By now, most people who work in healthcare know that physicians, dentists and other medical providers must comply with the Health Insurance Portability and Accountability Act of 1996 – usually known as HIPAA – or face stiff penalties. But not everybody realizes that many jobs outside of direct patient care also demand strict adherence.
The HIPAA Privacy Rule mandates that “covered entities” who deal with protected health information follow measures to keep data private. This information is anything that can be used to identify a patient. It may relate to their health condition (past, present or future), provision of healthcare, or payment for healthcare. Something as simple as a birthdate, name or address – as well as obviously sensitive information like Social Security numbers – is considered protected health information.
Exactly who is responsible for meeting HIPAA regulations? Anybody who meets HIPAA’s definition of a covered entity, such as health plans, healthcare providers and healthcare clearinghouses. On the surface, this sounds clear. But beyond the optometrists and chiropractors are less obvious covered entities. Nonprofit organizations, schools and government agencies which provide some healthcare services must also comply with HIPAA.
Organizations that perform both covered and non-covered functions may decide to become what is known as a “hybrid entity.” The organization designates which are the healthcare components within its operation, and which components are not. The healthcare components must then comply with HIPAA rules.
Consider a university. If a university includes an academic hospital which electronically transmits health records – and many other departments which have nothing to do with health information – the university may decide to be a hybrid entity. It can designate the hospital as its healthcare component, while departments like geography and engineering are clearly separate. The Privacy Rule would then apply only to the hospital and other designated components, governing health information maintained, created or received by or on behalf of these healthcare components. If the hospital were to disclose patient information to other parts of the university, it would be regulated just as if the data were being disclosed to an entity outside the university. A university research lab that also serves as a healthcare provider may or may not be included as a designated healthcare component, depending on whether or not it conducts specified electronic transactions.
Most states have gone above and beyond federal standards when it comes to HIPAA. Texas has especially strict medical privacy rules. In 2012, Texas created the Texas Medical Records Privacy Act, one of the country’s most stringent. Texas expanded the definition of “covered entity” and “business associate” to make even more organizations comply with HIPAA. For example, accounting firms, law firms, government agencies and insurance providers who come into possession of protected health information all squarely fall within the Texas definition.
A variety of Texas codes include privacy laws regarding health information, such as the Texas Occupations Code, the Texas Code of Criminal Procedure, the Texas Family Code, and many others. Everything from blood donations to hearing loss in newborns to mental impairments in offenders in correctional facilities is covered by some Texas code.
Texas also requires more extensive HIPAA training, and not just for physicians. Business associates and subcontractors who work with healthcare providers must undergo training, and may be found liable if they don’t. The Texas laws apply mostly to entities who exchange protected health information electronically.
What it Takes
What does it take to keep protected health information safe? Unfortunately, it takes a lot. The IT departments of most covered entities are overwhelmed by HIPAA rules, and many simply can’t afford the safeguards needed to comply. That’s where CoreSpace comes in. Our HIPAA-compliant data center environments provide a secure solution for covered entities. We understand HIPAA, and make sure our clients’ records comply with HIPAA’s three key requirements. All records must retain:
- Integrity – the information within the medical records themselves must remain accurate.
- Confidentiality – medical records are viewed only on an as-needed basis by authorized professionals.
- Availability – medical records can be recalled at a moment’s notice with little to no downtime.
CoreSpace passed an audit with flying colors, proving to be fully compliant. We operate at the top level of HIPAA’s guidelines. Our multi-tier security platform, highly trained service team and 24/7 access to your client records make us the safe and smart choice. If you want to lose your HIPAA headache, call us today. We’ll take over your HIPAA compliance load and let you get back to your core mission.