The Health Insurance Portability and Accountability Act (HIPAA) is a federal law from 1996 that requires most healthcare organizations to ensure the privacy and security of most of their patients’ information.
The three different types of healthcare organizations that HIPAA applies to are: healthcare providers (including hospitals and physicians offices), health plans (including health insurance companies), and health care clearinghouses (including billing services).
It also applies to any person or organization that these three types of healthcare organizations share their patients’ data with—so-called “Business Associates”—including IT hosting companies like IronOrbit.
The law requires these organizations to ensure the privacy and security of any “individually identifiable health information,” which the Department of Health and Human Services (HHS) defines as “information that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
HIPAA requires healthcare organizations to protect this data by doing the following:
- Implementing “reasonable and appropriate administrative, technical, and physical safeguards to prevent the intentional or unintentional use of disclosure” of this data
- Implementing “technical policies and procedures that allow only authorized persons to access electronic” individually identifiable health information
- Implementing measures to prevent unauthorized physical access to any IT hardware that contains or handles any individually identifiable health information
- Keeping this data from being “improperly altered or destroyed”
- Protecting this data from being inappropriately accessed when it’s being transferred via a network
- Setting up an auditing system that logs activity on systems that contain this data
In addition to ensuring the privacy and security of patients’ information, HIPAA also requires healthcare organizations to do the following:
- Perform risk analyses on a regular basis in which they consider all potential risks to patient data and implement or change their security policies, procedures, and measures to protect their data from these risks
- Designate a privacy and security official that’s formally in charge of “developing and implementing” the organizations’ privacy and security policies and procedures
- Develop, implement, and maintain privacy and security policies and procedures, and maintain records of these privacy and security policies and procedures for at least six years “after the later of the date of their creation or last effective date”
- Train their employees to follow these privacy and security policies and procedures
- Sign “Business Associate Contracts” with anyone outside of their own organization they allow to access their patients’ information
- Notify affected patients, the HHS, and “prominent” media outlets within 60 days whenever a security breach occurs
Penalties for noncompliance with HIPAA can reach up to $1.5 million per calendar year per violated HIPAA requirement.
Organizations will not be punished if their violations that are not the result of “willful neglect” and they correct them within 30 days of becoming aware of them.
Employees of healthcare organizations may face criminal charges, and up to 10 years’ imprisonment and fines of up to $250,000, if they knowingly make patients’ information available to people that aren’t authorized to access them.