With the HIPAA Security Rule getting a lot of attention this month, now seems like a great time to revisit the basics of the HIPAA rules. HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996, targeting how the healthcare industry handled confidential information. The law reaches into many areas – but for IT professionals, its most critical mandates revolve around how healthcare providers maintain and protect personally identifiable medical information. The effort made the collection of electronic medical records more secure for patients – but also forced some difficult regulations on medical providers and their IT partners.
While doctor’s offices and hospitals are obviously covered by HIPAA regulations, so too are any entities that touch patient information, such as billing services and IT vendors.
Did You Know? Annual HIPAA compliance costs involving IT issues are estimated at $8.3 billion a year.
What are the Essential Elements of the HIPAA Rules?
HIPAA is sectioned into titles, with Titles I and II being the most critical.
Title I involves portability, primarily that individuals moving from one group health insurance plan to another can’t be denied benefits based on pre-existing conditions.
Title II is more relevant to IT professionals, as it mandates that anyone who handles personal medical data must proactively maintain privacy and security.
The History of the HIPAA Rules By Year
- 1998: HHS proposed the Security Rule to enhance the protection of health-related information that’s shared amongst different healthcare providers and other entities.
- 1999:HHS proposed the Privacy Rule, which outlined the standards required to maintain the privacy of health information, defined which protected health information (PHI) is covered, and provided right to access health-related information to individuals.
- 2003: The Security rule was finalized, and the Privacy Rule was implemented.
- 2005: The Security Rule went into effect, and the Enforcement Rule was proposed by the HHS. The Enforcement Rule gave permission to the HHS to investigate complaints and issue fines for noncompliance.
- 2009: Congress passed the HITECH Act, which encouraged healthcare providers to more frequently utilize electronic health records (EHRs). Later that year, HHS rolled out the HITECH Enforcement Act Rule, which significantly increased the costs of noncompliance. The HHS also rolled out the Breach Notification Rule, which outlined disclosure notification rules for covered entities whose networks were breached.
- 2013: The HIPAA Omnibus Rule was introduced, extending the Privacy and Security Rule provisions to business associates of covered entities. These associates don’t communicate directly with patients but still have access to PHI.
- 2024: NIST rolls out the HIPAA Security Compliance Guide for Cybersecurity. Read more here.
How does HIPAA Protect Security?
In order to be compliant with the HIPAA Security Rule, “reasonable and appropriate” efforts to protect PHI must be in place. These protocols must include administrative safeguards such as risk analyses and workforce training, physical protections such as access controls, and technical procedures like cybersecurity software controls. The rule does not stipulate any hard and fast measures to be taken to achieve the overall goal but instead provides covered entities with flexibility to determine their best course of action based on their size, environment, and technical resources. However, this approach can inspire confusion and ambiguity for covered entities wondering whether their security plans realistically meet HIPAA rules standards.
The HIPAA Privacy Rule
The HIPAA Privacy Rule recognizes that, in order for the health care system to function effectively, PHI needs to be shared with several individuals and organizations. However, it also insists that patients have the right for their medical and personally-identifying information to remain private. This dilemma resulted in the creation of the Minimum Necessary Standard. Basically, any person working for a covered entity should have access to the PHI they need to do their job — but no more. This is easier ordered than implemented and can cause anxiety over compliance for covered entities.
HIPAA Compliance within the IT Sector
When HIPAA compliance is referred to in the IT industry, it is typically speaking of the technical and administrative measures required to comply with HIPAA Title II. The majority of that work involves meeting the requirements of the Security and Privacy Rules. Other requirements include that all covered entities must have a National Provider Identifier and adhere to the Transaction and Code Set Standards for electronic data interchange.
The HIPAA Rules and your IT Department
If you are looking to ensure compliance with HIPPA security rules and aren’t sure where to begin, call the experts at Alliance IT. Our team of IT experts can help you identify and remediate any compliance issues before they cause you any problems. Don’t try to work everything out on your own – trust your IT compliance with Alliance IT.
