If you’re looking at IT requirements for healthcare systems, a term that you will come across repeatedly is “HIPAA compliance.” This article talks about what HIPAA is, summarizes the basic HIPAA compliance rules, and briefly addresses a related act, HITECH.
- HIPAA Explained
- HIPAA Compliance Rules
- What About HITECH Compliance?
- HIPAA, HITECH, and Business Associates
The Health Insurance Portability and Accountability Act (HIPAA) was passed by both houses of US Congress and signed into law by President Bill Clinton in 1996.
The act stated that regulations would be developed to serve a dual purpose:
- Streamline healthcare administration.
- Make sure that all health records of US citizens were kept private and secure.
“The Act required Congress to enact laws implementing these goals by 1999,” said the Oregon Association of Hospitals and Health Systems (OAHHS). “When Congress failed to do so, DHHS stepped in and began promulgating regulations.”
When an IT service or healthcare organization describes itself as “HIPAA compliant,” that simply means that it is following the HIPAA compliance guidelines established within the law to safeguard the medical records (specifically the protected health information (PHI) delineated by HIPAA) of American patients.
Healthcare organizations must stay compliant because they are considered covered entities, while IT companies and others must be compliant as business associate of healthcare organizations. Covered entities include healthcare providers (doctors, hospitals), healthcare plans (insurance carriers, company health plans), and health data clearinghouses. Meanwhile, business associates include any organizations and individuals that come into contact with the data, including technology service providers (e.g., web hosting firms), accountants, and shredding companies.
Covered entities and business associates must sign business associate agreements in order to solidify their relationship – the tasks to be performed by the business associate and its responsibilities pertaining to the protected health information. It should be noted that there is an exemption for certain companies, called the mere conduit exemption, that hosting companies and other organizations often wrongly believe applies to them. The exemption is for companies that only store health data temporarily or make incidental contact with it while it is in transit, such as Internet service providers and paging businesses.
“The key difference between a conduit and Business Associate is the transient versus persistent nature of the opportunity to view the PHI,” explained attorneys Linda McReynolds and Ronald Quirk. “To qualify as a conduit, a service provider must ensure that PHI is only temporarily stored. It is irrelevant whether the service provider actually views the PHI.”
HIPAA Compliance Rules
There are three basic sections to the regulations, which are largely overseen by the Office for Civil Rights (OCR), an agency within the Department of Health and Human Services (DHHS or HHS):
- Standards for healthcare transactions
- The HIPAA Privacy Rule
- The HIPAA Security Rule.
Standards for healthcare transactions
These guidelines were essentially an effort to make transactions all fit within a uniform framework. They became enforceable on October 16, 2000. However, the rules permitted that covered entities (the providers, plans, and clearinghouses described above) had until October 16, 2002 to develop an appropriate plan of action. The true, final point at which HIPAA compliance became nonnegotiable was October 2003.
The HIPAA Privacy Rule
This rule, which is actually a broad set of guidelines, outlines the requirements of healthcare companies related to privacy, such as disclosure of health-related personally identifiable information and instructions for giving privacy notices to patients. According to OAHHS, it also detailed the manner in which organizations must “obtain consent and authorization for use of information and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical record.”
These stipulations became binding on April 2001.
Here are a few of the most important elements for providers:
- Privacy notice guidelines
- Rules related to patients opting out
- “Requirements for minimum necessary”
- Administrative safeguards
- The responsibilities of partner organizations (see HITECH information below).
The HIPAA Security Rule
This rule (again, a set of regulations) specifically states what must be done administratively and what HIPAA physical safeguards must be implemented by firms in order to maintain compliance. The objective of both the administrative and physical safeguards was to make certain that all PHI was of high integrity (ie, not lost or manipulated) and was kept away from any unauthorized parties. April 2005 was the date by which companies had to achieve compliance with this rule.
What About HITECH Compliance?
Similar federal legislation that’s of importance to healthcare organizations is the Health Information Technology for Clinical and Economic Health Act of 2009 (HITECH). “It was passed as a monetary incentive plan for hospitals to begin converting to electronic health records,” explained the American Bar Association. Although “the idea was for any hospital to be able to access all of your medical records” – with the basic goal of interoperability – privacy and security concerns have limited that fundamental objective.
HIPAA, HITECH, and Business Associates
One section of HITECH that was particularly important created the HIPAA Omnibus Rule, which became effective in September 2013. That rule made business associates directly responsible for maintaining HIPAA compliance.
You will notice on our site that HIPAA compliant solutions are a primary point of focus for Atlantic.Net. We have extensive experience related to healthcare IT systems. Also, note that we’re an American company, based in Orlando, Florida offering HIPAA Hosting Services on blazing fast Virtual Private Servers.
By Moazzam Adnan