HIPAA Compliance and US FDA
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a set of standards introduced by the U.S. Congress consisting of rules governing protected health information (PHI), including Security, Privacy, Identifiers, and Transactions and Code Sets. It promotes the protection and privacy of sensitive PHI used within the healthcare industry. Two types of organizations regulated by HIPAA are covered entities and business associates.
Covered entities are defined in the HIPAA rules as follows:
- Health plans
- Health care clearinghouses (entities that process nonstandard health information received from another entity into a standard format (i.e., standard electronic format or data content), or vice versa)
- Health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies) who electronically transmit any health information in connection with transactions for which HHS has adopted standards
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate.
An organization's fulfilment of the HIPAA rules and regulations concerning privacy, security and breach notification is called HIPAA Compliance. This is mandatory documentation under US FDA medical device regulation for image processing and workflow station software regulated as a medical device.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
The documentation requirements include:
- Risk Analysis
- Continuity Plan
- Security Practices and Procedures
- Incident Response Plan (Breaches)
- Records Disposal Procedure for Electronic Media and Paper Records
- Employee Training Program
- Termination Procedures
- Audit Logs