The Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, set the required national standard for enhanced security and privacy of protected health information. The act also requires that all health care providers, health plans and other health care services that operate in any state of the United States of America abide by the minimum standards set by HIPAA.
The security and privacy rules covered by the HIPAA Act require covered entities, such as hospitals and health care centers, along with business associates of covered entities, to institute policies and procedures that reasonably safeguard medical information, whether it is exchanged verbally or electronically.
This allows sensitive information about a patient's physical and mental health to remain protected in an age where electronic transfers of health data have become common. HIPAA compliance is mandatory for all agencies dealing with patients and their records.
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The Privacy Rule came into effect on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. This HIPAA compliance rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
The HIPAA Privacy Rule further requires safeguards to limit the number of people who have access to personal information. Apart from giving patients access to their own medical records, the HIPAA Privacy Rule also requires a detailed accounting of disclosures of all health information. Furthermore, a notice of privacy practices explaining how medical information is used and disclosed must be provided.
The Privacy Rule also incorporates what it calls a "minimum necessary" standard regarding how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the "minimum necessary" to accomplish the intended purpose.
Safeguarding patient privacy is a vital part of HIPAA compliance.
The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Security Rule took effect April 20, 2005, for larger entities, with a one-year delay for health plans having annual receipts of $5 million or less.
The Security Rule has an important role to play since it was designed to be flexible, establishing a security framework for small practices as well as large institutions. Furthermore, it emphasizes that all covered entities must have a written security plan, identifying and covering three major components, namely administrative, physical, and technical safeguards.
Ensuring security and preventing misuse of data is another main component of HIPAA compliance that all healthcare providers, insurance agencies and other organizations must perfect.
Since major portions of health information are kept in electronic formats, the HIPAA Act ensures that protected health information which is transmitted electronically, usually between a healthcare provider and a health benefit plan, remains protected and secure.
HIPAA violations are taken seriously and offenders may face a civil fine of up to $25,000, recently raised to a maximum of $50,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000. Alternatively, the HHS (U.S. Department of Health and Human Services) may decide to investigate and/or try to resolve the issue informally.
HIPAA makes no distinction between a U.S. business associate and one based in a foreign country and there are no legal restrictions on outsourcing medical-related services. However, it is required that companies comply with HIPAA standards in order to work with offshore vendors.
These are some HIPAA basics that affect the work that we do for healthcare providers (hospitals, clinics and doctors) and insurance agencies. Read how Outsource2india guarantees HIPAA compliance or contact us with your outsourcing requirements.