What You Need to Know About HIPAA and Electronic Medical Records in Healthcare

HIPAA is a set of federal regulations that governs how healthcare providers, health plans, and other health service organizations must protect the privacy and security of patient data. Its Privacy Rule gives patients a right of access to their own medical records, requires that their information be kept confidential, and restricts unauthorized uses and disclosures of that information.

The following tips will help you keep your healthcare business compliant with HIPAA:

HIPAA IT Security tips

HIPAA IT security is about protecting the confidentiality, integrity and availability of electronic protected health information (ePHI).

The following are some HIPAA IT security tips:

  • Do not send PHI by unencrypted email. Messages cross networks you do not control and can be intercepted in transit, and a message can also be forwarded to, or read by, recipients who are not authorized to see it. If email must carry PHI, encrypt it end to end or use a secure patient portal instead;
  • Do not use unencrypted devices for storing or transmitting PHI;
  • Do not connect devices that hold ePHI, such as laptops, tablets and smartphones, to unsecured networks (e.g., public Wi-Fi) without a VPN, because doing so exposes both the device and the office network behind it to eavesdropping and attack;
  • Don't leave PHI in an open shared folder on your company's server, because everyone with access to the share, not just those with a need to know, will be able to view this sensitive information.
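The last tip above, checking that nothing on a shared server is readable more widely than intended, is easy to turn into a routine audit. The following Python script is an added example, not code from the original article: it walks a directory tree and reports every regular file whose mode bits grant read or write access to the owning group or to everyone. The share it scans is a throw-away directory it builds itself (the file names and the `phi-share-` prefix are made up for the illustration); on a real file server you would point it at the share root, and on a Windows or ACL-based share you would inspect the ACLs rather than POSIX mode bits.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that let users other than the owner read or write a file.
# On a departmental share, "everyone in the group can read it" is the usual
# way PHI ends up visible to staff who have no need to know.
OTHER_READ = stat.S_IROTH
OTHER_WRITE = stat.S_IWOTH
GROUP_READ = stat.S_IRGRP
GROUP_WRITE = stat.S_IWGRP


def classify_mode(mode):
    """Return a list of problems for a permission mode, e.g. ['other-read'].
    An empty list means only the owner can read or write the file."""
    problems = []
    if mode & OTHER_WRITE:
        problems.append("other-write")
    if mode & OTHER_READ:
        problems.append("other-read")
    if mode & GROUP_WRITE:
        problems.append("group-write")
    if mode & GROUP_READ:
        problems.append("group-read")
    return problems


def find_exposed_files(root):
    """Walk root and return {relative_path: [problems]} for every regular file
    that is readable or writable beyond its owner. Symlinks are not followed,
    so a link pointing outside the share cannot widen the scan."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes, etc.
            problems = classify_mode(stat.S_IMODE(st.st_mode))
            if problems:
                findings[str(path.relative_to(root))] = problems
    return findings


def build_sample_share():
    """Create a throw-away directory tree standing in for a departmental share.
    The file names and modes are constructed for this example and the files
    contain only placeholder text, no real data."""
    root = Path(tempfile.mkdtemp(prefix="phi-share-"))
    (root / "billing").mkdir()
    samples = {
        "billing/claims-2024.csv": 0o644,  # world-readable: exposed
        "billing/notes.txt": 0o660,        # group read/write: exposed
        "billing/archive.bin": 0o600,      # owner only: fine
        "scratch.tmp": 0o666,              # world read/write: exposed
    }
    for rel, mode in samples.items():
        p = root / rel
        p.write_text("placeholder\n")
        os.chmod(p, mode)  # explicit chmod, so the process umask does not matter
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, problems in sorted(find_exposed_files(share).items()):
        print(f"{rel}: {', '.join(problems)}")
```

Run it against the sample tree and three of the four files are reported; only `billing/archive.bin`, which is owner-only, passes. Flagging group read as a finding is deliberate: on most shares the owning group is far wider than the set of people who need a given record, so each group-readable hit should be justified or tightened rather than waved through.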

HIPAA and Business Associates

If you are a business associate of a covered entity, you are not merely bound by contract: since the HITECH Act (2009) and the 2013 Omnibus Rule, business associates are directly liable under HIPAA for complying with the Security Rule and with the Privacy Rule provisions that apply to them. In practice this means:

  • You must sign a business associate agreement (BAA) with each covered entity you serve, and with any subcontractor of yours that handles PHI, spelling out the permitted uses and disclosures of that PHI;
  • You must implement the Security Rule's administrative, physical and technical safeguards for ePHI, including a documented risk analysis and written policies and procedures. The Security Rule requires that this documentation be kept in writing and retained for six years, so "we're a small company and have an established relationship" is not a substitute for it;
  • You must report security incidents and breaches of unsecured PHI to the covered entity, which in turn is responsible for notifying the affected individuals and HHS. Unlike a covered entity, you normally notify the covered entity rather than the patients directly, but the deadlines still apply to you.

Other HIPAA concerns

As we've discussed, HIPAA is a federal law enacted in 1996; the Privacy and Security Rules issued under it protect patient privacy and the confidentiality, integrity and availability of electronic health information. As you can imagine, the security of patient data is extremely important, but it is something companies often neglect when they are focused on other concerns.

In recent years there have been many breaches that involved HIPAA violations:

  • The Anthem breach, disclosed in 2015, exposed the personal information of nearly 80 million people after attackers gained access through spear-phishing emails; the stolen data was not encrypted at rest.
  • An intrusion at Premera Blue Cross, also disclosed in 2015, exposed the personal, clinical and financial information of about 11 million members; attackers installed malware after a phishing email and remained undetected for months.
  • A ransomware attack shut down Hays County Hospital for over two weeks after the attackers demanded $4 million (the hospital refused to pay).

There are many things to consider when it comes to healthcare and data privacy. HIPAA is a set of federal regulations that governs the use and disclosure of protected health information (PHI). It is enforced by the HHS Office for Civil Rights (OCR), which can impose civil penalties for noncompliance that are tiered by the level of culpability and capped at $1.5 million (adjusted for inflation) per calendar year for all violations of an identical provision.

HIPAA applies not only to hospitals and other health care providers that transmit health information in electronic form in connection with a covered transaction, but also to health plans and health care clearinghouses, and to the business associates of all three. Health plans include employer-sponsored group health plans, health insurers, HMOs, Medicaid programs and Medicare Advantage plans.

Conclusion

This post is by no means a comprehensive guide to HIPAA compliance. There are many other factors that affect how the law applies to you, such as whether you have employees who work from home, or whether you keep records on paper as well as electronically (the Privacy Rule covers PHI in any form, while the Security Rule covers only ePHI). However, these tips should give you a good starting point for understanding how HIPAA applies to your business and how it affects the way your company uses sensitive health data.