The Health Insurance Portability and Accountability Act (HIPAA for short) makes sure patients’ protected health information is secure and only accessed by the appropriate people.
What is HIPAA? HIPAA has many parts to it, including individuals’ privacy rights to understand and control how their health information is used and the need for healthcare organizations to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (electronic protected health information).
So, how has HIPAA helped the healthcare industry? It has improved efficiency, streamlined administrative healthcare functions and ensured protected health information is safe. Bringing in these standards ensures everyone is on the same page, as all HIPAA-covered healthcare organisations use the same code sets and recognized identifiers. This makes it easier when transferring information between providers and plans.
If you’re not compliant, you could be fined between $100 and $50,000 per incident.
The cost depends on the severity of negligence. You could also have criminal charges filed against you for willful neglect. And who regulates and enforces HIPAA compliance? The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR).
The Enforcement Rule is the investigation that follows a breach of ePHI and covers the civil money penalties for violations, and procedures for hearings. What about the Breach Notification Rule? This requires healthcare providers, health plans and clearing houses to notify affected individuals of a breach of ePHI. It also requires any breach to be notified to the Department of Health and Human Services.
What is the Security Rule? It protects e-PHI. You need to have physical, technical and administrative safeguards in place.
Physical safeguards include limited facility access, with authorised access only, as well as policies covering the use and access to workstations and mobile devices.
The technical safeguards include using unique user IDs, emergency access procedures, automatic log off, encryption and decryption, as well as running audit reports and tracking logs to record activity. IT disaster recovery and offsite backup are crucial to ensure any electronic errors or failures are sorted quickly and the PHI is recovered accurately and un-damaged. Protection against unauthorized access to ePHI is also important and covers every method of data transmission from email, internet, a private cloud and private networks.
And finally, what are the administrative safeguards? These are pivotal to the compliance checklist. They require that a Security Officer and Privacy Officer are assigned to put the measures in place to protect ePHI, whilst also monitoring the conduct of the workforce. There then needs to be risk assessments and audits to ensure continued compliance.
The Privacy Rule makes sure national standards are upheld by setting limits on how you can use and disclose information without the patient’s authorisation.
But why is the Privacy Rule important? It sets limits on the use and disclosure of information without patient authorization.
What rights do patients have with the Privacy Rule? They can ask for a copy of their health records and request changes if they want, and you must respond within 30 days. This applies to all healthcare organizations, providers of health plans (including employers), healthcare clearinghouses and business associates of covered entities.
Why should you make sure your vendors are HIPAA compliant?
With new technologies playing a key role in general practice, you must be assured of your patients’ security as well as upholding your clinic’s reputation.
More and more doctors are using remote patient monitoring and the multiple CPT codes available to build the profitability of their clinics. Working with remote patient monitoring companies that follow HIPAA compliance is crucial for patient security and patient care.
Want to see HIPAA done well? All Qardio and QardioMD services comply with HIPAA laws and the European Union Data Protection Directive.
User data is stored both locally on the user’s device as well as in Qardio Cloud. We only record information that we strictly need to operate our products and services. Transmission of information is protected with military grade AES 256 bit encryption in server facilities that meet the highest industry standards in security, monitoring, and access.