Does Your Company Need To Be HIPAA Compliant?
A new rule extends HIPAA compliance requirements to covered entities’ business associates, forcing them to reexamine data security and privacy. Many companies could be considered “business associates” under the new HIPAA compliance rule. These associates include technology services providers such as software vendors, IT support companies, consulting outfits, data processing, companies hosting companies, cloud service providers, as well as Law Firms, Accounting Firms, and Financial Advisors any vendor potentially comes in contact to a client’s ‘personal’ electronic data. It’s this situation where many business associates don’t realize they’re now considered one and therefore must follow the new HIPAA rules.
HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
Is divided into three categories, these are safeguards that include administrative, physical and technical controls. The standards set by these safeguards are the source of most of the confusion is how to satisfy HIPAA. These details are called HIPAA implementation specifications, and they are defined as either required or addressable.
Required HIPAA implementation specifications are straight forward where the healthcare provider must implement the rule as specified. A disaster recovery plan is an example of a required specification under the HIPAA Security Rule.
The rule requires the placement of safeguards, both physical and electronic, to ensure the secure passage, maintenance and reception of protected health information (PHI). When assessing the risks and vulnerabilities associated with PHI and electronic protected health information (ePHI), there are three questions health care organizations should ask.
- Can you identify the sources of ePHI and PHI within your organization, including all PHI that you create, receive, maintain or transmit?
- What are the external sources of PHI?
- What are the human, natural, and environmental threats to information systems that contain EPHI and PHI?
Enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), the HIPAA Security Rule aims to protect patient security while still allowing the health care industry to advance technologically. The U.S. Department of Health and Human Services (HHS) established national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
Establish the organizational processes first and then employ technology to facilitate them. You can fine tune both your processes and your technology practices as you go, but be confident that your organizations are clear on who’s responsible, what needs to be protected, and how you will protect it.
Achieving HIPAA compliance is not easy. We need to be mindful of fundamental elements of compliance, while making the goals understandable to help your organization meet the challenge more effectively. We at CrafTech can help you accomplish this!