The "simple" version of HIPAA rules and regs runs about 140 pages and can be extremely confusing. While we may not have all the answers, we know how to find them when we need them. If you need help bringing your healthcare business into line, we are a Certified HIPAA Business Associate and can assist you in meeting required standards.
HIPAA is U.S. Public Law 104-191 — the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve health care enabled by the nation's health plans and providers. HIPAA mandates standards-based implementations of security controls by all health care organizations that create, store or transmit electronic protected health information (PHI). The HIPAA Security Rule governs protection of PHI. Organizations must certify their security programs via self-certification or by a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.
HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA, and was part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply "meaningful use" of security technology to ensure the confidentiality, integrity, and availability of protected data. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS). On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “HIPAA Omnibus Rule,” a set of final regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Business Associates: According to 45 CFR 160.103: The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. WebX personnel have completed HIPAA privacy training for Business Associates, and we will provide you with a BAA (Business Associate Agreement) upon request.
Penalties For Non-Compliance: Failure to comply with HIPAA requirements can result in civil and criminal penalties, as well as progressive disciplinary actions through your organization, up to and including termination. These civil and criminal penalties can apply to both covered entities and individuals. Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:
Four categories of violations that reflect increasing levels of culpability
Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation
A maximum penalty amount of $1.5 million for all violations of an identical provision
Need professional assistance in becoming HIPAA compliant? We recommend Vitech Pros.