Since the advent of The Health Insurance Portability and Accountability Act (HIPAA) in 1996, healthcare providers of all kinds have worked to adhere to federal standards for protecting their patients’ rights and confidentiality as it relates to their health information.

Specifically, HIPAA mandates that providers ensure the privacy and security of health information, as well as adherence to standards for electronic data interchange of their patients’ personal health information (PHI).

While many view HIPAA as a single federal law, broadly speaking, it is made up of several pieces of regulations that were created over the years. Here is a timeline of the development of HIPAA as we now know it.

HIPAA – The Health Information Portability and Accountability Act

  • 1996:  HIPAA is born
    • Broad scope of changes to federal law, including privacy and security requirements related to the protection of patient data
  • 2003:  Privacy Rule Effective Date
  • 2005:  Security Rule Effective Date
  • 2009:  HITECH (Health Information Technology for Economic and Clinical Health) Act Effective Date
    • Introduced changes to HIPAA by creating the “interim final rule”
    • Most of the changes were later adopted as part of the HIPAA Omnibus Final Rule
  • 2013:  Omnibus Final Rule Effective Date
    • Includes updates to the Privacy & Security Rules
    • Finalized the Breach notification and Enforcement Rules

Today:  HIPAA applies to Covered Entities and Business Associates

  • Security Rule – directly
  • Privacy Rule – primarily through contractual arrangements (BAAs) with Covered Entities

HIPAA Compliance Enforcement & Breaches

As a provider of healthcare, you are considered a covered entity and therefore responsible for complying with full HIPAA regulations. A major part of this endeavor is ensuring that your patients’ health information is secure within your practice’s system. In today’s age of digitalized healthcare, data security is paramount and absolutely essential. Protecting yourself from breaches may not have been a concern for the private practice of 20 years ago, but now that we rely on electronic information for everything from billing to scheduling to claims, there is now a clear need to protect your patients and by extension, yourself.

Breaches come in all shapes and sizes

Security by obscurity is not security, and the hackers know this. If you think “they” are only going after big hospitals and insurance companies, you are mistaken. Small practices are a prime target because many times they lack the technical resources needed to appropriately secure their environment. Going back to the hhs.gov site, you can see a list of HIPAA activity as it relates to breaches and subsequent mandated remediation.

Why is PHI valuable

The battle for your patient’s data will continue in 2017 and beyond. PHI is extremely valuable on the black market, fetching up to several hundred dollars per record. Why is it so valuable you ask? Well, it has lasting value as compared to credit card information. Credit card information has a short lifespan once it is stolen since it’s so quickly canceled either by the victim or the card issuer.

Patient information, on the other hand, is harder to recover from, due to many factors concerning the serious nature of the stolen knowledge. A breach of PHI contains a goldmine of useable information for nefarious purposes – identity theft, social security numbers, driver’s licenses, medical fraud, and even blackmail.

Protect your data! 

HIPAA regulations can appear to be incredibly daunting so what do you need to focus on? Fortunately, the answer is simple – your data! But how do you do this? Well, you can tackle the HIPAA regulations quite easily – either on your own or with the help of a proven and trustworthy security solutions provider who can do the heavy lifting for you. If you do tackle it on your own, I recommend taking it one step at a time; afterall, we don’t want to see you on the list of HIPAA breaches next year.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *