What is HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The law, together with the regulations that the US Department of Health and Human Services (HHS) issued under it, establishes rules for the handling and security of Protected Health Information (PHI); the rules are enforced by the HHS Office for Civil Rights (OCR). HIPAA regulations set requirements for organizations covering:

  • Use and disclosure of PHI
  • Access to PHI
  • Storage of PHI
  • Transmission of PHI
  • Breach Notification

HIPAA applies to organizations that create, receive, maintain, or transmit PHI in the course of covered activities. Those organizations are classified as either Covered Entities or Business Associates. Covered Entities are health care providers that transmit health information electronically in connection with standard transactions (for example doctors and hospitals), health plans, and health care clearinghouses. Business Associates are persons or entities that perform functions or services on behalf of a Covered Entity that involve creating, receiving, maintaining, or transmitting PHI; a subcontractor that handles PHI for a Business Associate is itself a Business Associate.

HIPAA standards are built on these three rules:

HIPAA Privacy Rule

Dictates when and how PHI, in any form (oral, paper, or electronic), can be used and disclosed. The Privacy Rule establishes patient rights to control how their health information is used. It also gives patients the right to access their health records and to request that errors be amended.

HIPAA Security Rule

Sets standards to protect the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI). It is a collection of administrative, physical, and technical safeguards, each made up of required and addressable implementation specifications.

Breach Notification Rule

Requires that affected individuals, HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets be notified following the discovery of a breach of unsecured PHI. Notice must be given without unreasonable delay and no later than 60 days after discovery; breaches affecting fewer than 500 individuals may instead be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A Business Associate that discovers a breach must notify the Covered Entity.

Achieving HIPAA Compliance

To be HIPAA compliant, your organization must implement policies and procedures that meet the standards of the Privacy, Security, and Breach Notification Rules.

A good first step toward HIPAA compliance is conducting a risk analysis, which the Security Rule itself requires, to determine your existing risk exposure and how your current controls measure up against the requirements. The data from the assessment can be used to build a HIPAA roadmap.

After the risk assessment, consider performing an audit comparing your current policies, processes, and practices to the HHS Office for Civil Rights (OCR) Audit Protocol.

At this point, you will be able to confidently implement policies, procedures, and technologies that are compliant with HIPAA standards.

Once you have reached HIPAA compliance, it is important to keep the program up to date and accurate. Watch for changes in the HIPAA rules, and account for changes within your own environment that could affect compliance. The Security Rule requires that the risk analysis be kept current and that policies and procedures be periodically evaluated, so reassessment is an ongoing obligation rather than a one-time exercise.

The Risk of Noncompliance

Civil penalties for a HIPAA violation are tiered by culpability, from violations the organization could not reasonably have known about up to willful neglect that is not corrected. The statutory amounts range from $100 to $50,000 per violation, with a maximum of $1.5 million per calendar year for violations of an identical provision; these figures are adjusted annually for inflation, so current amounts are higher. Knowing misuse of PHI can also carry criminal penalties. The damage to your organization’s reputation caused by a data breach or HIPAA fine could impact revenue for years to come.

How We Can Help

At CompliancePoint we have a team of experienced professionals from the healthcare and security industries who can guide you through every step of the HIPAA compliance process. We evaluate your security policies and procedures against HIPAA standards through a HIPAA assessment, identify any existing gaps, and help you develop a plan for remediation. Once your updated policies are implemented, CompliancePoint conducts a final audit review and issues a report of compliance. The report gives regulators, partners, and leadership proof of your organization’s compliance, validated by an independent third party.

The CompliancePoint HIPAA Compliance Program assists in establishing and meeting the requirements by assessing the general and application control requirements across the various business functions of Covered Entities and their Business Associates.