Nearly twenty years ago, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The HIPAA Privacy and Security Rules have had a vast and lasting impact on a wide range of organizations. As such, the federal government initially allowed for a degree of
Now, the government has become more aggressive in investigating and punishing HIPAA non-compliance, potentially leaving your organization open to scrutiny and penalties. Most of the questions surrounding HIPAA compliance have been clarified, and on January 17, 2013 the Department of Health and Human Services (HHS) released the final rule implementing new changes to HIPAA.
If you did not satisfactorily address the HIPAA Privacy and Security Rules when they were first implemented, or if you simply have not reviewed your HIPAA compliance activities in several years, now is the time to conduct a thorough review.
Covered entities under HIPAA are broadly defined and include:
An employer’s health plan—not the employer—is a covered entity under HIPAA. In order to comply, employers need to designate the employees that are part of the health plan’s “workforce,” i.e., those that are responsible for any functions related to administration of the group health plan. This may include payroll, human resources, finance and IT personnel.
The Health Information Technology for Economic and Clinical Health (HITECH) Act further extended HIPAA’s Privacy and Security Rules to “business associates,” or, organizations that require personal health information (PHI) to perform a function on behalf of the group health plan. Business associates may include third party administrators, pharmacy benefits managers, or benefits consultants.
Covered entities are required to enter into a HIPAA-compliant business associate agreement with each business associate with which they do business. These contracts delineate how the business associate will use and secure PHI.
The goal of the HIPAA Privacy Rule is to maintain the confidentiality of protected health information (PHI). HIPAA defines PHI as “individually identifiable health information that is created, received, stored, or transmitted by a covered entity.”
It also describes PHI as anything that “relates to the past, present or future physical or mental health of the individual or information relating to the provision of care or payment for that care.”
The privacy rule defines the requirements for covered entities when using and disclosing PHI. In addition, it establishes certain rights that individuals have regarding their own PHI, and establishes administrative steps that covered entities must take to secure PHI.
The HIPAA Security Rule spells out what covered entities must do to safeguard PHI. More specifically, the goals are:
The Security Rule provides more detailed requirements for securing PHI that is used, stored, and transmitted electronically. In addition, it establishes five categories of safeguards that covered entities must address, including Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Documentation Requirements.
Covered entities should develop a security compliance plan that details the steps taken to address each set of safeguards.
The HITECH Act (passed in 2009 in conjunction with the federal stimulus bill) significantly changed the penalties related to HIPAA non-compliance. In addition, the Office of Civil Rights has launched an audit program to proactively enforce the HIPAA Privacy and Security Rules. The audit program resulted in fines and penalties against organizations that were found to have not taken adequate steps to protect PHI.
The Office of Civil Rights remains committed to ongoing reviews of HIPAA Privacy and Security compliance. If your organization has not reviewed or updated your HIPAA compliance activities in several years, you may be vulnerable to fines or penalties for non-compliance.
To help evaluate how your HIPAA compliance activities would fare in the event of an audit, visit the Office for Civil Rights Audit Program Protocol page.
This article is for basic informational purposes only and should not be considered a complete description of your organization’s requirements under HIPAA and HITECH. Please consult appropriate legal counsel or your HNI Relationship Manager for a complete review of your rights and responsibilities under these laws.