Ensuring compliance with federal regulations that provide flexibility of approach is difficult. HIPAA is one such Federal Law that applies to many different types of businesses in the healthcare industry. These include not only the providers of healthcare, insurance companies, and group health plans (known as Covered Entities) but their Business Associates as well. A company or person becomes a Business Associate of a Covered Entity when the Covered Entity either provides access to or gives Protected Health Information to the person or company for them to do something with the data on behalf of the Covered Entity. Protected Health Information, known as “PHI”, includes 18 identifiers and any other individually identifiable data sets regarding the past, present or future provision of health care.
Covered Entities and Business Associates must have programs in place to protect the privacy and security of the PHI they create, receive, maintain or transmit. HIPAA Compliance programs must include policies and procedures, as well as the actual implementation of the policies and procedures. HIPAA, however, is not descriptive which infuses difficulty in developing a compliance program customized to an organization’s business. Care needs to be taken when developing a HIPAA Compliance program to ensure that the level of controls initiated protects the privacy and security of the PHI. PHI can be in any format including verbal, written or electronic. If a breach of PHI occurs, specific investigation and notification requirements are required for all parties. Fines can be very large if a breach occurs and even larger if a HIPAA Compliance Program is not in place.
Compliance usually refers to conforming to a set of rules. With HIPAA, the implementation of the rules is scalable to the organization. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with the relevant laws, policies, and regulations that apply to them.1 HIPAA Compliance is not about a moment in time snapshot; rather, it is all about implementing a program to ensure protection of the data and continuing to manage and update the program over time. This may make HIPAA compliance feel elusive, but it is all about the journey.
Article by Paige Joyner:
Paige Joyner is a 20-year veteran of the healthcare industry specializing in the Privacy and Security of data. She has worked with all types of Covered Entities and Business Associates to help develop and manage their compliance programs, as well as providing services such as audit, breach response, expert witness, and interim compliance officer.
