What is success if you don’t have your health? August’s National Wellness Month is an excellent reminder that no matter what your business is striving to achieve, a hearty dose of self-care is the only way to feel truly powerful and fulfilled. Inspired by this month-long dedication to personal health we’re focusing in on helping businesses achieve peace of mind about how to adequately protect sensitive health information by becoming HIPAA compliant.
What Is HIPAA?
Enacted in 1996, the Health Insurance Portability and Accountability Act established national standards for the protection, lawful use, and disclosure of Protected Health Information (PHI).
Who Needs To Comply?
HIPAA applies to two specific types of businesses: Covered Entities and Business Associates.
To avoid significant civil penalties, any business that has even remote access to PHI will need to be HIPAA compliant. Even if you’ve signed a Business Associate Agreement (BAA) for a HIPAA compliant Covered Entity, you will not avoid the penalties associated with non-compliance due to the HIPAA Omnibus Rule of 2013.
The Main Rules Of Compliance
Many regulations must be studied and dissected to comply with HIPAA, but there are four main rules you’ll want to focus on to get the ball rolling:
The HIPAA Privacy Rule: This rule sets standards for patient’s rights to PHI. It includes the patent’s rights in attempting to access PHI, the rights of businesses to deny access, and the contents that must be included in Use and Disclosure Forms or Notices of Privacy Practices.
The HIPAA Security Rule: This rule establishes the standards for the physical, technical, and administrative safeguards that must be implemented to protect PHI. It specifies the need for authorized facility access and control, policies surrounding use and access to workstations and electronic media, restrictions for transferring or disposing of PHI, and the need for proper encryption and decryption.
The HIPAA Breach Notification Rule: This rule outlines the procedures that entities must follow in the event of a breach. It specifies the two types of breaches, Minor or Meaningful Breaches and how to properly report them.
The HIPAA Omnibus Rule: This addendum establishes that Business Associates and subcontractors must be HIPAA compliant and outlines rules surrounding the contracts between Covered Entities and Business Associates known as Business Associate Agreements (BAA).
Organizing Your Business For Compliance
Organizing the implementation of all these requirements may seem daunting, but luckily, the HHS has provided guidance by summarizing these into a general checklist called “The Seven Elements of an Effective Compliance Program.” They are as follows:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and taking corrective action.
As the above checklist makes clear, the road to HIPAA compliance is a continual process primarily involving a pattern of rigorous documentation that not only ensures that the proper precautions are taken but that you can prove you’ve taken them. Essentially, you’ll need to satisfy the Security Rule, create policies that address its elements, develop a training program, and document your compliance as you go.
The complex nature of HIPAA rules and the intense procedural demands are why having an expert Managed Service Provider (MSP) to guide you through the process isn’t a luxury, it’s a necessity. At AdRem Systems, we build customized plans so you feel strong and secure while handling PHI. Contact us ASAP to get a better sense of how we can help.