What is HIPAA?
The Health Insurance Portability and Accountability Act, often referred to by its acronym HIPAA, is a federal law regulating the United States healthcare system. The primary purpose is to protect the privacy and security of individuals’ health and medical information, namely Protected Health Information (PHI), and give certain inherent rights to that information.
HIPAA Compliance and Regulation: A Timeline
While not much has changed in the world of HIPAA compliance since 2013, it still has a long history of multiple changes. Keeping abreast of changes is key to remaining compliant, meaning HIPAA compliance is definitely not ‘set it and forget it.’
Major changes over the years include:
1996 — HIPAA is signed into law by President Bill Clinton
This is the first establishment of federal law to protect individually identifiable information.
2003 — HIPAA Privacy Rule went into effect
The Privacy Rule established standards to protect individuals’ private health information while still enabling the flow of information for high-quality health care.
2005 — HIPAA Security Rule went into effect
The Security Rule was established in response to the speed of technology innovation. This addendum secures individuals’ private health information while allowing the adoption of technology to improve the quality and efficiency of care.
2006 — HIPAA Enforcement Rule went into effect
The Enforcement Rule was enacted to standardize legal responses to HIPAA investigations, violations, and more.
2009 — February: HITECH Act is signed into law by President Barack Obama
The HITECH Act promotes the usage of health information technology while defining privacy and security details of electronically transferred health information.
2009 — September: Breach Notification Rule went into effect
The Breach Notification Rule requires covered entities to report a breach of unsecured health information. A breach is defined as, “...an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
2013 — Final Omnibus went into effect
The Omnibus Rule modifies all previous rules to provide the HHS OCR (U.S. Department of Health and Human Services Office for Civil Rights) with more power to enforce consequences for non-compliance.
HIPAA Compliance in the Modern World
HIPAA was enacted in 1996. This landmark legislation was the first of its kind in healthcare compliance. Initially, many understood HIPAA as strictly protecting PHI. But as we advance further into healthcare innovation, ePHI is a priority. As technology advances, HIPAA compliance and adherence must keep up — something easier said than done.
“As more and more service providers turn to electronic means of keeping records, you need solutions to make sure what is away from that environment is encrypted.”
Arvind Mistry, Director of Compliance
Who Needs To Be HIPAA Compliant?
Any organization or person who works in or with the healthcare industry or has access to PHI must comply with HIPAA. Healthcare providers and business associates. Examples include:
- Physicians
- Pharmacies
- Collection agencies
- Answering services
This legislation even extends to employers who provide health care plans to employees. The bottom line is if you’re not sure, it’s best to adhere to HIPAA.
Common HIPAA Compliance Challenges
HIPAA Technical Safeguards
Having the technical controls in place to protect your data is essential. However, these technical aspects of data security are not without their challenges. Different control types include:
- Access controls
- Audit controls
- Data integrity controls
- Data transfer controls
HIPAA Physical Safeguards
While much of HIPAA compliance relates to protecting digital healthcare-related data, you also need to be concerned with the physical safeguards you have in place to protect data. HIPAA physical safeguard challenges include:
- Facility security
- Workstation security
- Device security
HIPAA Administrative Safeguards
In addition to technical challenges, you’ll also face administrative challenges in your efforts to protect sensitive e-PHI. You must have comprehensive control of the processes associated with data protection. In establishing these processes, you may face the following obstacles:
- Establishing and following processes
- Security control oversight
- Employee training
- Ongoing assessment
HIPAA Risk Assessments
One challenging aspect of HIPAA compliance that many organizations face is risk assessments. These assessments are conducted regularly to identify vulnerabilities that may exist in your security measures. Once the vulnerabilities have been pointed out, you must take action to address them. Some common challenges with this process include:
- Not enough manpower
- Not enough time
HIPAA Policies and Procedures
Along with the administrative challenges you may face in your HIPAA compliance efforts, you may also face challenges with the process and procedure documentation process. Maintaining documentation of your policies and procedures and keeping those procedures up to date with current compliance regulations can be time-consuming and tedious. Specific challenges include:
- Regular review
- Updating compliance documentation
“People changed [first]… the rules and regulations followed. It’s a backward process.”
Arvind Mistry, Director of Compliance
Key to Success for HIPAA Compliant FTP
While all of these challenges may seem overwhelming, the best way to address many of them is to adopt a secure file-sharing solution. With the right solution in place, you can trust that your expert file-sharing vendor has all the appropriate security measures to protect your data.
Learn more about maintaining HIPAA compliance for your file sharing. Download this HIPAA compliance readiness report and use it to assess your organization.
%20Logos%202022/sharetru-white-logo.svg){kind=logo}