Any healthcare organization that stores, processes or transmits protected health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and safeguard all protected data. The related HITECH Act mandates securing a new regime of electronic health records (EHR) — and prescribes stiff penalties for organizations that fail to do so. Compliance entails deploying the security controls and processes needed to satisfy both laws.

HIPAA Compliance Videos

  - The HIPAA Omnibus Rule
  - HHS OCR – HIPAA Security Rule
  - Privacy & Security – The New HIPAA Rule
  - Electronic Health Records: Privacy & Security

About HIPAA / HITECH

HIPAA is U.S. Public Law 104-191 — the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve the health care provided through the nation’s health plans and providers. HIPAA mandates standards-based implementation of security controls by all health care organizations that create, store or transmit electronic protected health information. The HIPAA Security Rule governs the protection of PHI. Organizations must certify their security programs either through self-certification or through a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.

HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA and was enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply “meaningful use” of security technology to ensure the confidentiality, integrity, and availability of protected data. The detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).

Why HIPAA / HITECH Matters to Your Organization

People expect healthcare organizations to keep their personal health information confidential and safe from data breaches and other exploits. Healthcare organizations also have a direct self-interest in compliance, because penalties for non-compliance with HIPAA / HITECH can be substantial. In cases of “willful neglect,” a HITECH penalty can be at least $50K per violation, up to a total of $1.5 million in a calendar year. Other breach-related costs are incurred for discovery and containment, investigation of the incident, remediation, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.

Considerations for a HIPAA / HITECH Security Compliance Program

Security is a crucial part of HIPAA / HITECH. The Department of Health and Human Services states, “[It] is important to recognize that security is not a one-time project, but rather an ongoing, dynamic process.” HIPAA therefore requires security-related processes, many of which are best implemented with automated technology. HIPAA regulations do not mandate particular security technologies. Instead, they specify a set of principles to guide technology choices — principles that mirror those underpinning on-demand vulnerability management and policy compliance solutions.

Your organization’s compliance program should address three issues:

  1. Selecting and deploying security controls that meet HIPAA and HITECH requirements
  2. Regularly auditing the status of those controls to ensure continuous protection of PHI and EHR
  3. Maintaining compliance on an ongoing basis

Providing an independent assessor with audit-quality documentation of these steps and of your security measures simplifies compliance audits.

HIPAA Compliance White Papers

  - HIPAA Enforcement
  - Penalties for Violating HIPAA
