HIPAA Requirements
The requirements for HIPAA are expansive, but the major requirements fall into the categories below:
- Administrative Safeguards - Administrative actions, including policies and procedures, to manage the selection, development, implementation, and maintenance of security measures that protect electronic health information and manage the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical Safeguards - Physical measures, including policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical Safeguards - Technology and the related policy and procedures to protect and control access to electronic protected health information.
The HITECH Act has expanded the reach and scope to include:
- Breach Notification - Establishment of a Federal breach notification requirement for health information that is not encrypted or otherwise made indecipherable. It requires that an individual be notified if there is an unauthorized disclosure or use of their health information.
- Audit Trails - Providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record.
- Patient Information Authorization - Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual's health information without their authorization. It also requires that providers obtain authorization from a patient in order to use their health information for marketing and fundraising activities.
- Enforcement - Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.