If you’re looking at IT requirements for healthcare systems, a term that you will come across repeatedly is “HIPAA compliance.” This article talks about HIPAA, summarizes the basic HIPAA compliance rules, and briefly addresses a related act, HITECH.
- HIPAA Explained
- HIPAA Compliance Rules
- What About HITECH Compliance?
- HIPAA, HITECH, and Business Associates
HIPAA Explained
The Health Insurance Portability and Accountability Act (HIPAA) was passed by both houses of US Congress and signed into law by President Bill Clinton in 1996.
The act stated that regulations would be developed to serve a dual purpose:
- Streamline healthcare administration.
- Ensure that all US citizens’ health records are kept private and secure.
“The Act required Congress to enact laws implementing these goals by 1999,” said the Oregon Association of Hospitals and Health Systems (OAHHS). “When Congress failed to do so, DHHS stepped in and began promulgating regulations.”
When an IT service or healthcare organization describes itself as “HIPAA compliant,” that means that it is following the HIPAA compliance guidelines established within the law to safeguard the medical records (precisely the protected health information (PHI) delineated by HIPAA) of American patients.
Healthcare organizations must stay compliant because they are considered covered entities, while IT companies and others must be compliant as a business associate of healthcare organizations. Covered entities include healthcare providers (doctors, hospitals), healthcare plans (insurance carriers, company health plans), and health data clearinghouses. Meanwhile, business associates include organizations and individuals that contact the data, including technology service providers (e.g., web hosting firms), accountants, and shredding companies.
Covered entities and business associates must sign business associate agreements to solidify their relationship – the tasks to be performed by the business associate and its responsibilities about the protected health information. It should be noted that there is an exemption for certain companies, called the mere conduit exemption, that hosting companies and other organizations often wrongly believe applies to them. The exemption is for companies that temporarily store health data or make incidental contact with it while it is in transit, such as Internet service providers and paging businesses.
“The key difference between a conduit and a Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” explained attorneys Linda McReynolds and Ronald Quirk. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”
HIPAA Compliance Rules
There are three primary sections to the regulations, which are largely overseen by the Office for Civil Rights (OCR), an agency within the Department of Health and Human Services (DHHS or HHS):
- Standards for healthcare transactions
- The HIPAA Privacy Rule
- The HIPAA Security Rule.
Standards for healthcare transactions
These guidelines were essentially an effort to make transactions fit within a uniform framework. They became enforceable on October 16, 2000. However, the rules permitted that covered entities (the providers, plans, and clearinghouses described above) had until October 16, 2002, to develop an appropriate plan of action. The actual, final point at which HIPAA compliance became nonnegotiable was October 2003.
The HIPAA Privacy Rule
This rule, which is a broad set of guidelines, outlines the requirements of healthcare companies related to privacy, such as disclosure of health-related personally identifiable information and instructions for giving privacy notices to patients. According to OAHHS, it also detailed how organizations must “obtain consent and authorization for the use of information and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical record.”
These stipulations became binding on April 2001.
Here are a few of the most critical elements for providers:
- Privacy notice guidelines
- Rules related to patients opting out
- “Requirements for minimum necessary.”
- Administrative safeguards
- The responsibilities of partner organizations (see HITECH information below).
The HIPAA Security Rule
Again, this rule (a set of regulations) specifically states what must be done administratively and what firms must implement HIPAA physical safeguards to maintain compliance. The objective of both the administrative and physical safeguards was to ensure that all PHI was of high integrity (i.e., not lost or manipulated) and was kept away from any unauthorized parties. April 2005 was when companies had to achieve compliance with this rule.
What About HITECH Compliance?
Similar federal legislation important to healthcare organizations is the Health Information Technology for Clinical and Economic Health Act of 2009 (HITECH). “It was passed as a monetary incentive plan for hospitals to begin converting to electronic health records,” explained the American Bar Association. Although “the idea was for any hospital to be able to access all of your medical records” – with the basic goal of interoperability – privacy and security concerns have limited that fundamental objective.
HIPAA, HITECH, and Business Associates
One section of HITECH that was particularly important created the HIPAA Omnibus Rule, which became effective in September 2013. That rule made business associates directly responsible for maintaining HIPAA compliance.
You will notice on our site that HIPAA-compliant solutions are a primary point of focus for Atlantic.Net. We have extensive experience related to healthcare IT systems. Also, note that we’re an American company based in Orlando, Florida, offering HIPAA Hosting Services and blazing fast VPS hosting.
By Moazzam Adnan