Ever Heard of HIPAA?


We all know that “Health is wealth” and strive hard to stay fit and healthy.

Relax, I am not writing this blog to provide ways and tips on “How to be Healthy”.

Instead, I want to focus on the surge of health apps and wearables in the market and on a major compliance regime, called HIPAA, that most of these apps have to abide by.

Ever Wondered What HIPAA means?

Many of you will have been puzzled by the term HIPAA, which usually appears in the description of health apps available in the app stores. Let me introduce you to this strange-sounding acronym.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a United States federal law that, among other things, sets data security and privacy requirements for protecting medical data.

HIPAA does the following:

  • Provides the ability to transfer or continue health insurance coverage for many American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Establishes industry-wide standards for health care information used in electronic billing and other processes;
  • Requires the protection and confidentiality of protected health information (PHI).

HIPAA sets the standard for protecting sensitive patient data. Any organization that handles protected health information (PHI) must ensure that the required administrative, physical and technical safeguards are in place and actually followed.

This applies to:

Covered entities (CEs): health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with treatment, payment or health care operations.

Business associates (BAs): organizations or individuals that create, receive, maintain or transmit PHI on behalf of a covered entity, for example a cloud hosting provider, a billing service or an app developer that stores patient data.

How Can Organizations Reduce the Risk of Regulatory Action?

Organizations can reduce the risk of regulatory action by training their employees on HIPAA compliance. The OCR (the Office for Civil Rights within the Department of Health and Human Services, which enforces HIPAA) has six educational programs on complying with the Privacy and Security Rules; a number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which typically cover the organization’s current HIPAA privacy and security policies, the HITECH Act, mobile device management processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

HIPAA Privacy Rule and Security Rule

The HIPAA Privacy Rule governs the storage, access and disclosure of an individual’s medical and personal information in any form. The HIPAA Security Rule is narrower: it sets national standards for protecting health data that is created, received, maintained or transmitted electronically, known as electronic protected health information (ePHI).

What to Expect from a HIPAA Compliant Hosting Provider

If you host your data with a HIPAA compliant hosting provider, the provider must have certain administrative, physical and technical safeguards in place, as defined by the U.S. Department of Health and Human Services. The physical and technical safeguards are the ones most relevant to the services a hosting provider delivers, and they are listed below along with what they mean for a HIPAA compliant data center.

  • Physical safeguards include limited facility access and control, with authorized access procedures in place. All covered entities, that is, companies that must be HIPAA compliant, must have policies about the use of and access to workstations and electronic media. This includes transferring, removing, disposing of and re-using electronic media that holds electronic protected health information (ePHI).
  • Technical safeguards require access controls that allow only authorized users to reach ePHI. Access control covers four specifications: unique user IDs (so every action can be traced to one person), an emergency access procedure, automatic log-off, and encryption and decryption. Note that automatic log-off and encryption are “addressable” rather than “required” specifications: an entity must either implement them or document why an equivalent alternative is reasonable and appropriate. In practice, any hosting provider worth using implements both.
  • Audit controls, meaning tracking logs, must be implemented to record activity on hardware and software that touches ePHI. These are what let you pinpoint the source or cause of a security violation, so the logs themselves must be protected from tampering and retained.
  • Technical policies must also cover integrity controls, meaning measures that confirm ePHI has not been improperly altered or destroyed. Disaster recovery and off-site backup are key to ensuring that media errors or failures can be remedied quickly and that patient health information can be recovered accurately and intact.
  • Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts; it protects ePHI against unauthorized access while in transit. This applies to every transmission path, whether email, the public Internet, or a private network such as a private cloud.
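To make the technical safeguards above concrete, here is a small Python example (added here; it is not code from the original post or from any hosting provider) that ties three of them together: an HMAC-SHA256 tag as an integrity control on each stored ePHI record, a hash-chained append-only audit log so that edits or deletions of log entries are detectable, and a session object with an idle timeout for automatic log-off. The integrity key, the 15-minute timeout, the user ID and the patient records are all constructed for the example; a real deployment would keep the key in a KMS or HSM and take the timeout from policy.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: a real deployment keeps the key in a KMS/HSM,
# never in source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"
# Assumed policy value for the automatic-logoff safeguard (seconds of idle time).
IDLE_TIMEOUT_SECONDS = 15 * 60
GENESIS = "0" * 64  # "previous hash" for the first audit entry


def _canonical(obj) -> bytes:
    # Canonical JSON so the same record always serializes (and hashes) the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict) -> dict:
    """Integrity control: bind an HMAC-SHA256 tag to the ePHI record at rest."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Audit control: append-only, hash-chained log. Each entry commits to the hash
    of the previous entry, so editing or deleting any entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, ts: int, user_id: str, action: str, record_id: str, outcome: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Walk the chain from the genesis value; any broken link returns False."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class Session:
    """Access control: a unique user ID plus last-activity time for automatic log-off."""

    def __init__(self, user_id: str, started_at: int):
        self.user_id = user_id
        self.last_activity = started_at

    def is_expired(self, now: int) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS


def access_record(session: Session, store: dict, log: AuditLog,
                  record_id: str, now: int) -> Optional[dict]:
    """Read an ePHI record through the safeguards: the session must be live, the
    record's integrity tag must verify, and every attempt (success or not) is audited."""
    if session.is_expired(now):
        log.append(now, session.user_id, "read", record_id, "denied:session-expired")
        return None
    session.last_activity = now
    sealed = store.get(record_id)
    if sealed is None:
        log.append(now, session.user_id, "read", record_id, "denied:not-found")
        return None
    if not verify_record(sealed):
        log.append(now, session.user_id, "read", record_id, "denied:integrity-failure")
        return None
    log.append(now, session.user_id, "read", record_id, "ok")
    return sealed["data"]


if __name__ == "__main__":
    # Constructed sample data; not real patient information.
    store = {"rec-1": seal_record({"patient": "P-0001", "dx": "J45.20"})}
    log = AuditLog()
    s = Session("dr.jones", started_at=1_000)
    print(access_record(s, store, log, "rec-1", now=1_100))   # record is returned
    store["rec-1"]["data"]["dx"] = "Z00.00"                     # tamper with the record at rest
    print(access_record(s, store, log, "rec-1", now=1_200))   # None: integrity failure is logged
    print(log.verify_chain())                                   # True: the audit trail is intact
```

The point of the design is that the three controls reinforce each other: a tampered record is refused rather than silently served, the refusal is itself recorded with the unique user ID that attempted the read, and because the log is hash-chained an attacker who can modify the record cannot also quietly remove the evidence without breaking `verify_chain()`. This example does not cover encryption at rest or transmission security; those belong to the storage layer and TLS configuration respectively.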

Another act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, was passed in 2009. It strengthens enforcement of HIPAA by raising the penalties for health organizations that violate the Privacy and Security Rules, makes business associates directly liable for complying with the Security Rule, and introduced the requirement to notify affected individuals (and HHS) of breaches of unsecured PHI. The HITECH Act was a response to the growth of health technology and the increased use, storage and transmission of electronic health information.

I hope that after these five minutes HIPAA is no longer an alien term, and that the next time you read or hear about it you will understand and appreciate its significance to the health tech industry and its consumers.

Let me end with a useful insight: by 2017 the mobile health app market is forecast to reach 26 billion dollars, the key driver being the world’s aging population and its growing need for medical care. Healthcare companies should not wait any longer, but should join hands with technology and help make the world healthier through a plethora of easy-to-use health apps, built with HIPAA compliance in mind from the start.
