If you have landed here, on the Empeek insights page, you probably have a digital health idea in mind. A new healthcare app? An ongoing EHR project? A telemedicine startup concept? Whatever it is, you want to help people receive better health care. Kudos, and we are here to light the way.
Patients' health records are among the most sensitive data there is, so they must be handled properly. When Bill Clinton signed HIPAA into law in 1996, its original focus was insurance portability; the Privacy and Security Rules that define data protection today were added by regulation in the years that followed. Nowadays, HIPAA compliance is not rocket science, but it still demands consistency and accountability from covered entities.
HIPAA applies to health plans, health care clearinghouses, and health care providers that create, receive, maintain, or transmit protected health information (PHI), including electronic PHI (ePHI) held in EHR systems, and, through business associate agreements, to the vendors that handle PHI on their behalf. That brings a long list of restrictions, requirements, and penalties. Let's dive in.
Who Does HIPAA Apply To?
Health Plans – With some exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many types of organizations and government programs as health plans.
Health Care Clearinghouses – A public or private entity, including a billing service, repricing company, or health management information system, that processes health information received from another entity, typically converting it between standard and nonstandard formats.
Health Care Providers – A provider of medical or health services, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Under HIPAA a provider is a covered entity only if it transmits health information electronically in connection with a standard transaction (claims, eligibility checks, and the like).
Health Care – Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, services, assessments, or procedures concerning the physical or mental condition or functional status of an individual, or that affect the structure or function of the body; and (2) the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
How do you become a hybrid HIPAA entity?
The Privacy Rule also recognizes hybrid entities: single legal entities whose business includes both covered and non-covered functions. Through the hybrid entity designation provisions, such an organization avoids applying the Rule to the whole company and applies it to its health care components instead.
To become a hybrid entity, the organization must designate its health care components in writing. These must include every component that would meet the definition of a covered entity if it were a separate legal entity, and every component that would be a business associate of one if it were separate. The designation may also include components that perform covered functions but are not themselves covered (for example, a health care provider that does not conduct electronic standard transactions). Everything outside the designated components falls outside the Privacy Rule, but PHI must not flow from the health care components to the rest of the organization except as the Rule permits.
Key HIPAA Compliance Components
To understand HIPAA compliance is to understand the three pillars of the Act: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The HIPAA Privacy Rule sets the standards for how protected health information (PHI) may be used and disclosed, in any form, whether paper, spoken, or electronic.
It covers any individually identifiable information about:
- The patient’s physical or mental health condition;
- The class of healthcare provided to the patient;
- Healthcare service payment information;
- Identifiers that tie the data to a person: name, address, birth date, SSN, and similar.
The Privacy Rule also gives patients rights over their data: to receive a notice of privacy practices, to obtain a copy of their records (generally within 30 days of the request, with one 30-day extension allowed), and to request corrections to those records.
The HIPAA Security Rule, by contrast, applies only to ePHI and requires administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability. It does not prescribe specific products or algorithms; instead, the first step is a documented risk analysis, and the safeguards you adopt must address the risks you found.
Here is the main requirements checklist:
- ePHI should be encrypted at rest and in transit, at every stage where it is created, stored, or sent. Encryption is an "addressable" specification under the Security Rule: you are not strictly forced to encrypt, but if you choose not to you must document why and what equivalent safeguard you use instead. In practice, encrypting is the only sensible choice, because properly encrypted data that is lost or stolen is not a reportable breach.
- The organization must conduct a risk analysis of its ePHI, maintain a risk management plan, and repeat the exercise whenever systems or threats change.
- Access to PHI must follow the minimum necessary standard: only workforce members whose role requires it can see it, each user has a unique ID, and access is logged and audited.
- Every staff member must be trained on the organization's HIPAA policies, with the training documented.
Many companies still run legacy IT systems that cannot cope with today's breaches and vulnerabilities. That is why we consult HIPAA-covered entities on modernizing their security infrastructure to meet these challenges sensibly.
The HIPAA Breach Notification Rule is the cybersecurity-facing part of the Act, and breaches have become one of the most discussed topics of recent years. After a breach of unsecured PHI, you must notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services (HHS) within the same 60 days, and if more than 500 residents of a single state or jurisdiction are affected, prominent local media must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. Business associates, in turn, must report breaches to the covered entity they serve.
Are Google Drive, Gmail, and Zoom HIPAA compliant?
They can be, but there are nuances. No service is HIPAA compliant on its own: a covered entity may store or transmit PHI through a cloud vendor only if the vendor signs a Business Associate Agreement (BAA) and the service is configured and used in line with the Security Rule.
Google offers a BAA for Google Workspace (formerly G Suite), which covers Google Drive and Gmail among other core services. The platform encrypts data in transit with TLS and at rest on Google's servers, and Google's support pages state that customer privacy is a top priority. Consumer Gmail accounts and services outside the BAA are not covered.
Zoom also takes security seriously and offers a BAA to covered entities on its healthcare plans, with settings such as end-to-end encryption and disabled cloud recording that those customers are expected to use.
Yet HIPAA regulates how you use a technology, not merely which service you pick. You must think not only about Google Drive itself but also about how you are using it: who can access which folders, whether sharing links are restricted to your domain, whether two-factor authentication is enforced, and whether audit logs are reviewed.
If your employees handle PHI files in Google Workspace correctly, your processes are HIPAA compliant. If an employee mishandles the data, for instance by sharing a file publicly or forwarding PHI to a personal account, you have violated the HIPAA rules, whatever the vendor's certifications say.
So if you choose Google Drive as your HIPAA-compliant data-sharing platform, you are entering a high-risk, high-responsibility zone. That is why we often partner with healthcare providers to make sure the human factor does not lead to penalties.