The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has raised many questions around IT solutions that support healthcare initiatives. Although HITECH expanded the scope of HIPAA and set aside funds for enforcement, a true understanding of enforcement and guidance actions began only with the most recent Omnibus Final Rule. As a result, more U.S. healthcare organizations are increasing their budgets for IT compliance-related initiatives than in previous years. Not only is the number of investigations increasing, but the dollar value of the fines has also jumped tremendously, now reaching into the millions of dollars. Some associated class action suits are asking for sums in the billions.
ViaWest - HIPAA and Technology
A Covered Entity under the HIPAA Privacy Rule refers to health plan groups, health care clearinghouses and health care providers that transmit health information electronically, including doctors, dentists, chiropractors, insurers, Medicare, medical plans and billing services. These Covered Entities face the additional challenge of managing their Business Associates: revisiting agreements and ensuring that privacy, security, enforcement and breach notification updates are in place in order to meet the requirements of the Final Rule. A Business Associate (BA) under the HIPAA Privacy Rule refers to a person or organization that conducts business with a Covered Entity in a way that involves the use, access or disclosure of protected health information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act also specifies that an organization that provides data transmission of PHI is a BA. Examples of BAs include vendors, subcontractors and IT service providers that deliver managed hosting services requiring access to, use of or disclosure of PHI. Business Associates are now directly liable for complying with HIPAA: they must enter into BA agreements with Covered Entities, follow the associated policies and procedures, implement awareness programs and have the applicable security enforcement controls in place to support the environment that is subject to compliance. Per the Omnibus Final Rule, the Business Associate must formally report PHI breaches to the Covered Entity, to the U.S. Department of Health & Human Services (HHS) and, in some cases, to the media, adding even more potential overhead costs and risks. Both Covered Entities and Business Associates must work collaboratively to ensure the privacy and security protection of PHI. Both entities must also appropriately safeguard PHI through the agreed administrative, physical and technical requirements.