
HIPAA 101: The Basics

Updated: Feb 21

What is HIPAA?

  • HIPAA is a combination of law and regulation that dictates how healthcare providers, clearinghouses, insurers, and their respective business associates are to handle Personally Identifiable Health Information (PHI).

  • Originally passed in 1996, the law and its regulatory extension have had numerous updates, resulting in the requirements that now exist.


Who must comply?

HIPAA applies directly to:

  • Healthcare Providers / Practices

  • Healthcare Clearinghouses

  • Healthcare Insurers (including employers who self-insure their employees' healthcare)

  • The Business Associates of all of the above (which typically includes IT providers, software vendors, cloud service providers, attorneys, accountants, and others).


What are the core requirements?

While there are a lot of requirements for the different regulated entities, I'm going to focus on this from the perspective of the small or medium practice.

  • In the shortest terms possible, HIPAA requires that practices take certain steps to protect PHI from unauthorized disclosure.

  • PHI is personally-identifiable information relating to the diagnosis, treatment, or payment of any past, present, or future patient.

  • Fundamentally, HIPAA requires, among other things, that practices identify and mitigate risks to PHI.


What are the consequences of noncompliance?

  • Fines against the practice (the average is around $1MM)

  • Imprisonment of 1-10 years

  • Fines against individuals from $1,000-$100,000

Some violations of HIPAA can also be violations of other government regulations, such as Medicare regulations and the False Claims Act - which also carry their own penalties.


How do we become compliant?

  • The first step is education - you can't pursue compliance if you don't know what you're trying to comply with. Every practice needs a compliance officer who is deeply knowledgeable about the regulation.

  • Then you can begin working through the risk management process: establish compliant policies and procedures, train all staff, track certain indicators, and eventually establish a fully functional, verifiable, defensible compliance program that ensures the practice is taking the steps necessary to manage risks to PHI.
