HIPAA, or the Health Insurance Portability and Accountability Act, was signed into law in 1996 to ensure portability of insurance plans and to protect the privacy of citizens’ health records. The act imposed significant requirements on healthcare service providers, insurance carriers and many of the millions of service providers and suppliers that interface with the American healthcare system, possibly including your organization.
The law refers to “covered entities,” meaning anyone who provides treatment, payment or operations in the healthcare industry, and to “business associates,” meaning anyone with access to patient information who provides support in the areas of treatment, payment and/or operations. Subcontractors of business associates must also be in compliance.
If you are providing IT services to a covered entity or are one yourself, you need to consider the following:
• Physical access control, which limits access to facilities. All covered entities must have policies about access to and use of workstations and electronic media in addition to the physical space. This includes transferring, removing, disposing of and re-using electronic media.
• Technical access control requiring organizations to allow only authorized users to access electronic health data. Access control includes using unique user IDs, an emergency access procedure, strong password policies, automatic log off and encryption.
• Audit reporting must be implemented to keep running records of activity on computer hardware and software.
• IT disaster recovery and offsite backup are crucial to ensuring that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and remains intact.
• Network security is required to protect against unauthorized public access to protected electronic health information. This pertains to all methods of transmitting data including via email, the web, or even transmissions over a private company network.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed to further support the enforcement of HIPAA requirements by increasing penalties for covered entities and business associates that violate HIPAA Privacy and Security Rules. With the Omnibus Rule of 2013, the covered entities have been expanded to include more organization classifications, as well as adding additional liabilities. We will cover more of this in an upcoming blog post.
For more information about HIPAA and your business, contact Superior Technology Solutions. Visit us at www.superiortechnology.com or contact us at