The Health Insurance Portability and Accountability Act (HIPAA), and its revised rules – Health Information technology for Economic and Clinical Health Act (HITECH) covers any entity that has access to patient information or provide support in treatment, operations or payment in the health industry. These standards lay down security policies aimed at protecting the availability, integrity and confidentiality of personal health information. Few finer aspects of this standard that you may not be aware of are listed below:
#1. HIPAA Does not Recommend and Set Procedure
HIPAA does not specify or recommend any technology platform or design to secure the data. The onus is on the provider to use industry best practices, or face the risk of being considered as negligent. As such, a mere self-proclamation of the data centre being HIPAA compliant doesn’t actually convey anything. Clients need to dig deeper and find out how exactly the data centre is ensuring HIPAA compliance security.
#2. HIPAA Mandates Physical Controls
Apart from technical safeguards that restrict access of electronic personal health information, audit stipulations, and disaster recovery protocols, HIPPA mandates having in place physical safeguards, which encompasses restricted access to the facility, controls on removing, transferring, disposing or re-using electronic media, and more.
#3. HIPAA Mandates Training
HIPAA stipulates that all employees involved in handling personal medical information be given training in proper security practices, and be made aware of the policies, reporting needs, datat protection protocols and more.
#4. HIPAA Mandates Reporting Violations
HIPAA rules mandates that the data centers, or any service provider for that matter, to report any misuse of personal health information to the Department of Health and Human Services (HHS) in the Office of Civil Rights (OCR). It thus places an additional responsibility on the service provider, than merely follow the laid down protocols.
#5. HIPAA Takes Business Associates Agreements Seriously
HIPAA mandates having a thorough and comprehensive Business Associates Agreement (BAA) that documents and communicates the laid down policies. Not having such a BAA may construct as willful negligence, and make the parties liable for fines ranging from $10,000 to $50,000 per incident and potential criminal charges.