
HIPAA and Covered Entities

Anyone who works in the healthcare industry knows that their organization takes steps to protect patient health information under a series of guidelines known as HIPAA.

There are several provisions to HIPAA that require organizations to use Federal guidelines to ensure digital health information is secure. Those provisions include:

  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Omnibus Rule

These provisions guide organizations on how to maintain proper security measures to keep an individual’s identifiable health data secure. Below we explore each of these provisions a little more:

The Privacy Rule

The Privacy Rule was created to provide national standards for protecting all health information that can identify a person. This includes any medical condition, healthcare payments and any changes in healthcare. Any healthcare provider, healthcare billing center, or health plan is required to follow the Privacy Rule.

The primary goal of this rule was to protect the individual’s data as it moves from one organization to another.

The Security Rule

The Security Rule created the standard for protecting health information that is either transferred or stored electronically. This rule established various guidelines that covered entities have to have in place in order to keep the health information secured.

The Enforcement Rule

The Enforcement Rule sets out what happens if a covered entity violates HIPAA. It covers both the compliance side of HIPAA and the investigation procedures that follow a violation.

The Omnibus Rule

The Omnibus Rule strengthens both the Privacy Rule and the Security Rule. Its main purpose is to help implement the guidelines set by the other rules and to impose fines on covered entities that break either the Privacy Rule or the Security Rule.

An important part of the Omnibus Rule is the Breach Notification Rule.

The Breach Notification Rule

The Breach Notification Rule was created to require HIPAA covered entities to report breaches of protected health data. A breach is any impermissible use or disclosure of protected health data. When a covered entity discovers a breach of its healthcare data, it has to take the following steps to notify the affected individuals, the Secretary and the media.

  1. The covered entity must notify all individuals that were affected by the data breach by either letter or email.
  2. If the data breach affected more than 500 individuals, the covered entity must notify the media.
  3. Finally, the covered entity has to notify the Secretary.

Covered entities are also required to document that all required notifications have been completed following a healthcare data breach. These organizations must also have data breach policies in place that train employees on preventing and handling data breaches.

The Importance of a Complete and Detailed HIPAA Security Risk Assessment and Vendor Risk Management

With more covered entities storing protected health information electronically, it is important to fully understand where all of your organization’s healthcare data covered by the HIPAA Security Rule is located. This needs to be accomplished in your annual HIPAA Security Risk Assessment. If HHS investigates a data breach, it will review your risk assessment process.

If HHS determines that your organization has not adequately identified all locations where your healthcare data resides, your risk of higher fines will increase. Additionally, the importance of business associate agreements and the requirements placed on the key vendors who possess your data need to be clearly articulated, and perhaps even audited.

It is important that your organization has a high-quality vendor risk management program in place. By outsourcing certain aspects of your operations or information processing, you have not outsourced your responsibility for protecting that information.

Sound due diligence and clear expectations of your critical service providers need to be established, documented, and validated to demonstrate that you have taken the necessary steps to ensure your data is protected, regardless of whether it resides in your systems or your vendors’.

If you have any questions or would like to discuss this further, feel free to reach out to your local Blue & Co. advisor or Thomas Skoog.
