Health Insurance Portability and Accountability Act (HIPAA) was enacted into legislation in 1996, with the initial goal of assisting more Americans in obtaining health insurance coverage.
The act also allowed the Department of Health and Human Services (HHS) to establish guidelines for the protection of sensitive health information.
HIPAA is applicable to all parties that work with any form of U.S. healthcare information.
The primary HIPAA components are:
- Privacy and security rule
- Breach notification rule
HIPAA Privacy and Security Rule
HIPAA Privacy Rule enforces full transparency on where the data is being stored, who can view patient data, and the reason behind the data disclosure and use.
HIPAA Security Rule provides safeguards to ensure effective security measures are in place to protect the systems and processes that handle sensitive customer information.
The security rule is further broken down into:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
1. Administrative Safeguards
Administrative safeguards cover all the operational security requirements and any gaps that could cause data leakage.
Under HIPAA administrative safeguards, employees are required to get regular HIPAA awareness training. This guarantees that every employee handling healthcare data, whether directly or indirectly, is aware of HIPAA and its penalties.
Maintaining a Business Associate Agreement (BAA) between two parties sharing Protected Health Information (PHI) is another crucial HIPAA obligation.
A BAA is a legal pact between two parties who exchange PHI, under which the third party must declare that they are HIPAA compliant before receiving any sensitive data.
2. Technical Safeguards
Technical safeguards focus on providing a minimum level of security for the systems that transmit, store or use patient data.
Implementing appropriate log monitoring procedures is one of the many essential technical security requirements of HIPAA; it helps an organization understand the nature and scope of a security incident.
3. Physical Safeguards
Physical safeguards provide baseline requirements for physical security measures, policies, and procedures.
For HIPAA compliance, having a password or an encryption option on the device is not considered sufficient. HIPAA requires strategies to be in place for protection against theft, loss, or unauthorized access to a device.
Breach Notification Rule
In addition, HHS has published a Breach Notification Rule. This rule ensures full transparency of a PHI breach to all affected parties. The guideline includes information about breach detection and notification.
How to comply with HIPAA?
Unlike other information security standards, HIPAA does not require a certification or an external audit. Compliance is self-evaluated, but all organizations that declare themselves HIPAA compliant must keep formal documentation that proves their compliance.
Medical transcription also comes under the legislation of HIPAA. Before hiring an individual or a company to do medical transcription, ensure they are HIPAA compliant.