Understanding HIPAA isn’t as easy as it sounds. If you work in the medical or health insurance industries, I’m sure you are very familiar with the acronym HIPAA. If you don’t work in these industries, however, you may have heard a little about “HIPAA” when filling out medical forms, but you probably don’t know all that it entails.
While most people probably know HIPAA is related to information privacy, I wonder how many could describe how HIPAA laws apply to us as patients or how they apply to the medical community? Whose responsibility is HIPAA compliance? More importantly, should you or I be concerned with HIPAA as it relates to technology?
QUESTION 1: How do HIPAA laws apply to you or me as patients?
QUESTION 2: How do HIPAA laws apply to the medical community?
To find answers to the first two questions, I recommend going directly to the source. There is a government website specifically intended to address the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the protection it offers (See: HHS.gov).
I’m not a huge fan of Wikipedia (a conversation for another time), but it happens to be a pretty good resource on this topic, due to the external references they provide (See: Wikipedia).
You may be interested in additional information pertaining to HIPAA, like:
- HHS.gov covers the protection the Health Insurance Portability and Accountability Act of 1996 (HIPAA) offers for the privacy of individually identifiable health information, the rights it grants to individuals, OCR’s enforcement activities, and how to file a complaint with the HHS Office for Civil Rights (OCR).
- HHS.gov also tells us that authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) was delegated to the Office for Civil Rights (OCR) on July 27, 2009.
- HHS.gov also tells us that Congress mandated improved enforcement of the Privacy Rule and the Security Rule in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The idea is that privacy and security are naturally intertwined: both address protected health information, so combining enforcement authority in one agency within the U.S. Department of Health & Human Services is expected to facilitate the needed improvements.
QUESTION 3: Whose responsibility is HIPAA compliance?
You could simply answer this question by saying EVERYONE, but it is a little more complex than that. We are, after all, dealing with the medical and insurance industries.
Each medical office must first collect and provide information in accordance with HIPAA regulations. Next, the systems used to access, add or update patient information must be HIPAA compliant. Storing, backing up and securing that information is crucial, so any systems used to make this possible must also be HIPAA compliant. Finally, the methods used to transfer information within the medical industry, or to insurance companies, must be HIPAA compliant as well.
The insurance industry has to meet similar requirements. Methods of receiving information from the medical industry must be HIPAA compliant. Any additional information collected or provided must be handled in accordance with HIPAA regulations. Each of the systems used to access, add or update patient information must be HIPAA compliant. Storing, backing up and securing information is just as crucial to the insurance industry, so these systems must also be HIPAA compliant. Again, the last part is to make sure the methods used to transfer information within the insurance industry, or to medical offices, are HIPAA compliant.
This brings us to my last question…
QUESTION 4: Should you or I be concerned with HIPAA as it relates to technology?
If you or I wish to work within the medical and/or insurance industries as technology professionals, the services and solutions we provide must be HIPAA compliant. Ultimately, as I understand it, the medical institution or insurance company is responsible for any HIPAA violation. However, if the service or solution we provided resulted in any form of HIPAA violation, we as technology professionals and our companies will also be held liable. (In HIPAA terms, a vendor that creates, receives, stores or transmits protected health information on behalf of a covered entity is a “business associate,” and the HITECH Act made business associates directly subject to the Security Rule and its penalties, rather than liable only through their contracts.)
Now for my DISCLAIMER! This article is based on my own research. I am not responsible for HIPAA compliance decisions made by you and/or your company, unless under contract to assist you and/or your company with such decisions. Contracts with Bamajr are in writing, signed by both parties and include fees payable to Bamajr!