The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive set of healthcare provisions enacted by the United States Congress and signed into law by President Bill Clinton in 1996. It mandates broad-based legislation regarding healthcare access, portability and renewability, along with security and privacy rules for electronic health records and related information ("protected health information", or PHI, and a subset thereof known as "electronic protected health information", or ePHI).
Title II of HIPAA
Within Title II of HIPAA, the main emphasis has been on the "Privacy Rule" and the "Security Rule", two critically important legislative mandates. The Privacy Rule established, for the first time, a set of national standards for the protection of certain health information, and the Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Being "compliant" with HIPAA is a broad statement indeed, due in large part to the depth of the HIPAA legislation itself. While Title I and Title II of HIPAA contain numerous, far-reaching provisions for many organizations in the health and benefits arena, great emphasis has been placed on the Privacy Rule and the Security Rule regarding regulatory compliance, due to their applicability to many entities.
Additionally, supporting legislation from Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) strengthens the civil and criminal enforcement of the HIPAA Privacy and Security Rules. It must also be noted that for both the Privacy Rule and the Security Rule, along with the mandates within Subtitle D of HITECH, organizations are identified as either a "covered entity" or a "business associate".
A "covered entity" is defined as any of the following:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [e.g., HIPAA Administrative Simplification transaction standards].
A "business associate" is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Simply stated, business associate functions and activities vary widely and can include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and data warehousing, to name a select few.
The technical definition of a "business associate" – expanded by the final Omnibus Rule in 2013 – can now include emerging technologies and businesses, such as data centers, Software as a Service (SaaS) entities, and managed services providers, to name a select few. Visit the Department of Health and Human Services (www.hhs.gov) to learn more about HIPAA and for helpful guidelines on protecting healthcare information.
Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry-leading HIPAA compliance toolkits today.