
HIPAA Compliance Requirements
To be HIPAA compliant means that an organization is following the requirements of the Health Insurance Portability and Accountability Act of 1996 and of the rules and amendments that have followed it. Federal law requires every "covered entity" to meet these requirements. Covered entities include health care providers and their offices, health care clearinghouses, employer-sponsored health plans, and health insurers. Later rules extended direct compliance obligations to the business associates of covered entities, that is, the vendors and contractors that create, receive, or handle Protected Health Information on their behalf. Even so, a covered entity remains responsible for ensuring, normally through a written business associate agreement, that everyone it does business with is doing its part to meet HIPAA compliance requirements.
HIPAA compliance boils down to one thing: safeguarding the Protected Health Information (PHI) of patients and customers. Each entity should designate one person as its HIPAA Compliance Officer (often called the privacy officer; the Security Rule separately requires a designated security official, who may be the same person). It is the Compliance Officer's job to understand the requirements of HIPAA and to ensure that the necessary safeguards and procedures are in place, and actually followed in practice, so that the entity remains compliant at all times.
Each addition to the law has raised the bar for what an organization must do to stay compliant. Under the original 1996 legislation and the Privacy Rule that implemented its privacy provisions, compliance consisted mainly of changes to procedures in the office: compliance or privacy officers were appointed by each entity to orchestrate changes to standard practice, such as adding privacy at sign-in and keeping patient names out of sight of other patients. The Security Rule (finalized in 2003, with compliance required by 2005 for most covered entities and 2006 for small health plans) made HIPAA compliance more demanding. For the first time the security of electronic PHI was addressed directly, and compliance now required administrative, physical, and technical safeguards: records and systems kept in locked, access-controlled locations to limit the damage if someone broke into the premises, and access controls such as unique user IDs and passwords on software that stores or transmits PHI. The 2009 HITECH Act raised the requirements again by obliging entities not only to protect PHI but to have procedures for acting when that protection fails. This includes notifying patients and other affected individuals, as well as the Department of Health and Human Services, of a breach, whether it resulted from a malicious outside act or from employees failing to follow standard protocols and procedures. In effect, HITECH requires every covered entity to have compliant procedures in place for the moment its ordinary compliance procedures fail.
While the general concept of HIPAA compliance is simple, protecting the privacy of each individual's health information, writing standard operating procedures that are HIPAA compliant can be complex, and the way compliance procedures are implemented varies greatly from one covered entity to the next depending on the type of business each one conducts.