About This Page
A Brief Time-Line of HIPAA
HIPAA (Health Insurance Portability and Accountability Act) was created. It was written as a foundation for the protection of consumers' private health information and was purposely vague to allow the law to develop.
The Privacy Rule was added. This defined PHI (Protected Health Information) and set out the civil and criminal penalties for non-compliance.
The Security Rule was added. This defined the framework for ePHI (electronic Protected Health Information), which was very confusing to covered entities (CEs), many of whom did not have dedicated IT staff.
The HITECH Act (2009) and the HIPAA Omnibus Final Rule (2013) were added. The Affordable Care Act (ACA) put funding and 'teeth' into HIPAA, which due to confusion had been mostly ignored. HITECH and the HIPAA Omnibus Final Rule provided funding to increase HIPAA enforcement and to create incentive programs for CEs to switch to government-standardized Electronic Health Records (EHR) systems. Further, these laws defined Business Associates (BAs): anyone providing a service to a CE that may or may not come into contact with a PHI or ePHI record must also be able to prove HIPAA compliance for the systems and processes they run to service the CE.
The Audit Program Protocol was developed. The Office for Civil Rights (OCR), in conjunction with the United States Department of Health and Human Services (USHHS), worked to develop an audit protocol that they will use to verify compliance. In April 2013, the protocol was released to the public. As of October 2014, the audit program contains 169 items to audit (40 are categorized as required, 27 as addressable, and 102 are listed as n/a because it is not yet known how CEs and BAs are doing with these).
A pilot program was run to conduct and test the audit protocol. 66 percent of the CEs failed to perform a comprehensive, accurate security risk assessment; the most commonly stated reason was that they were unaware of the requirements. Smaller healthcare providers, mainly ones without dedicated staff dealing with HIPAA and without IT staff working to fix issues, made up the majority of those that failed during the pilot program.
The real audits started. Most CEs that were targeted were caught unexpectedly and violations were found. Most have settled. Smaller CEs are next, and then it's on to Business Associates. Are you ready?