Anyone who works in the healthcare or insurance sector is acquainted with HIPAA, the Health Insurance Portability and Accountability Act, and is required to comply with it. HIPAA was enacted by the United States Congress in 1996 to establish regulations aimed at facilitating the transfer and continuation of health insurance, mandating industry-wide standards for healthcare and electronic billing, reducing healthcare fraud and abuse, and requiring the protection and confidential handling of protected health information (PHI).
So what does that mean in practice? In plain terms, HIPAA does several things. First, it sets standards that anyone who delivers healthcare must follow, both in the office and when billing. Second, it lets people keep or carry over their health coverage when they change jobs or insurers (the "portability" in the name) instead of losing it or facing fresh pre-existing condition exclusions.
Third, it prohibits your doctor or other healthcare professional from sharing your patient information with, or in the presence of, anyone who has not been authorized to know it. This is why your pharmacist discusses your prescription with you privately rather than while you wait in line.
That third point is the work of the HIPAA Privacy Rule, administered by the Department of Health and Human Services (HHS): it sets the rules for when, to whom, and for what purposes protected health information may be used or disclosed. The HIPAA Security Rule is its counterpart, not its opposite.
Formally titled the Security Standards for the Protection of Electronic Protected Health Information, the Security Rule requires covered entities to put administrative, physical, and technical safeguards in place to protect the confidentiality, integrity, and availability of the electronic protected health information (e-PHI) they create, receive, maintain, or transmit.
The Privacy Rule applies to health plans, healthcare clearinghouses, and any healthcare provider that transmits health information electronically in connection with standard transactions such as claims; HIPAA calls these "covered entities." The information it protects, PHI, is individually identifiable health information that relates to:
- The individual's past, present, or future physical or mental health or condition.
- The provision of health care to the individual.
- The past, present, or future payment for the provision of health care to the individual.
Are you aware that 41% of Americans have never viewed their health records?
Since 1996, the healthcare sector has steadily replaced paper records with electronic ones. Given the worries about attackers and about the security of cloud storage, what does the healthcare sector need to watch in order not only to secure patient data but also to stay HIPAA compliant?
Several critical points to bear in mind include the following:
- Keep offsite backups of electronic PHI. This should be self-evident for anyone keeping data outside the office, but it is especially critical for patient information. The Security Rule's contingency plan standard requires a data backup plan, and a backup that sits in the same building as the original does not survive the fire, flood, or site outage that plan exists for, so keep backup copies in a separate location from the originals. Encryption of e-PHI at rest is an "addressable" implementation specification under the Security Rule: you must implement it where reasonable and appropriate, or document why an equivalent alternative was chosen, and for backups that leave your premises it is hard to argue that encryption is not appropriate.
- Create a backup of all patient records. The Security Rule's data backup plan specification requires every covered entity to have procedures for creating and maintaining retrievable exact copies of electronic PHI. "Retrievable" and "exact" are the operative words: a backup you have never restored, or whose restored contents you have never compared against the originals, does not satisfy either.
- Know the key definitions. HIPAA uses several terms with precise meanings, and it is always prudent to learn them from the rule itself rather than from summaries. For instance, "protected health information" is individually identifiable health information that a covered entity or business associate holds or transmits, in any form or medium; the Privacy Rule then governs how that information may be used and disclosed.
- Make sure your backup provider adheres to HIPAA. You want a provider that helps you comply by implementing the physical, technical, and administrative safeguards needed to preserve the confidentiality, integrity, and availability of your e-PHI.
- Contract with your backup provider as a "Business Associate." Anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate and must sign a Business Associate Agreement (BAA). Because your backup provider will receive and store your PHI, it is a business associate, and the BAA is required, not optional. Before committing, confirm that the provider will sign one.
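As an added example that is not part of the original article, the following Python script shows what "retrievable exact copies" looks like when it is actually checked rather than assumed: it backs up a constructed sample record set, writes a SHA-256 manifest authenticated with an HMAC key that is kept apart from the backup, restores the backup, and verifies that every restored file matches byte for byte. The directory names, the sample patient records, and the key are constructed for illustration; encryption of the backup payload at rest is assumed to be provided by the backup tool or storage layer and is not shown.

```python
"""Backup-and-restore verification for e-PHI (added example, not the article's code).

All data below is constructed for the demo. Encrypting the backup payload is
assumed to be handled by the backup tool or storage layer and is not shown.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical key. In practice it lives in a secrets manager, never beside the
# backup, so whoever can alter the backup cannot also re-sign the manifest.
MANIFEST_KEY = b"constructed-demo-key-do-not-use-in-production"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large record sets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 and size."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def back_up(source: Path, backup: Path) -> Path:
    """Copy source to backup/data and write an HMAC-authenticated manifest beside it."""
    shutil.copytree(source, backup / "data")
    body = json.dumps(build_manifest(source), sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    (backup / "manifest.json").write_bytes(body)
    (backup / "manifest.hmac").write_text(tag)
    return backup


def load_manifest(backup: Path) -> dict:
    """Refuse to trust a manifest whose HMAC does not verify (tampered, or wrong key)."""
    body = (backup / "manifest.json").read_bytes()
    expected_tag = (backup / "manifest.hmac").read_text().strip()
    actual_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, actual_tag):
        raise ValueError("manifest HMAC mismatch: backup metadata is not trustworthy")
    return json.loads(body)


def restore(backup: Path, target: Path) -> Path:
    """Restore the backed-up tree to target (a plain copy in this demo)."""
    shutil.copytree(backup / "data", target)
    return target


def verify_restore(backup: Path, restored: Path) -> list:
    """Return a list of discrepancies; an empty list means an exact copy was retrieved."""
    expected = load_manifest(backup)
    actual = build_manifest(restored)
    problems = []
    for rel, meta in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel]["sha256"] != meta["sha256"]:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two records, restore, then damage one restored
    file and tamper with the manifest, to show what each check catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr"
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "p001.json").write_text('{"id": "p001", "note": "constructed"}')
        (source / "patients" / "p002.json").write_text('{"id": "p002", "note": "constructed"}')

        backup = back_up(source, root / "offsite-backup")
        restored = restore(backup, root / "restored")
        clean_result = verify_restore(backup, restored)        # expect []

        (restored / "patients" / "p002.json").write_text("truncated by a bad restore")
        damaged_result = verify_restore(backup, restored)      # expect one "corrupt" entry

        (backup / "manifest.json").write_text("{}")           # someone edits the metadata
        try:
            verify_restore(backup, restored)
            manifest_rejected = False
        except ValueError:
            manifest_rejected = True
        return clean_result, damaged_result, manifest_rejected


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the hashing itself. The manifest is authenticated with a key that does not travel with the backup, so an altered backup cannot be made to look consistent by also rewriting its manifest. And verification is a function you can run on a schedule against a real restore, which is what turns "we have backups" into evidence that exact copies are retrievable.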
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened HIPAA enforcement by raising the penalties for organizations that violate the Privacy and Security Rules and by making business associates directly liable for Security Rule compliance. HITECH was a response to the growing creation, use, storage, and transmission of electronic health information.
As society increasingly relies on electronic devices and the cloud for everything, there is a growing push to keep records in the cloud and to give clinicians remote access to patient data from mobile devices. Your physician may store your records on an office computer; your eye doctor may enter your information or book an appointment on a tablet. Having your information at hand saves them time, as long as they exercise care and maintain HIPAA compliance.