The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that protects sensitive patient data. When companies handle Protected Health Information (PHI), they have to follow all the physical, network, and process security measures that HIPAA dictates.
To be in compliance, “covered entities” (organizations providing treatment or payment), “business associates” (individuals who have access to patient information) and subcontractors must follow the training, policy and procedures as set out in the Act.
HIPAA in short
Privacy and Security Rules
The HIPAA Privacy Rule provides national standards for health information protection, including any information that is in an electronic format.
The HIPAA Security Rule applies to the technical and non-technical safeguards that covered entities need to enforce. The Office for Civil Rights enforces both rules through voluntary compliance activities as well as monetary penalties.
The U.S. Department of Health and Human Services (HHS) has made HIPAA compliance a top priority with the advent of computerized physician order entry systems (CPOE), electronic health records (EHR) and lab, pharmacy and radiology computer and information technology systems. The Security Rule is flexible enough to accommodate innovations in new technologies, and allows covered entities to implement the policy and procedures that are relevant to the organization’s size and structure.
The HHS safeguards cover both physical and technical policies, including:
- Audits and logs for both software and hardware
- Unique user IDs, encryption and emergency access procedures
- Conditions around disposing or removing electronic media
- Use of workstations and electronic media
- Facility control and access
Protected Health Information (PHI) or electronic PHI (ePHI) must not be improperly altered or destroyed. Covered entities must ensure they have offsite backup and disaster recovery policies and procedures in place. They must also have transmission and network security in place to prevent unauthorized access to ePHI.
A supplemental act, the Health Information Technology for Economic and Clinical Health Act (HITECH), can enforce penalties on any health organization that violates HIPAA. It was created to help regulate and enforce HIPAA policy in the area of electronic health information technology. In 2019 the average penalty was $1.2 million, indicating the size and severity of the infractions exposed by HHS.
Data Protection
By having a data protection strategy in place to comply with HIPAA regulations, healthcare organizations:
- Have control of sensitive data
- Comply with HIPAA and HITECH regulations
- Ensure the security of PHI
Data protection should include both structured and unstructured data, including:
- Documents
- Scans
- Emails
Patients provide health information to their healthcare organizations, and trust that their PHI will be protected from any internal or external security threats.
Rillion and HIPAA
Rillion is in compliance with HIPAA through our commitment to the policies and procedures required of a business associate to our customers in the healthcare sector. We have done this because of the many customers we already have in the healthcare space, and to accommodate the healthcare customers still to come.
Find out more about Rillion’s Certifications and Security Standards here.