HIPAA compliance is a daunting topic, but when broken down into smaller parts, it's much easier to understand.
In this series of posts, we'll do just that. We'll cover HIPAA basics and how Streamworks secures Protected Health Information through HIPAA-compliant processes.
First, some basics...
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Its original purpose was portability: with the act in place, Americans could keep and carry health care coverage through job changes or job loss.
The Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), enforces HIPAA's privacy and security requirements. HIPAA also sets standards for the protection and handling of Protected Health Information.
Protected Health Information (PHI) is individually identifiable health information: any information about a person's health condition, care, or payment for care that can be linked to that individual. Examples of identifiers that make information PHI are names, addresses, medical record numbers, and even full-face photographs. When PHI is created, stored, transmitted, or accessed electronically, it's categorized as electronic PHI, or ePHI for short.
At Streamworks, meeting and exceeding these standards to protect your PHI and ePHI is what our HIPAA compliance program is all about.
Two types of organizations must be HIPAA compliant as specified in the HIPAA regulations:
Covered Entities are the health plans, health care clearinghouses, and health care providers that create, receive, maintain, or transmit PHI/ePHI. Examples: health insurance companies, health care providers (clinics, hospitals, etc.), and health care clearinghouses.
Business Associates are organizations that perform services or functions on behalf of covered entities and, in doing so, create, receive, maintain, or transmit PHI and ePHI. Examples: cloud and physical storage providers, IT providers, print & mail providers, billing companies, shredding companies, etc. A subcontractor that handles PHI for a business associate is itself a business associate.
When covered entities and business associates work together, they must have a Business Associate Agreement (BAA) executed between them. The BAA is a contract that defines the permitted uses and disclosures of PHI and ePHI, the safeguards the business associate must apply, and its obligations to report breaches back to the covered entity. It must be in place before any sharing of PHI/ePHI occurs.
Additional HIPAA "rules" have been adopted since the 1996 enactment of the original HIPAA law. These rules set new standards and help clarify existing ones.
There are four main rules to be aware of:
The HIPAA Privacy Rule applies primarily to covered entities and covers PHI in any form, paper or electronic. The rule gives patients rights over their PHI/ePHI, such as the right to access it and to request corrections, and limits how it may be used and disclosed. It also requires covered entities to take reasonable steps to keep information confidential when communicating with individuals. If you've ever had to sign paperwork at the doctor's office about their use of your PHI, you've experienced the Privacy Rule in action.
The HIPAA Security Rule applies to covered entities and business associates alike and is specific to ePHI. It requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted. Risk analysis, written policies and procedures, and security training for the workforce are mandatory.
The HIPAA Breach Notification Rule defines what to do when unsecured PHI/ePHI is breached. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, and every breach must be reported to HHS, but the timing depends on the size of the breach. A breach affecting fewer than 500 individuals can be logged and reported to HHS within 60 days after the end of the calendar year in which it was discovered. A breach affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well.
Finalized in 2013, the Omnibus Rule is another addendum to the existing HIPAA laws. In short, it amends the Privacy, Security, and Breach Notification rules and restricts the use of PHI/ePHI for marketing, and the sale of PHI, without the individual's written authorization.
It also makes business associates, and their subcontractors, directly liable for complying with the Security Rule and with applicable parts of the Privacy Rule, including liability for their own breaches.
As a trusted Business Associate, Streamworks follows HIPAA requirements for the security and protection of client PHI and ePHI. Our third-party HIPAA compliance attestation confirms that these controls are in place and working.
HIPAA laws and compliance can be a complex network of rules and regulations. Breaking them down into bite-sized chunks makes them easier to understand and follow. In Part 2 of this series, we'll take a deeper look at what it takes to achieve HIPAA compliance, including documentation, training, and auditing.
If you're in the healthcare industry, HIPAA compliant secure mail is critical. Our 100% Verified Secure Mail allows us to detect and correct mismatches in real-time to protect the integrity of your HIPAA-compliant sensitive data. Learn more below.