HIPAA Compliance Overview and 3-Step Checklist
HIPAA is a term most of us are familiar with, but many still have questions about what it entails, whether their business needs to be compliant, and how to meet the compliance requirements. To help, our team provides below a brief overview of what HIPAA is and a quick 3-step checklist with details on how to become HIPAA-compliant. Let’s get started.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a requirement imposed by the U.S. Department of Health and Human Services whose goal is to “help protect American workers and their families with continued health insurance coverage and establish industry-wide guidelines that protect the confidential use of personal healthcare information” (Forbes).
Does My Business Need to be HIPAA-Compliant?
If your business is classified under HIPAA as a “covered entity”—meaning that you manage private health information (i.e. health care providers, health plan organizations, etc.)—then you are required to be HIPAA-compliant. Check out the following page from HHS.gov, which has more information on the organizations that are considered covered entities.
If you are a covered entity, the following is a brief checklist to help get you started on meeting HIPAA compliance requirements.
Step 1: Get Organized
Part of HIPAA is a rule called “Transaction and Code Sets”—intended to ensure that all covered entities have a standardized way of communicating about all things related to healthcare. What’s the best way to meet this requirement? One suggestion is to select a compliant electronic health record (EHR) system. An EHR is a digital version of a patient’s paper chart: EHRs are “real-time, patient-centered records that make information available instantly and securely to authorized users” (HealthIT.gov).
Another way to make sure you meet compliance regulations is to get the required 10-digit National Provider Identifier (NPI), which helps covered entities identify themselves in a standardized way. If you don’t have an NPI or are unsure, visit the National Plan & Provider Enumeration System website.
Step 2: Secure and Protect
At its core, the primary goal of HIPAA is patient privacy, making this step essential. At a high level, covered entities are obligated to follow HIPAA’s “Privacy Rule” (which is further explained here) and address “the use and disclosure of individuals’ health information—called “protected health information” (HHS.gov).
Given how important this step is, it’s advised that organizations that are considered a covered entity spend extra time adhering to this requirement. From understanding what your organization must and may do under the Privacy Rule to keeping a “record of all uses and disclosures of protected health information”—various steps are needed to fulfill this requirement, and they must be followed in order to be considered HIPAA-compliant (Spruce Health).
In addition to protecting patients’ health information via the “Privacy Rule”—HIPAA also has a “Security Rule,” which applies only to the protected health information (PHI) that your organization “receives, maintains or transmits in electronic form. To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis” that assesses the risks to electronic PHI and the security measures already in place, and then puts safeguards in place to address any gaps in electronic security (Spruce Health).
Step 3: Be Prepared…For Anything
From potential (and unforeseen) HIPAA violations to intruder breaches, it’s important that your organization follows steps 1 & 2 to help avoid, and prepare for, any scenario.
For example, if your organization is found in violation of HIPAA compliance (whether intentional or unintentional), you could face a hefty financial penalty under the HIPAA Enforcement Rule. According to HIPAA Journal, fines can range from $100 to $50,000 per violation (with a maximum yearly penalty of $1,500,000).
In addition to potential violations, information breaches, and how to handle them if you are victimized, are an important component of HIPAA compliance. Under the HIPAA Breach Notification Rule, organizations must “provide notification after breaches of PHI. A breach is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule” (Spruce Health).
To help protect your organization from potential breaches and other security threats, it’s advised that you work with an IT partner, like Big Sur Technologies, to protect important data and files.
For any questions you have on protecting your organization and adhering to compliance requirements, contact our team today. We’d be happy to help answer any questions you have.