Hosting protected health information can be daunting, but going through a checklist of requirements for the compliance of the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA) can make the process simpler and more painless.
HIPAA compliance is structured around four rules:
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule
However, when moving forward with HIPAA compliance, the only two rules that will require immediate action are the Privacy Rule and the Security Rule. The Enforcement and Breach Notification rules both pertain more to existing HIPAA environments and will come into play as you begin to host and maintain protected health information (PHI) data.
The Privacy Rule is a guide of national standards to protect the medical records and health information of citizens. This rule sets specific requirements in place to protect and maintain the privacy of health information and control its release to authorized parties only. HIPAA Compliance starts with familiarity and awareness of the Privacy Rule. The complete text of the rule can be found at HHS.gov.
Next is the HIPAA Security Rule, this is where the bulk of time and money will be spent. It requires three categories of safeguards to protect PHI data: Administrative, Physical, and Technical. Each category calls for specific requirements.
- Administrative Safeguards are the set of policies and procedures that outline the acceptable conduct and behavior of employees interacting with PHI, and the security measures to prevent intentional or unintentional breaches of HIPAA regulations. This section calls for nine administrative safeguards.
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
- Physical Safeguards are a set of regulations focusing on the physical access to the hardware that contains PHI. The Physical Security section mandates facility access controls, workstation use, workstation security, and device and media controls.
- Technical Safeguards refer to the technology that protects the PHI and regulates access. Though certain technology is more suited to HIPAA data than others, the Security Rule does not dictate specific software solutions. A solution must have verifiable access controls, audit controls, integrity, authentication, and transmission security.
Then we have the HIPAA Enforcement Rule which simply clarifies the investigations, consequences/penalties, and course of action in the case of a breach or violation. It spells out provisions relating to compliance and the monetary penalties that can result from a violation. You can read the complete text of the rule here:
Last comes the HIPAA Breach Notification Rule that requires healthcare providers to notify their patients of a breach of PHI. In accordance with this rule, HIPAA hosting providers and/or Business Associates are required to notify the providers/clients of the breach in a timely manner, and to notify the media if the breach causes more than 500 patients to be affected.