In a business environment where resources are limited, compliance requirements abound, and budgets are constantly struggling to meet cost containment targets, the complexity of the regulations your business must comply with can present a real challenge. That challenge becomes even more difficult in the dynamic environment of hospitals, doctors’ offices, and all of the supporting elements of the medical profession, where the work ultimately exists to deliver critical, often life-saving care to the focal point of the medical community: the patient. However, the digital age we have moved into over the past 20 years, despite the convenience it offers, comes with risks. Patients have suffered the compromise of personal information, and the patient population has expressed considerable concern about how their medical data is handled.
These concerns are not without due cause, given the sensitive business of life support that medical organizations have chosen to engage in, and the information involved with any medical procedure or activity. Those concerns are partly expressed in the Health Insurance Portability and Accountability Act (HIPAA), which compels medical businesses to apply certain protections to the data they possess. We will break down the predominant components of the HIPAA regulation as a basis for gaining a clear understanding of the drivers behind this law. In later postings on this topic, we will explore a strategy to align your organization with the information security requirements defined within HIPAA, HITECH, and the Omnibus Rule.
The Health Insurance Portability and Accountability Act of 1996 establishes requirements for healthcare organizations with respect to ensuring the privacy and security of protected health information (PHI) and, in particular, electronic protected health information (ePHI). Broadly speaking, the overarching HIPAA principle for this type of data is that it is to remain private: only people who have a definitive need for that data should be able to access it. It should go without saying that the only way to provide any kind of privacy is through the effective deployment of security measures that restrict access to, and exposure of, the data. Privacy and security are inseparably linked, as you cannot have one without the other, which is the logic behind the two best-known HIPAA rules covered below: the Privacy Rule, which governs PHI in any form (paper, spoken, or electronic), and the Security Rule, which specifies the administrative, physical, and technical safeguards required for ePHI.
There are a number of rules recognized within HIPAA, or within what most people have come to call HIPAA, a term that usually also encompasses the related healthcare data regulations (e.g., HITECH and the Omnibus Final Rule). Some of the rules are better known than others. Because they were the first to be established under HIPAA, the best known are probably the Privacy Rule and the Security Rule. However, that is not where the rules stop. HIPAA has been updated by further regulation as the issues around the handling of medical data have become better understood, and it can be a challenge to keep track of all of these rules:
Now that you have a baseline understanding of what HIPAA comprises, we can move on to another primary component of HIPAA: understanding the criteria for PHI and ePHI, and determining whether you and your organization fall under the HIPAA regulation.
NEXT UP: What is PHI or ePHI and who has to abide by HIPAA?