The HIPAA Privacy Rule is the first national standard for the protection of personal health information (PHI). It was put in place to create consistency across the healthcare industry in how sensitive patient data is protected, and it applies to health plans, health care clearinghouses, and all health care providers that conduct health care transactions electronically. Covered entities under the Privacy Rule also include employers who run a group health plan for employees. This means that HIPAA does not regulate only the healthcare industry: it also regulates the financial services industry, asset managers, and anyone else who provides a group health care plan. In the wake of major data breaches at healthcare entities such as Anthem, Premera, and CareFirst, it is apparent that the healthcare industry is a prime target for attackers. Keeping PHI secure should be a priority within your company, and HIPAA is going to ensure this through a series of audits.

Below are the different sections of the HIPAA Privacy Rule and what you need to do to stay compliant.

Privacy Rule

The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. In addition, the rule gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. All employees must be trained on the HIPAA Privacy Rule. Employers must restrict access to protected health information to only those who perform administrative functions. They must also notify participants when a data breach has occurred.

Security Rule

According to the Department of Health & Human Services, the HIPAA Security Rule, a subset of the Privacy Rule, requires appropriate administrative, physical, and technical safeguards to ensure that PHI stored or transferred electronically is confidential and secure at all times, regardless of faulty technology. Dealing with faulty technology is the last thing you want on your mind; to keep confidential documents out of the wrong hands, it can be worth looking at how a HIPAA compliant fax service can help you send and receive files that only your eyes should see. Unlike the Privacy Rule, the Security Rule deals specifically with the electronic handling of confidential information. Under this rule, covered entities are required to develop and implement plans for responding to an emergency or disruption, such as a natural disaster or data breach, that may damage systems or equipment. Employees must be trained on the proper policies for the safe handling of electronic data.

Omnibus Final Rule

In an effort to strengthen patient privacy protections, this rule further amended the breach notification rule, which now requires that a security breach notification be issued following any unauthorized use or disclosure of unencrypted PHI. The only exception is if the entity can demonstrate, following a risk assessment, a low probability that the PHI was compromised. This rule also requires that any breach of a data set be treated the same, regardless of its content. Covered entities must notify the individuals involved and, in some cases, depending on the amount of data compromised, the media and the Department of Health & Human Services. It is likely that this rule will result in increased exposure for violations of HIPAA regulations.

HIPAA Compliance

HIPAA sets the standard for protecting sensitive patient data. Any company that deals with PHI must ensure that all the required physical, network, and process security measures are in place and followed. The US Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for the enforcement of HIPAA. The OCR conducts compliance reviews to determine whether covered entities are in compliance, and performs education and outreach to foster compliance with the rules’ requirements. You will definitely want to make sure you are HIPAA compliant, as violations are pricey. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.

You don’t want your business to be “that company,” the one that suffered a major data breach or had to pay hefty fines for HIPAA noncompliance. Mitigate your risks by revising security incident management plans, updating privacy notices, and reviewing or refreshing your entire HIPAA compliance program. HIPAA compliance is paramount to the protection and security of your clients’ PHI, so make sure you know and understand the rules.

For more information on HIPAA and what it means to be HIPAA compliant, register for our free webinar, HIPAA Compliance Webinar: Not Just Regulating Healthcare, which will be held this Thursday, July 28th, at 2 PM ET.