The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was written to protect health insurance coverage for workers and their families when they change or lose their jobs, and its Privacy and Security Rules set the baseline for how health information must be handled. Unprotected health information is a tempting target for attackers and other data thieves, as illustrated by the recent breach at Anthem, one of the largest health insurers in the US.
In 2003, the U.S. Department of Health and Human Services (HHS) finalized the HIPAA Security Rule, which requires organizations to put “administrative, physical and technical safeguards” in place to protect electronic protected health information (ePHI). The Privacy Rule, which preceded it, governs the use and disclosure of individuals’ health information by organizations subject to the rules, called “covered entities.” Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing both rules, through voluntary compliance activities and civil money penalties that range from $100 per violation up to an annual cap of $1.5 million for violations of the same provision. The law also provides criminal penalties, prosecuted by the Department of Justice, of up to 10 years in prison for knowingly misusing individually identifiable health information.
With so much at stake, many large medical and health enterprises, particularly those with their own IT departments, have dedicated HIPAA specialists whose primary task is to guard against any kind of HIPAA non-compliance. Some smaller businesses, especially medical practices without a resident IT HIPAA specialist, partner with a trusted Managed Services Provider (MSP) to ensure HIPAA compliance; note that such an MSP is itself a “business associate” under HIPAA and must sign a business associate agreement. Either way, HIPAA compliance requires a concentrated team effort and attention to detail.
Here are five essential best practices for HIPAA compliance:
- Perform a Protected Health Information Inventory
- Evaluate Your Security Policies
- Conduct a Risk Analysis
- Plan for Contingencies
- Have an Incident Response Policy and a Disaster Recovery Plan
Read on to learn more about how you can implement each of these compliance best practices.