
The Health Insurance Portability and Accountability Act, known as HIPAA, is a regulatory standard that outlines the lawful disclosure and use of protected health information. HIPAA is regulated by the HHS (Department of Health and Human Services) and enforced by OCR (Office for Civil Rights).
The OCR maintains HIPAA compliance in the medical sector by issuing routine guidance on current issues in health care and by investigating common HIPAA violations.
Complying with HIPAA: Understanding the privacy and security rules for healthcare practices.
The two types of organizations that must be HIPAA compliant are described below.
- Covered entities
HIPAA regulation describes a covered entity as an organization that creates, transmits, and collects PHI electronically. Covered entities are healthcare organizations, including health insurance providers, healthcare clearinghouses, and healthcare providers.
- Business associates
HIPAA regulation describes a business associate as an organization that has been contracted to act on behalf of a covered entity and that encounters PHI in the course of that work. Because such a broad range of service providers process, transmit, and handle PHI, there are many kinds of business associates. Common examples are billing companies, third-party consultants, shredding companies, practice management companies, email hosting companies, cloud storage providers, physical storage providers, accountants, attorneys, and many more.
Elements of the compliance program
- Written policies and standards of conduct.
- Conducting internal auditing and monitoring.
- Effective training and education.
- Performing internal monitoring and auditing.
- Developing lines of communication.
- Responding to detected offenses and taking corrective action.
HIPAA violation
- Data breach
A typical example is the theft of an unsecured company laptop that an employee uses to access medical records. HIPAA lays down specific protocols to follow after a data breach; they set out how business associates and covered entities must respond to a breach event.
- Breaches affecting fewer than 500 individuals
The HIPAA breach rules require entities to collect data on every smaller breach that occurred during the year and to report them to the HHS OCR within 60 days of the end of the calendar year. Affected individuals must be notified that their data was involved in the breach within 60 days of the breach being discovered.
- Breaches affecting more than 500 individuals
The HIPAA breach rules require these larger breaches to be reported to the HHS OCR within two months of discovery. Affected individuals must be notified upon discovery of the breach. Local law enforcement should be notified immediately so that potentially affected individuals can be alerted.