HIPAA, also known as Public Law 104-191, has two main purposes:
- To provide continuous health insurance coverage for workers who lose or change their job.
- To reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions.
Other goals include combating abuse, fraud, and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
HHS expanded the act when it put the HIPAA omnibus rule in place in 2013 to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These guidelines concern the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016 clarifying that cloud service providers and other business associates of healthcare organizations are covered by the HIPAA privacy, security, and breach notification rules. HIPAA violations can prove quite costly for healthcare organizations. The HIPAA Breach Notification Rule within the omnibus set of regulations requires covered entities and any affected business associates to notify patients following a data breach. In addition to the notification costs, healthcare organizations can encounter fines after HIPAA audits mandated by the HITECH Act and conducted by the Office for Civil Rights. Providers could also face criminal penalties stemming from violations of the HIPAA privacy and security rules.
In 2010, the Federal Trade Commission extended the breach notification rule and its enforcement to healthcare organizations not covered by HIPAA, including vendors of electronic health records (EHRs) and EHR-related systems. OCR undertook its first round of HIPAA audits of healthcare organizations in 2012 and 2013. Those pilot audits carried no fines or penalties.
A considerably wider, formal round of desk and in-person audits of about 200 covered entities and business associates began in 2016 and continued into 2017. These audits were expected to carry fines or corrective action plans. OCR further strengthened the HIPAA security rule in 2016 by releasing a crosswalk between the security rule and the National Institute of Standards and Technology's Cybersecurity Framework, intended to help organizations identify cybersecurity gaps and align HIPAA with national cybersecurity standards.
Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR has six educational programs on complying with the privacy and security rules. A number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often cover each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management processes, and other applicable guidelines.
While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.