An Introduction to HIPAA & HITECH Compliance

If your organization handles individuals’ Protected Health Information (PHI), chances are high that compliance with HIPAA is required.  So, what does that mean?  What’s HIPAA?  What’s HITECH?  What’s PHI?  What does compliance entail?

First, some basics:

  • HIPAA is the Health Insurance Portability and Accountability Act.  It’s an expansive statute, and only a small portion of it governs the protection of PHI and electronic PHI (ePHI).  These portions are known as the Security Rule and the Privacy Rule.  More on these Rules later.  HIPAA applies to “covered entities” (e.g., hospitals, doctors, and insurance companies) and “business associates” (companies that handle ePHI on behalf of a covered entity, like a consulting firm, accounting firm, or hospital vendors).
  • HITECH is the Health Information Technology for Economic and Clinical Health Act.  When it was passed in 2009, it augmented HIPAA’s requirements (among several other things, which will be discussed in other posts).
  • PHI is sensitive, individually identifiable information about a patient, like diagnosis data, social security numbers, name, address, treatment specifications, phone number, medical payment information, etc.  PHI includes hard copy records and data held in electronic form/ePHI.  If ePHI exists on your organization’s IT systems, HIPAA compliance flags should be raised immediately.
  • Compliance with HIPAA and HITECH rules was formally mandated in the Final HIPAA Omnibus Rule.  So now, organizations seeking to comply with HIPAA should look to the requirements of the Omnibus Rule.

Stated simply, if you are a covered entity or a business associate, you have to comply with the Omnibus Rule.  Let’s take a detailed look at the key requirements:

  • The Security Rule sets forth the framework for protecting people’s ePHI.  The rule is comprised of Administrative Safeguards, Physical Safeguards, and Technical Safeguards.  The Safeguards combine to create a set of controls that covered entities and business associates must implement to ensure ePHI is handled, stored, and maintained in a secure manner.
  • The Privacy Rule provides guidance for the use and disclosure of PHI.  It governs how, when, and under what circumstances a patient’s PHI can be provided to others.  The Privacy Rule balances the need to share patients’ medical and other information with the need to keep such data confidential and private.
  • The Breach Notification Rule states the procedures to be taken if there is an unauthorized use or disclosure of PHI.  In the event of a breach, the organization must provide notice to the individual(s) affected within 60 days of discovering the breach.  Notice must also be given to the media and to the Secretary of HHS if the breach involved more than 500 people.  A disclosure of PHI will be presumed a “breach” and thus trigger breach notification procedures unless the organization can demonstrate a low probability that the PHI was actually compromised.
  • Penalties have increased with the passage of the Omnibus Rule.  Now, organizations can be fined up to $1.5M for willful HIPAA violations.  Considering these penalties, as well as the government’s continued auditing activities, there is significant incentive to become HIPAA compliant.

The information in this post is, as the title suggests, only introductory.  Be on the lookout for subsequent posts that discuss some of the elements discussed above in greater detail.  For more info on our outstanding healthcare security services, visit Lunarline.com, or give us a call.


About Joshua Merkel

Josh is Lunarline's Director of Privacy. He is a licensed attorney and holds CIPP and CIPM certifications. In addition to data privacy consulting, Josh acts as a subject matter expert supporting HIPAA compliance assessments, and leads FISMA/NIST efforts for several clients.