The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that establishes data privacy and security provisions for protecting medical information. President Bill Clinton signed the act into law in August 1996. HIPAA has five sections, or titles.
- HIPAA Title I – safeguards health insurance coverage for people who change or lose their jobs. It also bars insurance companies from denying medical coverage to people with specific diseases or pre-existing conditions, and restricts insurance providers from setting lifetime coverage limits for these individuals.
- HIPAA Title II – directs the US Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. This title also requires healthcare organizations to implement secure electronic access to health data and to remain compliant with the privacy regulations set by HHS.
- HIPAA Title III – consists of tax-related provisions and guidelines for medical care.
- HIPAA Title IV – delves deeper into health insurance reform. The reforms cover patients with pre-existing conditions and those seeking continued health coverage.
- HIPAA Title V – describes provisions for employees who have company-owned life insurance and the treatment of individuals who lose their US citizenship for income tax purposes.
In IT circles, HIPAA compliance means adherence to HIPAA Title II. Title II is also known as the Administrative Simplification provisions and carries the following HIPAA compliance requirements.
- National Provider Identifier Standard. Every healthcare entity, including healthcare providers, employers, individuals and health plans, must have a distinctive 10-digit National Provider Identifier (NPI).
- Transactions and Code Set Standards. Healthcare organizations must follow a specific standardized mechanism for electronic data interchange (EDI). This allows them to process and submit insurance claims.
- HIPAA Privacy Rule. Also known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes and maintains the standards required to protect patient health information.
- HIPAA Security Rule. This comprises the Security Standards for the Protection of Electronic Protected Health Information. The rule sets standards for the security of patient data.
- HIPAA Enforcement Rule. This rule establishes the guidelines for investigating HIPAA compliance violations.
HHS put the HIPAA Omnibus Rule in place in 2013 with the aim of implementing modifications to HIPAA, in line with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act governs the responsibilities of the business associates of covered entities. The Omnibus Rule increased the penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
Healthcare organizations can suffer greatly as a result of violating HIPAA regulations. The Omnibus set of regulations includes the HIPAA Breach Notification Rule, which requires affected business associates and covered entities to notify their patients in case of a data breach.
Additionally, healthcare organizations can be fined if a HIPAA audit, mandated by the HITECH Act and conducted by the Office for Civil Rights (OCR), finds that they have violated the HIPAA compliance regulations. Providers who violate the HIPAA Privacy and Security Rules can also face criminal penalties.
HIPAA compliance training programs usually help organizations lower the risk of regulatory action. The OCR has developed six educational programs that assist healthcare organizations in complying with the Privacy and Security Rules. Some training groups and consultancies offer compliance programs too.
Healthcare providers can also create their own training programs. These should cover each organization's current HIPAA privacy and security policies, mobile device management processes, the HITECH Act and other applicable guidelines.
Still, there is no official HIPAA compliance certification program in place. However, some training companies offer certifications intended to show that healthcare organizations understand the directives and regulations of the act.