HIPAA compliance begins by recognizing that each person’s health information is private (a no-brainer). At the same time, your business needs to access and often share that information to provide vital health services and support. The question is how to meet both objectives.
First, HIPAA/HITECH defined
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is federally mandated to protect health information that your company receives from clients or customers. The Health Information Technology for Economic and Clinical Health (HITECH) Act specifically deals with electronic protected health information (ePHI).
HIPAA/HITECH compliance covers the standards for privacy, the safeguards companies need to implement, and how companies report a breach to the U.S. Department of Health and Human Services.
Who must comply?
If you are a healthcare agency or provider, you are required to be HIPAA compliant. This requirement also extends, however, to business associates of healthcare agencies or providers. They include:
- Services that process or reformat medical claims
- Consultants that perform utilization reviews for hospitals
- Medical transcriptionists
- Tech firms like Future Link IT that provide hosted email, IT services, or offsite backups
Security for electronic data
HIPAA/HITECH rules for data security work to:
- Secure data integrity and confidentiality, internally and as data leaves the office
- Identify and protect against reasonably anticipated threats
- Protect against disclosures that are not permitted but can be reasonably anticipated
- Ensure workforce compliance
- Certify that any person or company requesting information is authorized to have it
The most common cause of breaches lies outside your office. All data that leaves your company must be encrypted. This includes data on laptops, in backups, and in transit from your office to a billing company, etc. Where we see clients out of compliance is not when their system has been hacked, but rather when a third party loses their laptop – with their unencrypted data on it.
There are cases, outlined in the Code of Federal Regulations, where health information can be exchanged without the prior approval of the patient or client. But in those cases, all of the security rules must be in place to limit sharing to what is strictly necessary and to protect the data.
What you can and can’t do with health information
HIPAA/HITECH has many provisions and exceptions that could affect the way that you communicate with other healthcare organizations or with individuals whose information you are accessing. The following are just a few examples:
- Assuming that all the HIPAA/HITECH requirements are met, you are allowed to email protected health information (PHI) for treatment purposes.
- To verify a person’s right to access the information, you can accept a scanned image of signed documentation or an electronic signature if that is permitted by law.
- You should have multiple ways to communicate with the patient, customer, or client if you need, for example, to request information or to set up an appointment. The individual selects the method of sharing information: email, postal mail, telephone, fax, etc. But it is your responsibility to let the individual know about any security concerns you may have.
HIPAA compliance is closely linked to HITECH compliance; together they keep healthcare information safe during electronic storage, access, and transfer.
Have questions on HIPAA compliance, for audit, implementation, planning or strategy? We can help. Our team has aided clients in addressing HIPAA since the act’s inception in 1996. Contact us to see how you can meet compliance and business goals.