Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) mandates protecting the privacy and security of patients’ confidential health information, including when and with whom that information can be shared.
The HIPAA Privacy Rule, issued by the Department of Health and Human Services under the Act, regulates the use and disclosure of protected health information (PHI) in any form (verbal, written, or electronic, including email and file transfer) by health care providers, health plans, and health care clearinghouses, collectively known as covered entities. The HIPAA Security Rule specifically defines the administrative, physical, and technical safeguards that covered entities must apply to protected health information in electronic form (ePHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act (2009) and the HIPAA Omnibus Rule (2013) strengthen HIPAA's privacy and security rules, add breach notification requirements, and toughen the penalties for breaches of patient privacy and health information security.
Covered entities must remain in compliance with HIPAA's privacy and security standards even when they contract with vendors to perform some of their essential functions. In other words, your responsibilities and liabilities under HIPAA extend to all of your business associates: labs, billing offices, clinical services, and the like, as well as the providers of your cloud-based IT services. Each of these relationships must be governed by a written business associate agreement (BAA), and since the Omnibus Rule business associates are themselves directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.