Anyone who works in the healthcare or insurance industry is familiar with, and must comply with, HIPAA, the Health Insurance Portability and Accountability Act. The United States Congress enacted HIPAA in 1996 to create regulations designed to provide the ability to transfer and continue health insurance; mandate industry-wide standards for healthcare and electronic billing; reduce healthcare fraud and abuse; and require the protection and confidential handling of protected health information (PHI).
But what does that mean? In layman’s terms, it does a couple of things. First of all, it sets standards that anyone who provides healthcare must abide by, both in the office and in billing. Second, it allows the consumer to transfer health insurance from one provider to another while maintaining the same confidentiality and standards as the previous provider.
Third, it prevents your doctor or healthcare provider from discussing your patient information with, or around, anyone you have not given permission to know that information. It’s the reason your pharmacist takes you aside to discuss your prescription instead of doing so while you stand in line.
This falls under the Department of Health and Human Services as part of the HIPAA Privacy Rule, which sets the standards for the protection and privacy of your health information. The other side of HIPAA is the HIPAA Security Rule.
The Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, sets the technical and non-technical safeguards that organizations HHS considers “covered entities” must have in place to protect a person’s electronic protected health information (e-PHI) that they use or transmit.
The Privacy Rule applies to health plans, healthcare clearinghouses and any healthcare provider who transmits health information in electronic form; these are the “covered entities” under HIPAA. The information covered includes:
- The individual’s past, present or future physical or mental health or condition.
- The provision of health care to the individual.
- The past, present, or future payment for the provision of health care to the individual.
Did you know that 41% of Americans have never seen their health information?
Since 1996, the healthcare industry has been moving away from paper documents and files and towards electronic versions of this information. With concerns about hackers and the security of cloud-based storage, what does the healthcare industry need to be vigilant about, not just to secure their patients’ data but also to remain HIPAA compliant?
Here are a few key items to keep in mind:
- Remember to keep backups of electronic PHI offsite. This one should be a no-brainer for anyone storing data somewhere other than the office, but it is extra important when it comes to patient information. Furthermore, HIPAA requires that backup copies of electronic PHI be stored in a location other than the original location. Not to mention, the backup electronic PHI data must be encrypted to meet the recommended security standards of HIPAA.
- Back up all patient records. All entities covered by HIPAA are required to have procedures in place to be able to retrieve or make exact copies of electronic PHI.
- Understand key definitions. HIPAA is full of terms and phrases that have specific meanings. It’s always a good idea to make sure you understand these terms and phrases and study the act thoroughly so that you remain in compliance. For example, “protected health information” refers to the use and disclosure of individuals’ health information.
- Make sure your backup provider supports HIPAA compliance. You want a backup provider that will support your HIPAA compliance by providing the appropriate physical, technical and administrative safeguards that will ensure your electronic PHI’s integrity and availability.
- Enter into a “Business Associate” agreement with your backup provider. Anyone who creates, receives or maintains PHI on behalf of the covered entity is required to enter into an agreement known as a Business Associate Agreement. Your backup provider will be receiving and maintaining your PHI, so they would be considered a “Business Associate” and therefore require a Business Associate Agreement. Make sure this is an option with your backup provider before committing.
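Two of the items above, retrieving exact copies of electronic PHI and having a provider that protects its integrity, are things a covered entity can actually check rather than take on faith. The following Python script is an added example, not code from the original post or from any backup provider: it packs a set of constructed, entirely fake records into an archive, writes a manifest of SHA-256 hashes authenticated with HMAC-SHA256, and refuses to restore unless the archive and every file match that manifest. Encryption of the archive at rest is assumed to be handled separately (by the provider or a vetted cryptography library); the manifest key shown is a placeholder that would in practice come from a secrets store or KMS.

```python
"""Added example (not from the original post): a backup manifest that lets a
covered entity prove a restored copy of ePHI is an exact copy and detect a
tampered or truncated backup. Encryption of the archive at rest is assumed to
be handled separately; this block covers only the integrity side."""
import hashlib
import hmac
import io
import json
import tarfile

# Constructed sample "records" standing in for ePHI files; entirely fake data.
SAMPLE_RECORDS = {
    "patient-0001.json": b'{"id": "0001", "note": "constructed sample record"}',
    "patient-0002.json": b'{"id": "0002", "note": "constructed sample record"}',
}

# Hypothetical manifest key. In practice it would come from a secrets store or
# KMS and would never be stored next to the backup it authenticates.
MANIFEST_KEY = b"constructed-demo-key-replace-with-kms-managed-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable serialization so the HMAC covers identical bytes on both sides.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_backup(records: dict, key: bytes) -> tuple:
    """Pack records into an in-memory tar archive; return (archive, manifest_json).

    The manifest holds a SHA-256 per file plus a SHA-256 of the whole archive and
    is authenticated with HMAC-SHA256, so a modified manifest is rejected too.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(records.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    manifest = {
        "files": {name: sha256_hex(data) for name, data in records.items()},
        "archive_sha256": sha256_hex(archive),
    }
    manifest["hmac"] = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return archive, json.dumps(manifest)


def verify_and_restore(archive: bytes, manifest_json: str, key: bytes) -> dict:
    """Return the records only if every integrity check passes; raise otherwise."""
    manifest = json.loads(manifest_json)
    tag = manifest.pop("hmac", "")
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest failed authentication (wrong key or tampered)")
    if sha256_hex(archive) != manifest["archive_sha256"]:
        raise ValueError("archive does not match the manifest")
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read()
            if sha256_hex(data) != manifest["files"].get(member.name):
                raise ValueError(f"{member.name}: content differs from manifest")
            restored[member.name] = data
    if set(restored) != set(manifest["files"]):
        raise ValueError("restored file set differs from manifest")
    return restored


if __name__ == "__main__":
    archive, manifest = build_backup(SAMPLE_RECORDS, MANIFEST_KEY)
    assert verify_and_restore(archive, manifest, MANIFEST_KEY) == SAMPLE_RECORDS
    damaged = bytearray(archive)
    damaged[512] ^= 0x01  # first data block: corrupt one byte of record 0001
    try:
        verify_and_restore(bytes(damaged), manifest, MANIFEST_KEY)
    except ValueError as exc:
        print("corrupted backup rejected:", exc)
```

Running the restore check periodically against the provider's stored copy, not just at backup time, is what turns the “exact copies” requirement from a written procedure into something the covered entity can demonstrate.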
In 2009, a supplemental act was passed called the Health Information Technology for Economic and Clinical Health (HITECH) Act, which supports the enforcement of HIPAA by raising the penalties for healthcare organizations that fail to comply with the Privacy and Security Rules. The HITECH Act was a response to the increased development, use, storage and transmittal of health information in electronic form.
As society turns to electronic devices and the cloud more and more for all things, there is an ongoing push to store records and data on the cloud and to be able to access patient data from anywhere through a wireless device. Your doctor might keep your records in a computer that sits in the office. Your eye doctor might use a tablet to enter your information or schedule an appointment. Having your information at their fingertips can save time, as long as they are being careful and maintaining their HIPAA compliance.