If you work in the healthcare or behavioral health industry, there’s a good chance your organization has access to electronic Protected Health Information, also known as ePHI. Because your workplace handles sensitive patient information on a day to day basis, you may be curious about what HIPAA (Health Insurance Portability and Accountability Act) regulations your facility must abide by. Failure to comply with certain regulations can lead to substantial fines, and even criminal charges, so it’s critical to stay up to date on the latest HIPAA requirements.

Before we go over our HIPAA compliance guide, let us first discuss HIPAA compliance in further detail.

The 411 On HIPAA Compliance

Stemming from the Health Insurance Portability and Accountability Act of 1996, HIPAA compliance involves fulfilling certain standards of how businesses handle PHI records. This act was not only enforced to protect the personal information of patients, but it was also used to encourage healthcare providers to get rid of paper records and move towards secure, electronic filing processes.

The HIPAA Privacy Rule

The HIPAA Privacy Rule explains how and when healthcare professionals, behavioral health experts, skilled nursing services, and schools can or cannot access personal health information. For example, if you end up in the hospital after a heart attack and you want your PHI to be accessible to your girlfriend or boyfriend, the law will require you to sign a HIPAA PHI Release Form before your doctor can hand over this information.

The HIPAA Breach Notification Rule

According to the HIPAA Breach Notification Rule, a facility has 60 days to notify an individual or patient of improper use of their PHI. For example, if your hospital faces a ransomware attack from internet hackers and gains access to a patient’s medical history, they will need to be notified about the event. If, the ransomware attack has affected more than 500 PHI records, your healthcare facility is required to notify the Department of Health and Human Services, and you’ll need to issue a press release about the breach.

When reporting a HIPAA violation, you should share the following information:

  • What type of PHI was affected and how the data was made available.
  • The person or people who had unauthorized access to the data.
  • What you have done to mitigate the damage.

In part two of this two-part series, we’re going to look at a list of common HIPAA violations you should be aware of.

If you’re looking for a HIPAA compliant messaging system for your hospital or healthcare facility, be sure to learn more about Inpriva’s hDirectMail plans. Our secure messaging system was originally developed for interoperable, secure messaging between healthcare providers and business associates, but it has extended to support the needs of other industries as well. Our hDirectMail plans start at just $99 a year for three hDirect addresses, but we also offer cost-effective plans that can be sized to meet your organization’s needs. Visit our plans and pricing page to see what plan will work best for your facility.