HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 as a step toward incremental health care reform; experts consider it the most significant health care legislation since Medicare in 1965.
HIPAA’s intent is to reform the health care industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of patients’ information.
Two distinct sets of regulations fall under the HIPAA umbrella: the Privacy Rule and the Security Rule. The Privacy Rule governs the use and disclosure of individuals’ protected health information (PHI) in any form, while the Security Rule governs the confidentiality, integrity, and availability of PHI that is created, stored, or transmitted electronically (ePHI). The Privacy Rule is what most of us think of when we hear the term HIPAA (HIPAA awareness training, the Notice of Privacy Practices, authorization forms, etc.), whereas the Security Rule tends to be the focus of an organization’s IT department because it requires administrative, physical, and technical safeguards such as access control, encryption, audit logging, and disaster recovery.
Do you have to worry about HIPAA? There are two main classifications under HIPAA: covered entities and business associates. Covered entities are the organizations and individuals that deal directly with protected health information: health care providers, health plans (including health insurers and employer-sponsored group health plans), and health care clearinghouses. A business associate is any other person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity, for example medical billing companies, medical records storage vendors, marketing organizations, software companies, and medical device manufacturers when they handle PHI for a covered entity.
HHS (the Department of Health and Human Services), through its Office for Civil Rights (OCR), enforces HIPAA against covered entities. Business associates are bound to HIPAA’s obligations by the business associate agreement (also called a business associate contract) they sign with each covered entity they work with, and since the HITECH Act and the 2013 Omnibus Rule they are also directly liable to HHS for violations of the Security Rule and of the Privacy Rule provisions that apply to them.
HIPAA compliance involves two main components: training employees on HIPAA, and implementing the documented policies, procedures, and forms HIPAA calls for, including the written risk analysis and the safeguards the Security Rule requires.
While many of HIPAA’s requirements may seem like common sense, think of them as providing a baseline of standardization so that an individual and the organizations involved in their care know what to expect of each other.
HIPAA compliance does not have to be a complicated process and, once set up, takes relatively little effort to maintain, provided the policies and the risk analysis are reviewed and updated as systems, vendors, and staff change.