HITECH & HIPAA-Compliant Data Systems
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.1 To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
What information is affected?
- Any identifiable information that leads to an individual’s history of their physical and mental health conditions.
- Any identifiable information that leads to the treatment or provision the individual has access to.
- Any identifiable information that leads to an individual’s payment information for said health care.
The Privacy Rule is administered by the Office for Civil Rights.
Who is affected by HIPAA?
HHS refers to the entities that must follow the HIPAA regulations “covered entities.”
Covered entities include: (Your MSP or IT consultant is on this list)
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
In addition, business associates of covered entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:
- Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
- Companies that help administer health plans
- People like outside lawyers, accountants, and IT specialists
- Companies that store or destroy medical records
Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Who Is Not Required to Follow These Laws
Many organizations that have health information about you do not have to follow these laws.
Examples of organizations that do not have to follow the Privacy and Security Rules include:
- Life insurers
- Workers compensation carriers
- Most schools and school districts
- Many state agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
HIPAA Partner with Technical Expertise
We maximize your ROI by providing your organization steps that help you meet your compliance objectives while testing your organization’s security controls as it relates to the HIPAA Security Rule.
Laws for the secure and private transfer of individual’s medical information.
The nearly instantaneous flow of information is a defining variable of the information age. Many leading companies have established a benchmark of implementing flexible and effective new technologies into their business plan, and just recently, many small businesses have been able to get out ahead of this trend and implement their own solutions. While it’s true some companies can use this technology better than others, in regards to healthcare information, the seamless flow of information can literally be the difference between life and death.
In August of 1996, United States President Bill Clinton, in an effort to promote secure transfer of patient information, signed into law the Health Insurance Portability and Accountability Act (HIPAA). At that time, HIPAA stated that the Secretary of Health and Human Services had to publicize official standards for the electronic exchange, privacy, and security of health-related information. It also stated that the Secretary of HHS had the responsibility of issuing regulations if the U.S. Congress didn’t enact privacy and security standards by 1999. Three years later, HHS unveiled the official rules.
- HIPAA Privacy Rule
- HIPAA Security Rule
- Electronic Transaction & Code Sets Standards
- National Identifier Requirements
- Enforcement & Penalties
Penalties for General Violations of HIPAA:
- Each violation: A $100 penalty per violation, with no more than $25,000 in one year for all violations of identical requirements.
Penalties for the Wrongful Disclosure of Individually Identifiable Health Information:
- For wrongful disclosure: $50,000 penalty, imprisonment for not more than one year, or both.
- For wrongful disclosure made under false pretenses: $100,000 penalty, imprisonment for not more than five years, or both.
- For wrongful disclosure made with the intent to sell information: $250,000 penalty, imprisonment of not more than 10 years, or both.
As well as the penalties listed above, covered entities that fail to comply with HIPAA regulations will likely be subject to a loss of credibility, which will likely result in the loss of public trust and revenue.
For more information about HIPAA or our role in your data security, call us today at 808-356-0000. We can clarify about the specifics for HIPAA compliance and present secure data transfers for your medical practice.