When the final pieces of the HIPAA Omnibus Rules went into effect in September, 2013, many healthcare providers were still unsure of what they meant. Almost a year later, there is still a lot of confusion about the rules, but it is clear that information technology (IT) security is an element that all healthcare providers must understand.
That is why we invested time and resources in developing our TotalCare HIPAA Compliance and Security Services to help our clients navigate the complexities involved. Before explaining what that means, I need to give you some background, and I’m going to have to drop some acronyms on you!
The Health Insurance Portability and Accountability Act, or HIPAA as most refer to it, is a 1996 law enacted by Congress that not only provided flexibility in health insurance but also strengthened the security of patient information to protect patient privacy. The omnibus rules came about as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The rules are intended to make clear the expectations of the Department of Health and Human Services (HHS), the agency charged with enforcing HIPAA rules, and to clarify the responsibilities of healthcare providers, the covered entities (CEs) in the HIPAA world, as well as of the people who provide certain services to them, the business associates (BAs). These could be law firms, outside accountants, IT companies like us, and even the company that cleans the office after hours.
In a nutshell, the HIPAA rules that require CEs to protect patient information now apply equally to BAs, who must ensure that they have processes and procedures in place to protect any patient information they may come in contact with. This also means that BAs share the same risk, and the same potential for penalties, if they don’t comply with the regulations.
Complying with the security requirements of the HITECH Act in particular requires that both CEs and BAs undertake periodic security assessments to ensure that they are in compliance and prepared for an audit by HHS. The assessments should review the following areas:
• Security policies and procedures
• Internal systems security, including vulnerability assessment
• External security practices
• Staff preparation and training
• Physical security
• Securing patient information
As you can see, HIPAA compliance is no longer just the responsibility of healthcare providers. TotalCare is a platform to help any company that must be compliant get compliant. For more information, contact us at (831) 753-7677.