Passed in 1996, the Health Insurance Portability and Accountability Act did a lot of different things to the medical industry, but when people talk about “HIPAA Compliance,” they are usually referring to the HIPAA Privacy Rule, which set the standards for how individuals’ health records were allowed to be stored and transferred. According to the rule, there are 18 pieces of “Protected Health Information” that cover everything from medical records to payment history – all of which are off limits to anyone who hasn’t been given permission to see them.
Who is in charge of enforcing HIPAA?
The U.S. Department of Health and Human Services is tasked with monitoring organizations to ensure compliance. The HHS’ Office for Civil Rights gets roughly 17,000 complaints every year regarding HIPAA violations, and it decides whether or not legal action needs to be taken.
What HIPAA meant in the age of paper
Well, when everything was just on paper, the only times private information could accidentally be divulged were in medical studies, or when someone’s chart got lost. Of course, any time another doctor or case worker needed to access that information, another copy needed to be made, followed by another. HIPAA gave proper guidelines for how those copies needed to be secured, as well as how they needed to be disposed of when they were no longer needed. Fortunately, we are transitioning out of this era, because while spending an hour looking for a lost piece of paper is horrible, knowing that it could lead to a seven-figure settlement makes it all the more painful.
What HIPAA means in the computer age
Computers allow information to transfer from one party to another faster than ever, which is usually great. But that speed is dangerous when it comes to information as closely guarded as medical records. All it takes is for one document to be sent to a wrong email address, or a single cyber attack, and the next thing you know, that information could be spread across the globe and you have a lawsuit on your hands. Because of this, the medical industry has been slower than most to get away from paper. But the process is indeed happening, and HIPAA helps by providing guidelines for making that transition from paper to computer data a secure one.
What we mean when we say we’re HIPAA compliant
As you probably know, there are really two parts of our business that need to be HIPAA compliant: the document conversion and the data storage. In terms of the conversion itself, it means that our vehicles and storage site meet the security standards that HIPAA spells out to ensure we are the only people who will have access to the information. We also have a paper shredder here to dispose of the files on the spot, if that’s what you want. Our shredder is awesome. It can shred a full mountain bike in under 10 seconds (I assume).
As for the data storage, our cloud checks all of the boxes for being compliant from a security standpoint. Basically, there are three key aspects to meeting the regulations:
- Access control: These are the software features that prevent unauthorized access to information. They include unique user identification, automatic logoff, and encryption (both in transit and at rest).
- Physical safeguards: Pretty self-explanatory, but these barriers need to be not only in your office but wherever your database server is as well. They include things like having data automatically backed up to a remote location or cloud, as well as having a facility security plan in case anything goes wrong.
- Administrative safeguards: These add restrictions for access to more sensitive documents and make sure there aren’t unauthorized changes. For this, you need login monitoring, and a way to tier employees so only certain people can access certain information.
These are just a few questions that help give you a better understanding of what we mean when we say we’re HIPAA compliant. This was far from a complete overview of the rules and our specific security checks, so if you have any other questions, don’t hesitate to contact our sales team.