What Is HIPAA And How Does It Work?

Compliance 11/29/2019 - 08:35 by Swathi Raju

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a piece of United States legislation passed in 1996. The HIPAA Act was implemented to protect the privacy and security of healthcare sector data. The law is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).

Why is HIPAA needed?

HIPAA is a federal law which:

  1. Provides millions of American working families and their dependents with the ability to transfer and prolong health insurance coverage when they change or lose their jobs;
  2. Restricts healthcare fraud and abuse;
  3. Encourages the confidentiality of Protected Health Information (PHI);
  4. Mandates industry-wide standards for health care information on electronic billing and other processes.

HIPAA aims to provide Portability & Accountability in the healthcare sector.

Titles of HIPAA

HIPAA consists of five titles:

  • Title I: Health Care Access, Portability & Renewability – Protects health insurance coverage for working people and their families when they change or lose their jobs. It limits the right of new health plans to deny coverage on the basis of a pre-existing condition.
  • Title II: Preventing Health Care Fraud & Abuse; Administrative Simplification; Medical Liability Reform – Requires the establishment of national standards for electronic health care transactions and national identifiers for workers, employers and health insurance schemes.
  • Title III: Tax-related health provisions for medical accounts – Guidelines for pre-tax medical savings accounts. Provides changes to health insurance law and deductions for medical insurance.
  • Title IV: Application & Enforcement of group health insurance plans – Offers modifications regarding health coverage.
  • Title V: Revenue offset governing tax deductions for employers – Governs company-owned life insurance policies. Also covers provisions on medical aid and financial institutions for non-citizens of the United States.

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) sets the standards for protecting sensitive patient information. Organisations dealing with protected health information (PHI) must adopt and enforce physical, network and system protections to ensure HIPAA compliance.

HIPAA applies equally to every Covered Entity (CE) and Business Associate (BA) that accesses PHI.

What is a Covered Entity?

A covered entity is a health care provider that maintains protected health information (PHI). In other words, the hospital is the covered entity, and the individual health care providers employed by the hospital are not themselves covered entities. The hospital is responsible for executing and enforcing HIPAA-compliant policies.

What is a Business Associate?

A business associate may be a person or a business that performs a service for a covered entity which requires the business associate to access PHI maintained by the covered entity. Business associates include lawyers, accountants, IT contractors, cloud storage devices etc.

A Business Associate (BA) must sign a Business Associate Agreement (BAA) with the Covered Entity (CE) prior to accessing protected health information (PHI). The BAA states which information the BA shall access, how the PHI shall be used, and whether it shall be returned or destroyed upon completion of the service. Once the BAA is signed, HIPAA compliance obligations apply to both the Business Associate and the Covered Entity.

What is Protected Health Information?

Protected Health Information includes the personal health information of every American in any form, whether electronic, paper or verbal. Personally identifiable health information comprises data such as name, address, date of birth, Social Security Number, medical history etc. HIPAA is imposed by the U.S. Government to secure such data.

What are the rules of HIPAA?

The Department of Health and Human Services (HHS) formulated the following rules for implementing HIPAA's Administrative Simplification (AS) title:

  1. The Privacy Rule
  2. The Electronic Transactions and Code Sets Rule
  3. The Security Rule
  4. The Unique Identifiers Rule
  5. The Enforcement Rule

What are the standards of the HIPAA Security Rule?

The HIPAA Security Rule comprises three categories of safeguards. Every Covered Entity (CE) and Business Associate (BA) must comply with each of these required standards. The Security Rule requires three types of safeguards:

  1. Administrative
  2. Physical
  3. Technical

Administrative Safeguards – require CEs and BAs to perform a risk analysis. A risk analysis involves:

  1. Evaluating the impact of potential risks to electronic protected health information (ePHI)
  2. Formulating the required security measures according to the risk analysis
  3. Maintaining documentation of the countermeasures
  4. Enhancing reasonable security measures

Physical Safeguards – secure the physical safety of the premises where ePHI is stored. They cover:

  1. Facility Access & Control
  2. Workstation and Device Security

Technical Safeguards – include measures such as data backup and firewalls to protect ePHI. They consist of:

  1. Access Controls
  2. Audit Controls
  3. Integrity Controls
  4. Transmission Security

HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, imposes higher penalties for HIPAA violations and requires data breaches affecting 500 or more individuals to be reported to HHS. The HITECH Act also extends the HIPAA Privacy Rule and Security Rule to the business associates of HIPAA covered entities.

How to become HIPAA Compliant?

To become HIPAA compliant, the following steps should be considered:

  1. Determine which HIPAA rules apply to your organisation
  2. Decide how your technology maps to the HIPAA rules
  3. Establish a risk management framework and initiate a risk assessment design
  4. Decide on internal administrative controls such as policies and procedures
  5. Conduct audit training for your workforce
  6. Implement and maintain security checkpoints
  7. Respond to potential privacy and security incidents and HIPAA breaches
  8. Use a HIPAA compliance checklist to make sure your organisation incorporates all the technical, administrative and physical safeguards of the HIPAA Security Rule
  9. Adhere to the requirements of the HIPAA Privacy and Breach Notification Rules
  10. Implement controls and safeguards to ensure the confidentiality, integrity and availability of protected health information (PHI), and develop policies in line with HIPAA, the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act and the Omnibus Rule
  11. Consider the severity of the higher penalties for HIPAA violations and the consequences of a HIPAA breach

Who will check if you are HIPAA compliant?

  1. The Office for Civil Rights
  2. Your Partners and Clients
  3. Third-Party Auditors

Why Teceze for HIPAA Compliance?

At Teceze, we aim to assist you in identifying the HIPAA requirements applicable to you. We will walk you through every step involved in becoming HIPAA compliant. Through our HIPAA dashboard, progress is monitored and we track your risk analysis, risk management, policies and procedures. To assist you in becoming HIPAA compliant, Teceze utilises the latest technology and resources to prevent the loss of PHI while maintaining your reputation. This includes business associate agreement templates, internal and external vulnerability scanning, penetration testing, mobile device security, privacy and security policies as well as HIPAA training.
