The creation of the Health Insurance Portability and Accountability Act (HIPAA) was a pivotal change in the United States healthcare industry.
Passed by Congress in 1996 and signed into law by President Bill Clinton, HIPAA was first designed to address the issue of health insurance coverage for people who were moving from job to job. Without HIPAA, individuals could have found themselves without health insurance, and potentially unable to pay for critical healthcare.
HIPAA later became associated with the introduction of industry-wide standards for patient data protection in the United States healthcare industry. HIPAA introduced stringent rules to ensure the safety of protected health information (PHI). Hackers and others with ill intent may try to access PHI to use it for nefarious purposes such as identity theft. Fraud can have long-term and devastating effects on its victims. One of HIPAA’s primary aims is to require organisations to enhance the level of security placed on sensitive data.
If the regulatory authority discovers that an organisation is breaching HIPAA’s rules, it is authorised to levy hefty financial penalties against the organisation. These fines act as significant deterrents to groups who may otherwise disregard HIPAA’s rules.
HIPAA is a thorough legislative act that considers the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Groups must carry out regular and in-depth risk assessments to assist them in achieving full compliance with HIPAA. These assessments help an organisation identify potential areas for improvement and highlight areas that are particularly vulnerable to breaches, so that it can establish a more robust security framework. HIPAA’s documentation does not give any specific guidance on what should be addressed in a risk assessment. However, the HHS Office for Civil Rights (OCR) has published a list of objectives that should be met when performing a risk assessment.
Among them are:
- List all PHI that is created, received, stored and transmitted – such as PHI shared with consultants, vendors and Business Associates.
- Name the human, natural and environmental dangers to the integrity of PHI – human threats including those which can be regarded as both intentional and unintentional.
- Assess what processes are in place to protect against dangers to the integrity of PHI, and the chance of a “reasonably anticipated” breach happening.
- Determine the possible effects of a PHI breach and give each potential occurrence a risk level based on the average of the assigned chance and impact levels.
- Record the findings and put in place measures, processes and policies where necessary to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
- The HIPAA risk assessment, the reasoning behind the measures, procedures and policies then put in place, and all policy documents must be kept for at least six years.
These measures may be implemented taking into account the size of an organisation, the types of data it handles, and other factors.