HIPAA

Frequently Asked Questions

• What is HIPAA?

  HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law enacted in the United States in 1996 with the primary goal of protecting the privacy and security of individuals' health information. The law includes regulations that govern how healthcare providers, health plans, and other entities (like business associates) handle sensitive patient information.

  The responsibility of overseeing the implementation of the law lies with the Department of Health and Human Services (HHS), while the Office for Civil Rights (OCR) takes on the crucial role of enforcing the HIPAA law.

  When most people refer to HIPAA, they refer to the Privacy, Security, and Breach Notification Rules.

  The Privacy Rule sets forth the guidelines and limitations for handling patient information, ensuring that it is treated with utmost confidentiality and care. The Security Rule is dedicated to protecting electronic patient data (e-PHI) and implementing measures to prevent unauthorized access or breaches. Lastly, the Breach Notification Rule acts as a compass, outlining the parameters of what constitutes a privacy or security breach in relation to patient information.

• Who needs to be HIPAA compliant?

  HIPAA defines two distinct categories of organizations that need to maintain HIPAA compliance: “covered entities” and “business associates.”

  Covered entities are health organizations who collect, transmit, and store PHI. HHS identifies three categories of covered entities: healthcare providers, health plans, and health clearinghouses. 

  Business associates include any individual or organization outside of the covered entity’s workforce who even temporarily hold or process PHI as part of their work, including legal services, accountants, third-party billing and payment services, email service providers, and cloud computing services.

• What is a Security Risk Analysis?

  A Security Risk Analysis identifies and documents all potential risks to your organization’s ability to do business.

  It is one of the best ways to understand your organization's risk for threats like data loss, cyberattacks, or unintentional disclosure.

• Who enforces HIPAA?

  There are a variety of state and federal agencies that enforce HIPAA, depending on which area is being enforced.

  Two federal agencies often responsible for enforcing HIPAA regulations are the Centers for Medicare and Medicaid Services (CMS) for Administrative Requirements, while the responsibility for enforcing the Privacy, Security, and Breach Notification Rules is delegated to the Office for Civil Rights (OCR).

  Additional enforcement agencies may include the Department of Justice, State Attorneys General, and Federal Trade Commission (FTC).

  Source: The HIPAA Journal

• What is a Corrective Action Plan?

  When a review indicates an underlying culture of noncompliance the Centers for Medicare and Medicaid Services (CMS) or the Office for Civil Rights (OCR) may initiate an investigation.

  If an underlying culture of noncompliance is confirmed, CMS or OCR will impose a corrective action plan which may consist of a risk analysis, the development of new policies and procedures, and the comprehensive retraining of members of the workforce.

• What is the HIPAA "Wall of Shame"?

  The HIPAA Breach Reporting Tool, also known as the "Wall of Shame," serves as a comprehensive record of organizations that have experienced healthcare data breaches impacting over 500 individuals since the start of enforcement. This interactive database, maintained by the Office of Civil Rights (OCR), allows users to search and uncover instances of HIPAA violations, ensuring a permanent record of accountability.