Health Insurance Portability and Accountability Act (HIPAA) | Introduction and Overview

The Health Insurance Portability and Accountability Act, simply known as HIPAA to many, was signed into law in 1996 by President Bill Clinton. Since then, it has been considered without question the largest and most comprehensive healthcare legislation in North America, affecting millions of businesses and essentially every citizen. The law itself is incredibly voluminous, consisting of a seemingly endless number of publications, drafts, edits, final rulings, and more. Even so, it is important not to get lost in the abyss of HIPAA and instead to focus on the core themes and elements of the Health Insurance Portability and Accountability Act. The following aspects are the most important for gaining a greater understanding of HIPAA and its implications for you and your business:

HIPAA Security Rule: The HIPAA Security Rule, consisting of the three (3) well-known “Safeguards” (Administrative, Physical, and Technical Safeguards), forms the cornerstone of information security under the Health Insurance Portability and Accountability Act. From subpart 164.308 to 164.312, there are over 50 combined “standards” and “implementation specifications” covering all aspects of the broader subject of information security. What is important to note about the HIPAA Security Rule is the need for healthcare-specific information security policies and procedures.

HIPAA Privacy Rule: The HIPAA Privacy Rule covers the various uses and disclosures of Protected Health Information (PHI), along with numerous other general provisions. Both Covered Entities (CE) and Business Associates (BA) will need to spend considerable time understanding the merits of the Privacy Rule and its implications for their business. A comprehensive Privacy Rule Readiness Assessment and Checklist is an excellent place to start.

HIPAA Breach Notification: Section 13402 of the HITECH Act requires that both Covered Entities (CE) and Business Associates (BA) provide various notifications following a breach of unsecured Protected Health Information (PHI). It is therefore important to understand the policies, procedures, and processes that must be in place in the unfortunate event that a breach occurs.

Final Omnibus Ruling: Major changes came about for HIPAA with the pronouncement of the Final Omnibus Ruling in January 2013. More specifically, the Breach Notification provisions were amended, fines and penalties were increased, and the term “Business Associate” was formally defined, along with other important matters.

HITECH Act: The Health Information Technology for Economic and Clinical Health Act, simply known as the HITECH Act to many, was officially enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, and is considered a major piece of health care legislation in many ways. Specifically, HITECH advocates the adoption of electronic health records (EHR) to create efficiency, transparency, and overall improvements in care. For purposes of regulatory compliance, specifically HIPAA Privacy and Security, the HITECH Act component of critical importance is Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information.

Security Awareness Training: Another strict mandate for HIPAA compliance is security awareness training, as stated in HIPAA §164.308(a)(5)(1), Security awareness and training: “Implement a security awareness and training program for all members of its workforce (including management).” This means having comprehensive measures in place for training both new and existing employees on all critical security and HIPAA-specific issues, threats, concerns, and organizational best practices that help ensure the safety and security of Protected Health Information (PHI).

Policies and Procedures: One of the biggest mandates – and challenges – for Covered Entities (CE) and Business Associates (BA) is developing comprehensive information security and operation-specific policies and procedures for HIPAA compliance. Authoring such policy material can take hundreds of hours and cost thousands of dollars, yet the easy solution is downloading the HIPAA policy toolkits.

Compliance is Essential: With the pronouncement of the Final Omnibus Ruling in January 2013, HIPAA has now been given true regulatory compliance powers. Add in the DHS compliance audits, and you will quickly agree that becoming compliant with HIPAA is a must.

The Essentials of Protected Health Information (PHI): Protected Health Information (PHI) can actually be considered a subset of Personally Identifiable Information (PII). What is important to note is that PHI can consist of many different “identifiers”, some sensitive on their own and others sensitive in combination with other “identifiers”. From social security numbers to dates of birth – and much more – ensuring the safety and security of PHI is paramount.

Other Essential Documentation: HIPAA compliance mandates that healthcare organizations undertake annual risk assessments, put in place numerous other policy and procedural documents, and ensure a “HIPAA compliant atmosphere” is maintained at all times. It is a new world of regulatory compliance mandates for Covered Entities (CE) and Business Associates (BA) – and all other applicable healthcare providers – so now is the time to become fully compliant with HIPAA. Learn more about our industry leading products and services today.

Download HIPAA Policies and Compliance Toolkits Today

Industry leading HIPAA toolkits are also offered for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry leading HIPAA compliance toolkits today.