
HIPAA and Covered Entities

Anyone who works in the healthcare industry knows that their organization takes steps to protect patient health information under a series of guidelines known as HIPAA.

There are several provisions to HIPAA that require organizations to use Federal guidelines to ensure digital health information is secure. Those provisions include:

  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Omnibus Rule

These provisions guide organizations on how to maintain proper security measures to keep an individual’s identifiable health data secure. Below we explore each of these provisions a little more:

The Privacy Rule

The Privacy Rule was created to provide national standards for protecting all health information that can identify a person. This includes any medical condition, healthcare payments and any changes in healthcare. Any healthcare provider, healthcare billing center, or health plan is required to follow the Privacy Rule.

The primary goal of this rule was to protect the individual’s data as it moves from one organization to another.

The Security Rule

The Security Rule created the standard for protecting health information that is either transferred or stored electronically. This rule established various guidelines that covered entities have to have in place in order to keep the health information secured.

The Enforcement Rule

The Enforcement Rule created provisions for what happens if a covered entity violates HIPAA. It relates to both the compliance side of HIPAA and the investigation procedures that follow a violation.

The Omnibus Rule

The Omnibus Rule strengthens both the Privacy Rule and the Security Rule. The main purpose of this rule was to help implement the guidelines set by the other rules and deliver fines to covered entities that break either the Privacy Rule or the Security Rule.

An important part of the Omnibus Rule is the Breach Notification Rule.

The Breach Notification Rule

The Breach Notification Rule was created to require HIPAA covered entities to report breaches of protected health data. A breach is any impermissible use or disclosure of the protected health data. When a covered entity discovers there has been a breach of its healthcare data, it has to take the following steps to notify the affected individuals, the Secretary and the media.

  1. The covered entity must notify all individuals that were affected by the data breach by either letter or email.
  2. If the data breach affected more than 500 individuals, the covered entity must notify the media.
  3. Finally, the covered entity has to notify the Secretary.

Covered entities are also required to document that all forms of notification have been completed following a healthcare data breach. These organizations are also required to have policies in place in case of a data breach, and to train employees on preventing and handling data breaches.

The Importance of a Complete and Detailed HIPAA Security Risk Assessment and Vendor Risk Management

With more covered entities storing protected health information electronically, it is important to fully understand the location of all of your organization’s healthcare data covered by the HIPAA Security Rule. This needs to be accomplished in your annual HIPAA Security Risk Assessment. If HHS investigates a data breach, they will review your risk assessment process.

If HHS determines your organization has not adequately identified all locations where your healthcare data resides, your risk of higher fines will increase. Additionally, the importance of business associate agreements and the requirements placed on your key vendors who possess your data need to be clearly articulated, and perhaps even audited.

It is important that your organization has a high-quality vendor risk management program in place. By outsourcing certain aspects of your operations or information processing, you have not outsourced your responsibility for protecting that information.

Sound due diligence and clear expectations of your critical service providers need to be established, documented, and validated to demonstrate you have taken the necessary steps to ensure your data is protected, regardless of whether it is in your systems or your vendors’ systems.

If you have any questions or would like to discuss this further, feel free to reach out to your local Blue & Co. advisor or Thomas Skoog.
