The health care industry is transforming thanks to entrepreneurs and engineers who are working to enhance both doctors' and patients' experience.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted to keep up with the rapidly developing health care system and to protect patients' medical records provided to doctors, hospitals, and other health care entities.
Companies and startups in the medical field have to keep a close eye on regulations like HIPAA. Continue reading to find out more about the Act and to understand how to make your application HIPAA-compliant.
What Information is Protected by HIPAA?
Individually Identifiable Information
• Name
• Email and phone number
• Social Security number
• Driver’s license
• Photographs
Health Information
• Medications
• Clinical notes
• Insurance
• Blood tests
• MRI scans
Who Does It Apply To?
Any organization handling Protected Health Information (PHI) is defined as a “covered entity.” These are divided into three categories:
1. Health Plans – health insurance companies, company health plans, and government programs that pay for health care.
2. Health Care Providers – doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists that conduct business electronically.
3. Health Care Clearinghouses – entities that process nonstandard health information into a standardized format.
“Business associates” are the contractors or subcontractors of covered entities that need access to PHI to provide services to a covered entity. These include:
1. Billing companies and companies processing health care claims
2. Companies helping to administer health plans
3. Lawyers, accountants, and IT specialists related to a covered entity
4. Companies that store or destroy medical records
If you are collecting or storing PHI, then you are obliged to sign a Business Associate Agreement with the covered entity. The agreement outlines the procedures for how you will protect the health records and how you must respond in the event of a breach.
HIPAA Privacy & Security Rule
The Privacy and Security Rules were implemented to make sure a patient's PHI is kept secure and is not wrongfully disclosed.
The Privacy Rule dictates how, when, and under what circumstances PHI may be disclosed. Covered entities and business associates must implement the Rule to control the flow of information, monitor their internal networks, and take measures to prevent unauthorized disclosure of PHI.
The Security Rule was implemented to further protect the confidentiality, integrity, and availability of electronic protected health information (EPHI). The Rule requires administrative, physical, and technical safeguards to secure EPHI that is created, received, used, or maintained by covered entities and business associates.
Administrative safeguards
Administrative safeguards cover over half of the HIPAA security requirements. They define the policies and procedures that must be in place to prevent, detect, contain, and correct EPHI security violations.
1. Security management process
2. Assigned security responsibility
3. Workforce security
4. Information access management
5. Security awareness and training
6. Security incident procedures
7. Contingency plan
8. Evaluation
9. Business associate contracts
Physical safeguards
Physical safeguards focus on protecting electronic systems from potential threats, unauthorized intrusion, and environmental hazards. It is essential for a covered entity to establish secure ways of using workstations and electronic media to ensure the protection of EPHI.
1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls
Technical safeguards
Technical safeguards cover user access to the systems that store EPHI. Covered entities and business associates need to assess the risks to EPHI and choose safeguards that are reasonable for their size and for the cost of implementing them.
1. Access control
2. Audit controls
3. Integrity
4. Person or entity authentication
5. Transmission security
The Enforcement Rule
In the case of a breach, the Enforcement Rule defines and governs the responsibilities and requirements of covered entities and business associates, and how they are expected to cooperate during the enforcement process.
The Cost of HIPAA Non-Compliance
Covered entities and business associates can both be fined and receive penalties if they do not comply with the Act. A HIPAA violation can cost you from $100 to $50,000 per record, with a maximum penalty of $1.5 million per year for each violation.
ITIRRA's experts are happy to help your software development team with any questions related to building a HIPAA-compliant application. To find out more about how to make a HIPAA-compliant application, or to discuss how a straightforward solution can grow your business and improve the safety of your data, contact us today or arrange a meeting with me.