How to Comply With HIPAA Rules

The Health Insurance Portability and Accountability Act was implemented in 1996, during the Clinton administration. HIPAA was initially created to protect individuals from loss of health insurance when changing jobs. However, the final law created seven different titles, or rules, covering various health care plan and provider issues. The most widely known parts of HIPAA cover the privacy and security of patient health information. The United States Department of Health and Human Services oversees HIPAA. The DHHS does not require organizations or individuals to be certified, nor is there an official government "HIPAA certification" or an approved organization that provides HIPAA certification. However, the DHHS does require that "covered entities" comply with HIPAA.

Things You'll Need

  • HIPAA Privacy and Security Toolkit

Instructions

1. Determine if your organization is a "covered entity." HIPAA defines "covered entities" under three categories: health plans that provide coverage for medical care, health care providers that are paid or billed for health care, and health care "clearinghouses" that help facilitate the exchange of information between providers and insurance companies. If your organization meets any of the "covered entity" categories, then you must follow HIPAA law.

2. Educate staff on privacy versus security. HIPAA's Title II, or "Administrative Simplification," deals in part with measures to protect the security and privacy of patient health information. Privacy measures protect "individually identifiable health information" by releasing it only under specific requirements. Security measures protect electronic health information, such as electronic medical records and emails, against unauthorized disclosure and breach.

3. Appoint a HIPAA officer. HIPAA requires that each covered entity appoint a "HIPAA Officer." HIPAA officers ensure that the facility is in HIPAA compliance by creating, implementing and maintaining policies and procedures, training staff, and coordinating other HIPAA compliance activities.

4. Review HIPAA requirements. HIPAA sets forth stringent requirements that must be met by "covered entities." To meet privacy requirements, organizations must understand when protected health information can be released and to whom. Organizations must also implement the "minimum necessary" standard for disclosure, meaning only the least amount of information needed can be released. For security, organizations must ensure that electronic patient data is safe by such means as locks on computer rooms, password implementation, audit trails and information encryption.

5. Understand HIPAA penalties. The DHHS Office of Civil Rights is responsible for enforcing HIPAA rules and regulations. HIPAA enforcement includes both civil and criminal penalties. Although OCR's intention is not to penalize organizations that make mistakes, penalties will be assessed for deliberate noncompliance. Penalties include monetary fines and/or prison sentences, sometimes as much as $25,000 and ten years imprisonment for severe violations.

6. Decide whether you want an internal or external evaluation. Remember, the DHHS does not have an official HIPAA certification, nor does it approve others as official HIPAA certification organizations. However, there are still businesses that specialize in HIPAA requirements. For a fee, these organizations will review your policies, procedures and activities to ensure that you are in HIPAA compliance. Health care organizations confident in their own understanding of HIPAA can perform internal audits.
