HIPAA Compliance FAQ

What Is HIPAA and HITECH?

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, which stipulates how covered entities in the healthcare industry and their business associates must secure and deal with protected health information about their patients. Compliance with the rules set forth by HIPAA is mandatory for all healthcare providers and companies.

HITECH is closely related to HIPAA. It stands for the Health Information Technology for Economic and Clinical Health Act, which is a component of the American Recovery and Reinvestment Act of 2009. This act deals with the usage of emerging health information technology over the years.

What Is Considered Protected Health Information (PHI)?

HIPAA defines protected health information as any personally identifiable information created or received by a covered entity and its business associates about an individual’s medical history, demographic details, health care services, and/or related payments made.

As per HIPAA, PHI can be classified into 18 different data elements. These can include the patients’ names, any connected IP addresses, and other data that can be used to identify the patient. PHI may consist of the following records:

• Medical histories
• Laboratory examination results
• Health records, whether physical or electronic
• Mental health conditions
• Health insurance information
• All other information required by healthcare entities to provide appropriate services to the patient

Health information can only be classified as PHI when (1) it is handled by an entity subject to HIPAA rules and (2) it can be traced back to individual patients.

However, the exceptions can vary from case to case, making HIPAA compliance consulting very important. Physician’s Resource can help you identify and seal these gaps and vulnerabilities in the security of PHI.

What Is the Difference Between a Covered Entity and a Business Associate?

Covered entities refer to institutions that handle and transmit protected health information to other parties for administrative and/or financial purposes. As defined by HIPAA, covered entities include health plans, healthcare providers, and healthcare clearinghouses.

Other entities that handle protected health information with or for a covered entity are referred to as business associates under HIPAA. Business associates, like IT companies and law firms, may be granted access to PHI as long as they sign a Business Associate Agreement with the covered entity.

This agreement stipulates how PHI should be used and disclosed by the business associate, provided that the information is safeguarded. The BAA would be based on the regulations set forth by the HIPAA Privacy, Security, and Breach Notification Rules.

Do Dental Offices Need HIPAA Training?

Compliance with HIPAA stipulates that training must be provided to all covered entities, together with their business associates and workforce. And dental offices are no exception.

Every employee, whether regular, part-time, or on-call, must receive proper dentistry HIPAA training to uphold the privacy and security of PHI. They can also get HIPAA consulting for dentists from renowned consultants like Physician’s Resource for comprehensive compliance.

What Happens During an HIPAA Audit?

The U.S. Health and Human Services Office for Civil Rights (OCR) conducts HIPAA audits every year. Companies may be picked based on three main reasons: (1) prior non-compliance, (2) complaints, and (3) breach reports. HIPAA also requires covered entities to do internal audits at least once a year.

During an HIPAA audit, OCR personnel will begin by requesting documentation related to how you manage PHI. Particularly, they will check for the following aspects:

• Policies you created in compliance with the HIPAA Privacy, Security, and Breach Notification rules
• Documentation of security incidents, data breaches, and related complaints, together with your response
• Agreements with your business associates
• Administrative procedures for keeping PHI secure and private, including HIPAA training and access protocols
• Technical safeguards, such as cybersecurity measures, against unauthorized access to PHI
• Physical protection and control that keep your computers, data storage, and other equipment safe

OCR auditors may also visit your site to check your physical safeguards and employee training. Once the audit is done, they will summarize everything in a report and determine whether your company is still HIPAA-compliant.

What Happens With an HIPAA Violation?

Should the OCR rule that your organization has violated the HIPAA requirements, you must take satisfactory action to fix the issue. In particular, you need to willingly comply with the HIPAA rules, take corrective steps, and agree to a settlement.

If you or your business associates fail to act appropriately per standards, OCR has the authority to impose civil money penalties upon you.

In such cases, you can request a hearing to contest the penalties. An administrative law judge from the Department of Health and Human Services will evaluate the evidence and determine whether the penalties are justified.

How Do You Get HIPAA Audit Protection?

HIPAA audits can be done at random, and you can take multiple steps to ensure that your business is always audit-ready.

First, you must ensure that your policies and procedures go hand in hand with the HIPAA rules. This includes not only good documentation but also proper employee training.

Second, record any big or small incidents that occur with the PHI you manage. Document your response to mitigate and/or resolve these incidents. OCR auditors will request them while investigating.

Third, familiarize yourself with the audit process. Better yet, perform regular internal audits to ensure everything stays compliant with HIPAA. Make sure to appoint someone to represent your business during the audit.

Ultimately, the best way to get audit protection is to be HIPAA-compliant. This can be challenging due to the evolving regulations, but you can make the process easier with an expert HIPAA compliance consultant by your side.

If you need Oregon HIPAA audit protection, Physician’s Resource is here to help.

How Can Physician’s Resource Help Us Stay HIPAA-Compliant?

At Physician’s Resource, your provider of the best compliance consulting in Oregon, we aim to provide you with HIPAA compliance programs that are easy to implement and fit your business resources.

We understand how fast the HIPAA landscape evolves, and that’s why we’re here: to help you keep up with the rules and regulations for safeguarding sensitive patient information over time.

Every business is unique, so we always begin by assessing your HIPAA risks and vulnerabilities. We check every nook and cranny, from your digital security systems to workforce training, before giving you tailored HIPAA compliance plans.

Call us at 1-800-615-1729 and talk with our compliance experts today. Let’s explore the various ways we can assist you with your HIPAA needs.