If your business works directly or indirectly in the healthcare industry, you’re probably aware of HIPAA compliance regulations and the fines that come with failing to maintain compliance. Understanding all the rules and regulations around HIPAA compliance can be confusing, so we created this series to help clarify, if not simplify, some of the major pieces of this compliance puzzle. 

We are not giving legal advice—Commprise is an MSP and not qualified to do that; our goal is to get you up to speed with what HIPAA compliance is, help you understand its purpose, and better comprehend how it relates to your IT security.

What is HIPAA Compliance? 

HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It is a series of regulatory standards that covered entities and business associates must follow to keep Protected Health Information (PHI) secure.

In addition to protecting patients' data from breaches, an important aspect of HIPAA as it relates to your IT is how your organization allows patients to access their PHI and what methods you use to deliver it to them securely.

Different organizations are held to different standards based on the resources they have available to secure their protected health information, which often makes maintaining compliance confusing.

Put simply, the purpose of HIPAA is to keep people’s healthcare information private. 

HIPAA compliance is regulated by the Department of Health and Human Services (HHS), and the Office for Civil Rights (OCR) within HHS is in charge of enforcing it.

This year, the OCR announced an update to HIPAA compliance which stated that they “will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites, and will refrain from imposing sanctions and penalties on covered entities and business associates at these drive-through, walk-up, and mobile sites.”

Other provisions of the HIPAA Rules that have proven unnecessarily strict toward covered entities are to be removed, with the aim of an experience that better reflects value-based healthcare. For more HIPAA updates, visit the HIPAA Journal.

What Qualifies as Protected Health Information (PHI)? 

Protected health information is a combination of your identifying information (name, address, license number, etc.) and any health-related data collected by healthcare practitioners (such as doctors) or healthcare facilities (such as hospitals).

PHI includes: 

To give an example, if you have been diagnosed with a particular illness, that diagnosis falls under PHI.

To understand what kind of information you need to remove in order to de-identify PHI, refer to the Safe Harbor Rule.

What are the Standard HIPAA Transactions? 

There are standards for how any covered entity or business associate should exchange protected health information (PHI). The common types of transactions that you should be aware of are listed below.

What are Covered Entities? 

This refers to entities within the healthcare field that have access to PHI and may use it in their work. Examples of covered entities: doctors, nurses, and insurance companies.

This is important to understand because, if your business works with covered entities and you have PHI in your databases, your company will need to make sure it’s maintaining HIPAA compliance.

What are Business Associates?

The term “Business Associates” refers to people or vendors that work with a particular covered entity in a non-healthcare capacity. 

Even though they aren’t directly related to the healthcare field, they are equally responsible for maintaining compliance with HIPAA regulations. 

Examples of business associates: accountants, lawyers, IT personnel that work in the healthcare industry, administrators, start-ups that sell healthcare tech, etc. 

What are Business Associates Agreements (BAAs)?

BAAs are agreements between HIPAA-covered entities and the other organizations that handle their PHI, such as IT companies and other vendors, that are formed to ensure the security of that PHI.

The agreement must be in writing, either as a formal contract or as another official form of written agreement.

What is the HITECH Act?

HITECH stands for the Health Information Technology for Economic and Clinical Health Act, which was signed into law in 2009.

This act was enacted to incentivize more healthcare organizations to adopt health information technology, and more specifically to get them to start using electronic health records (EHR).

Keeping Your Company’s Private Data Secure 

If your company works with protected health information (PHI), it's important to see HIPAA compliance as more than just a law you must abide by. PHI is data your organization is responsible for, and the protection and security of that data is critical to thriving in the modern digital age.

If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.

An in-depth understanding of your IT environment will allow you to clearly document and remediate any security weaknesses that might stand between you and maintaining compliance.