HIPAA Compliance
Want to avoid HIPAA violations? Here are some tips to help you comply with HIPAA's Security Rule and Privacy Rule and avoid substantial fines.
Updated July 23, 2020:
Learn More about HIPAA Compliance for Businesses
Along with protecting workers from the exclusion of preexisting conditions, HIPAA also protects patients’ paper and electronically stored medical information through the Security Rule and Privacy Rule, which were implemented by the U.S. Department of Health and Human Services.
In order to be in compliance with HIPAA, each covered entity must ensure that it abides by the Security Rule and Privacy Rule standards.
Security Rule - Safeguards and Compliance
The Security Rule, a HIPAA provision, was included to ensure the confidentiality, integrity, and availability of electronic patient health information (EPHI). There are three types of security safeguards necessary for compliance with the Security Rule: Administrative, Technical, and Physical. For each of these three types, there are security standards set forth for implementation.
Administrative Safeguards. To comply with the Security Rule, there are certain administrative functions within a covered entity that must be in place. Some of these functions include: coming up with a written set of privacy procedures, assigning privacy officers, starting an ongoing training program for employees who will be handling EPHI, and responding to security breaches in a timely manner.
Technical Safeguards. The technical safeguards deal with the technical measures that must be implemented to protect data and access to data. These include but are not limited to: producing documentation of HIPAA practices and making it available to the government, implementing risk analysis and risk management programs, and ensuring that data has not been erased in an unauthorized manner.
Physical Safeguards. Physical safeguards relate to the measures that should be taken to control physical access to EPHI. Some examples are: monitoring access to equipment containing health information, allowing only certain individuals access to software and hardware, and training any contractors and agents on their physical access limitations.
Privacy Rule Compliance
The HIPAA Privacy Rule regulates covered entities’ use and disclosure of Protected Health Information (PHI). This information broadly includes any oral or recorded information regarding the health status, health records, and payment history of an individual. In order to be HIPAA compliant, the first thing to do is assign a Privacy Officer. Some examples of things a Privacy Officer should do to implement the Privacy Rule are:
Keep track of the entity’s compliance with HIPAA;
Train staff on the HIPAA Privacy Rule;
Keep records of combination codes and PHI accessibility;
Maintain records and forms in a highly secure manner;
Make sure patient files are locked up;
Regulate PHI privacy by limiting access to the software;
Keep uses and disclosures of PHI to the minimum amount necessary; and
Inform patients of their rights and support them in exercising those rights.
This list is not exhaustive, but the idea is to protect as much patient information as possible from being disclosed.
As covered entities grow, it is important to make HIPAA compliance a top priority. This helps protect against violations that could result in severe professional and financial penalties.
If you have any questions about HIPAA compliance, you can post your legal need on UpCounsel's marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Menlo Ventures, and Airbnb.