Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US federal law that regulates the handling of patients' sensitive health information. Organisations that provide healthcare services in the US, and the vendors that create, receive, store or transmit protected health information on their behalf, need to comply with it.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is United States federal legislation. Under this Act, the Secretary of the U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of individually identifiable health information (protected health information, PHI) in any form, whether paper, oral or electronic. The Security Rule establishes the administrative, physical and technical safeguards that covered entities must apply to the subset of PHI they hold or transmit in electronic form (e-PHI).
- Application
- The Security Rule applies to "covered entities": health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with a HIPAA transaction, which includes pharmacies, radiology practices, laboratories and providers using electronic health record (EHR) systems. Since the HITECH Act of 2009 it also applies directly to "business associates", the vendors and service providers that handle e-PHI on a covered entity's behalf.
- Requirements
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
- Risk management of e-PHI
- Administrative safeguards: security management process (risk analysis and risk management), designated security personnel, information access management, workforce training and management, and periodic evaluation.
- Physical safeguards: facility access controls, and workstation and device security.
- Technical safeguards: access control, audit controls, integrity controls, and transmission security.
Non-compliance
Under the original 1996 statute, HHS could impose civil money penalties of up to $100 per violation, capped at $25,000 per year for violations of the same provision. The HITECH Act of 2009 replaced this with a four-tier structure based on the level of culpability, with annual caps per provision of up to $1.5 million (the amounts are adjusted for inflation each year). Anyone who knowingly obtains or discloses individually identifiable health information in violation of the Act faces a criminal penalty of up to $50,000 and up to one year of imprisonment. The penalty rises to up to $100,000 and five years where the offence is committed under false pretences, and to up to $250,000 and ten years where the intent is to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.
How our privacy team can help
At Tsaaro, our privacy team comprises experienced lawyers and InfoSec professionals. Together we ensure that your organisation is compliant with all applicable regulatory requirements and supported by the best possible technical and infrastructural controls. We provide personalised plans to our customers to build data protection by design and by default into their processes in a cost-efficient manner.
- Assess the applicable global personal data protection laws (regulatory assessment).
- Ensure data protection by design.
- Protect your organisation against hefty fines.
- Improve customer and investor trust in your organisation.