Congress created the Health Insurance Portability and Accountability Act (HIPAA) and President Bill Clinton signed it into law in 1996. This act set national standards for protecting electronic healthcare transactions and information that could potentially identify an individual.
When conducting HIPAA gap analysis and risk analysis services, we often start by helping our clients understand and navigate the Security Rule. Part of this starts with a basic understanding of the terms used in the rule, as understanding them can be confusing at first:
There have been additional acts and rules published that update requirements for HIPAA compliance:
HIPAA and the Privacy Rule were written concerning PHI and, more recently, electronic protected health information (ePHI). ePHI can include information about:
HIPAA regulations require not only that this information be secured in the present, but also that it remain protected for 50 years after the individual's death.
The Privacy Rule strongly dictates how organizations are to handle PHI. Generally, organizations cannot use or disclose PHI unless the Privacy Rule requires or permits it, or if an individual authorizes such use in writing. Whether PHI is disclosed because it is required or it was authorized, the organization must make a reasonable effort to disclose only the minimum necessary health information required to achieve its purpose. This is what HHS refers to as the Minimum Necessary Requirement. This also applies whenever an organization uses or requests PHI/ePHI.
So, who is responsible for ensuring that these standards are met? The Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. The tools OCR utilizes to achieve this include random compliance audits and civil money penalties. Civil money penalties may be issued to an organization that suffers a breach.
OCR’s use of civil money penalties depends on how proactive the organization is in preventing and stopping potential breaches. If an organization suffered a breach, had done everything it could to prevent it, and stopped it shortly after it was discovered, any potential fine would likely be smaller. However, if the organization was negligent in its prevention or response activities and became the victim of a breach, it would likely be fined significantly more.
If you are wondering where you stand in terms of HIPAA compliance, NuHarbor Security can help by performing a detailed HIPAA gap analysis or HIPAA risk analysis. If you’re not ready for that or would like help determining how HIPAA applies to your organization, we also offer general HIPAA consulting to address your unique needs.
Looking to find out more about HIPAA? NuHarbor offers two additional resources related to HIPAA: HIPAA Risk Analysis vs Gap Assessment and 10 Steps to Starting a HIPAA Gap Analysis.