The HIPAA privacy rule sets out rules for how doctors, clinics, dentists, nursing homes, hospitals, and other healthcare providers protect your personally identifiable health information.
This can include implementing safeguards to prevent unauthorized access to patient records and responding promptly when patients request their information. It can also include making sure all employees know how to handle the privacy of patient data.
What is a covered entity?
A covered entity under HIPAA is any health plan, health care clearinghouse or health care provider that electronically transmits any type of protected health information. This includes your doctor, hospital, insurance company and health insurance plan, whether you are insured by a private, employer, state or federal plan.
However, being a covered entity does not by itself make an organization HIPAA-compliant. Under HIPAA, a covered entity must have a written contract or other arrangement with each of its business associates that establishes specifically what the associate is engaged to do and requires the associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.
The size of a covered entity and its business model affect the number of business associates it contracts with, as well as the complexity of managing those relationships. Larger covered entities generally find it easier to manage their business associates than small ones do.
What is a business associate?
A business associate is a person or entity that creates, receives, maintains or transmits protected health information on behalf of a covered entity. This includes document storage companies, personal health record vendors, and data transmission companies.
Several commenters asked for clarification as to whether entities such as Health Information Organizations or E-prescribing Gateways were included within the definition of “business associate.” This was not clear from the statutory language, so we decided to include them in the final rule’s definition of business associate.
In addition, a third-party contractor whose duty station is at a covered entity and who has more than incidental access to protected health information is a business associate. This is an important consideration when dealing with cloud-based document storage companies, since such a company is considered a business associate to the extent that it stores protected health information on behalf of a covered entity.
What is an authorization form?
An authorization form is a document, duly endorsed by an individual or organisation, that grants another individual or organisation permission to proceed with certain actions. These forms are often used to grant permission to carry out a specific action for a fixed period of time.
A credit card authorization form is a type of authorization form that helps businesses process purchases without needing the cardholder’s physical credit card present at the time of the transaction. This can help a merchant save time on completing credit card transactions and avoid chargeback abuse.
Authorization forms are typically used by businesses that want to charge a cardholder’s credit card repeatedly over a certain period of time. This is especially true for recurring payments, such as subscription-based services or online retail stores.
What is a breach?
A breach is a security event that results in unauthorized access to unsecured protected health information (PHI). Covered entities and business associates must report breaches within 60 days of discovering them.
Those breaches must be reported to the HHS, relevant state attorneys general, and, in certain circumstances, to affected individuals. Breach notification letters must be sent by first-class mail to the last known address of each individual impacted, or, if that individual has given authorization, by email.
One example: a technician accidentally views a patient chart while doing her authorized job, but does not disclose the PHI in a way that violates the rule; that alone is not a violation. If she shares the chart with a friend, however, she could violate the HIPAA rule by sharing it in an unallowable manner.
Conclusion
Maintaining HIPAA compliance is a long-term commitment. Implementing access management solutions is a crucial step to ensure teams have only the permissions they need while keeping PHI safe from unauthorized users.