What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of US legislation, introduced in 1996, that safeguards patient information and its transmission. Covered entities (CE) and business associates (BA) must comply with HIPAA regulations. Healthcare providers, health insurance plans and healthcare clearinghouses are covered entities, whereas a business associate is a person or entity that performs third-party services or activities on behalf of a covered entity that involve access to protected health information (PHI). Any information about health status, provision of healthcare or payment for healthcare services that is created, collected or transmitted by a covered entity and linked to individually identifiable information is PHI under US law.
HIPAA Regulatory Rules
Healthcare organizations have been embracing the cloud to cut costs and improve the quality of care. While cloud adoption is a crucial stride for a healthcare entity, it is equally important to adhere to HIPAA regulations. HIPAA establishes standards for the secure handling of PHI, which benefits caregivers and consumers alike.
The HIPAA regulations are categorized into several major standards or rules such as:
1. Privacy rule: Considered one of the major pillars of HIPAA, this complex rule sets the national standards for protecting patients' medical records and PHI and defines the permitted uses and disclosures. It also gives individuals the right to access their health records and to request corrections, and with that right individuals can obtain an accounting of when and how their medical records and data have been shared with others.
2. Security rule: This rule specifies how to protect the confidentiality, integrity and availability of electronic medical records, or e-PHI. The Security Rule mainly describes the safeguards that covered entities and business associates must implement to protect e-PHI from reasonably anticipated threats or hazards. It defines three categories of safeguards: administrative safeguards, technical safeguards and physical safeguards.
- Administrative safeguards are the administrative actions, policies and procedures for managing the selection, development, implementation and maintenance of security measures, including the management of the workforce responsible for them. They consist of nine standards: Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements.
- Technical safeguards cover the technology and the related procedures used to protect e-PHI, such as encryption and authentication. They consist of five standards: Access Control, Audit Controls, Integrity, Person or Entity Authentication, and Transmission Security.
- Physical safeguards are the physical measures, policies and procedures for protecting the facilities and devices that store PHI from environmental hazards, unauthorized intrusion, theft and more. They consist of four standards, including Facility Access Controls, Workstation Use, and Device and Media Controls.
3. Enforcement rule: As the name implies, this rule sets out the compliance procedures, investigations, hearings and penalties for HIPAA violations. Any covered entity that fails to ensure the privacy and security of protected health information faces substantial fines and penalties for violating HIPAA and the Administrative Simplification requirements.
4. Breach Notification rule: This rule requires HIPAA covered entities and business associates to notify the affected individuals, the media and regulators following a breach of PHI. An impermissible use or disclosure that compromises the security or privacy of PHI is termed a breach. In such instances, the covered entity must provide the notifications within 60 days of discovering the breach.