The massive Health Insurance Portability and Accountability Act (HIPAA) enacted by Congress in 1996 is broken out into five different titles, with Title II being the one most heavily focused on security and privacy.
Title II set, for the first time, key standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Both the HIPAA Privacy Rule and the HIPAA Security Rule are major components of Title II, which has the ultimate goal of making the sharing of sensitive health information safe and efficient.
In a bit of irony, Title II is also referred to as the Administrative Simplification provision, but as many things involving government regulation go, it’s just not that simple.
And the penalties for getting these things wrong are serious. For example, earlier this month, Memorial Hermann Health System in Houston agreed to pay a $2.4 million fine after improperly disclosing the name of a patient in a press release in 2015.
So what do smaller businesses and healthcare providers need to know about HIPAA Title II?
First, a little background on the two important rules and what they require.
The HIPAA Privacy Rule regulates the use and disclosure of certain information held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions).
It establishes regulations for the use and disclosure of Protected Health Information (PHI), which is interpreted rather broadly and includes any part of an individual’s medical record or payment history. The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document their privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints, and they must train all members of their workforce in procedures regarding PHI.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (ePHI).
It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications.
Help with HIPAA
The many administrative, physical, and technical safeguards required to support both the HIPAA Privacy Rule and the HIPAA Security Rule are to be taken seriously – yet many are left open to interpretation.
This is an area where best practices count, and getting the right expertise can make or break your business. Building a relationship with a trusted partner will serve you well.
Providing HIPAA-compliant systems and managed services are among our specialties. While there are many managed service providers (MSPs) out there, the reality is that few have the security focus and history of ZZ Servers. It’s in our DNA.
Contact us to learn more about how ZZ Servers can help your business maintain HIPAA-compliance without breaking the bank or losing your sanity.