In 1996, Congress began enforcing HIPAA, the Health Insurance Portability and Accountability Act, as a measure to protect the increasing amount of sensitive patient data being collected. Between the “Privacy Rule” and the “Security Rule” contained therein, a new national standard was created for the handling and storage of protected health information (PHI) such as medical records, billing information, health insurance information, and other individually identifiable patient health information.
HIPAA hinges on three key requirements. All records must retain:
1. Integrity – meaning the information within medical records themselves must remain accurate.
2. Confidentiality – to ensure medical records are only viewed on an as-needed basis by professionals.
3. Availability – which makes sure medical records can be recalled at a moment’s notice with little to no downtime.
Protected health information (PHI), whether physical or digital, such as medical records, billing information, health insurance information, or other individually identifiable health information, is subject to HIPAA regulations.
More generally speaking, protected health information can be defined as anything used to identify an individual in conjunction with a healthcare service.
Examples of physical PHI include x-ray or MRI images, test results, and written doctor’s notes or prescriptions; electronic patient communication is a further example. These and other digital health records, known as ePHI, should be hosted in a web environment that has been deemed HIPAA compliant. Other records should be kept physically secure, and their retention should be clearly outlined in your company policies.
HIPAA compliance is mandated for Covered Entities (CEs), such as healthcare providers, health plans, and healthcare clearinghouses, and for Business Associates with access to electronic protected health information (ePHI).
Penalties and fines for HIPAA violations vary in severity depending on the type and number of violations per calendar year, though in extreme cases violations can cost health care providers up to $1.5 million.
If an entity is reported for or suspected of non-compliance with HIPAA regulations, the Office of Civil Rights in the U.S. Department of Health and Human Services (HHS) conducts an audit and compliance review of the entity’s administrative security, physical security, technical security, structural requirements, policies, procedures, and documentation practices.
Still nervous or unsure about HIPAA enforcement? At CoreSpace, we help our clients meet standards and most importantly, prevent fines. Call us today with all your HIPAA enforcement questions.