Healthcare organizations must abide by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act in order to remain compliant. HIPAA requires all healthcare providers, hospitals, health plans, and other covered entities to ensure the privacy of patients' protected health information (PHI). HIPAA and HITECH are more important than ever for securing protected health information given the growing number and severity of cyber attacks and data breaches.
HIPAA, enacted in 1996, “addresses the use and disclosure of individuals’ health information—called protected health information” according to the Department of Health and Human Services. HIPAA was created to ensure the privacy and ethical use of protected health information (PHI). The rule applies to all covered entities and also establishes individuals' privacy rights to control how their own health information is used. Covered entities include “health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions.”
HIPAA regulations protect “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” This information is called protected health information (PHI). PHI includes:
De-identified data is not protected by HIPAA, and its use is not restricted. To be categorized as de-identified, the data cannot contain information that could be used to identify an individual.
The five titles of HIPAA are:
Title II, the Administrative Simplification provisions, is the title most commonly referenced regarding HIPAA compliance. It requires that all healthcare entities have a unique 10-digit National Provider Identifier (NPI). It also states that healthcare organizations must follow the standardized mechanism for electronic data interchange when processing and submitting insurance claims. The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, is another part of this title; it sets the national standard for protecting patient health information. Standards for patient data security are also outlined by the Security Rule, the Security Standards for the Protection of Electronic Protected Health Information. Finally, Title II contains the Enforcement Rule, which sets the guidelines for investigating HIPAA compliance violations.
HIPAA is crucial for protecting sensitive information, so there are steep penalties for violations. A covered entity must designate a privacy official to develop and implement the policies that follow HIPAA guidelines. All employees need training on the policies and procedures related to HIPAA. The privacy of PHI must be maintained, and if PHI is disclosed in violation of the rules, the covered entity must mitigate any harmful effects. Suffering a healthcare data breach or failing to give patients access to their PHI is a violation that can result in a fine. The maximum penalty per violation is $50,000, and the annual maximum is $1.5 million for repeat violations. Intentional HIPAA violations can result in higher fines or even jail time.
The Health Information Technology for Economic and Clinical Health Act, or HITECH Act of 2009, was created to expand the scope of the privacy and security protections available under HIPAA. HITECH increased the legal liability for non-compliance with HIPAA and brought stricter enforcement. The main objective of HITECH is to increase the use of electronic health records (EHR) to match the expected expansion of electronic PHI exchange among healthcare entities. As with all PHI, electronic PHI must follow all HIPAA guidelines when shared between doctors and hospitals. Under the HITECH Act, HIPAA violations involving willful neglect carry greater penalties.
To protect PHI and remain HIPAA and HITECH compliant, cybersecurity is crucial. However, it can be difficult to navigate all of the requirements. At Thrive Security, we use leading practices to reduce the possibility of a data breach. With experience in many fields including healthcare, we have the expertise to make sure you remain compliant. Our knowledgeable team assesses your information security and helps you achieve it. Through our NIST-based approach and risk analysis, our experts thoroughly understand your strengths and areas of risk. We build a personalized information security program best suited to your organization and make sure you meet stringent regulatory requirements. Visit our website or give us a call at (317) 974-0382 to learn more about our technological solutions and how we can help you follow HIPAA regulations.