Comprehensive Compliance with HIPAA Part 164
Although HIPAA has been in effect for over two decades, compliance with the law is still not a straightforward task. Many still lack the appropriate measures applicable to their organisation or are unsure of how to comply with all of the HIPAA Rules set out in Part 164. Alyne’s technology can facilitate this process, and offers a comprehensive mapping of Part 164 of the HIPAA regulation, covering the provisions of the HIPAA Data Privacy, Security Controls and Breach Notification Rules.
Although the Health Insurance and AccountabiIity Management Act (HIPAA) was first enacted into law in 1996, compliance still remains an often challenging task, leaving many Covered Entities and business associates lacking the appropriate measures and still unsure of how to comply with all HIPAA Rules set out in Part 164. The law was designed to provide consumers with greater access to healthcare insurance, reduce fraud, protect the privacy and security of healthcare information and promote efficiency and standardisation within the sector. The HIPAA regulations apply to any Covered Entities which handles health or healthcare-related data, including financial clearinghouses, and any provider that uses or transmits Personal Health Information (PHI).
According to a report by Research and Markets, the global mobile health app market is expected to hit US$134.7 Billion by 2027. In fact, two-thirds of the world’s largest hospitals offer mobile apps to their patients. With the rise of telehealth, the need for data security in the healthcare space has increased the use and sharing of patients’ Electronics Health Record (EHR).
The proliferation of digital technologies has changed the way that many healthcare providers operate. As efficiency and connectivity increased, so did the storage and transmission of key pieces of confidential health information, mandating an even greater need for the security and privacy of patients’ information. HIPAA regulates the security, privacy and protection of Personal Health Information (PHI) held by the covered entities and third parties, and provides individuals with rights to understand and control how their health information is used or disclosed.
Alyne’s Comprehensive Coverage of HIPAA Part 164
When working to achieve compliance with HIPAA, companies often focus exclusively on § 164 Subpart C (Security Standards). Technically, to ensure full compliance with HIPAA, Covered Entities will need to also apply the rules set out in § 164 Subpart D (Breach Notification) and § 164 Subpart E (Privacy Aspects).
Alyne’s coverage of HIPAA primarily focuses on Part 164 of the regulation, which covers the HIPAA Security and Privacy rules. The HIPAA Privacy Rule (Subpart E) focusses on allowed and prohibited uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) along with data subject rights. Additionally, the Security Rule (Subpart C) is the security standard for the protection of PHI, defining both technical and non-technical requirements for safeguarding health information.
HIPAA Privacy Rules
The HIPAA Privacy Rule (Part 164 Subpart E) focusses on the many uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) with data subject rights. This includes medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.
HIPAA Security Rules
The HIPAA Security Rule (Part 164 Subpart C) is the security standard for the protection of electronic PHI (e-PHI). This set of rules ensures that there are both technical and non-technical safeguards (which include administrative and physical) to ensure that ePHI is transmitted and handled in a secured and responsible manner.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule (Part 164 Subpart D) requires Covered Entities and their Business Associates to notify affected individuals and the media of a breach of unsecured PHI. Depending on its severity, if the data breach affects 500 and more individuals, the Secretary of Health and Human Services has to be informed no later than 60 days following the breach.