Protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated but impermissible uses or disclosures
- Ensure workplace compliance
The good thing is the Security Rule does not mandate any specific measures. Instead, organizations have the flexibility to apply appropriate safeguards depending on the size, environment, and technical aspects of their business. But this flexibility also brings with it ambiguity for organizations as to whether their implementations are truly HIPAA compliant.
Besides a bulk of that is involved in meeting the requirements of the HIPAA Privacy and Security Rule, there are also some other minor requirements as well. Such as all covered entities must have a National Provider Identifier and adhere to the Transaction and Code Set Standards for electronic data interchange.
Due to the complexity of the HIPAA Privacy and Security requirements, there are software packages that can help your company in compliance with the law. Some compliance solution providers even offer customized solutions to your company’s needs as well as resources like training and certification.
Keep in mind that it’s not just doctors and nurses that need to comply with the law. Anyone selling products or services to anyone in the healthcare industry must be aware of the HIPAA rules and requirements. This may even include lawyers, computer programmers, cloud service providers, or anyone that may come into contact with medical records.