Who is required to comply with HIPAA laws? The HIPAA law applies directly to these groups, called covered entities. Covered Entities include Healthcare Providers, Health Plans, and Business Associates.

So what's a Covered Entity? A Covered Entity is any provider of medical or other health services, or a person that has PHI (also known as Protected Health Information). They are Healthcare Providers, Health Plans, and organizations and individuals that provide bills or are paid in connection with services in the normal course of business.

What is a Health Plan? A Health Plan is any individual or group plan that provides or pays the cost of healthcare, such as an HMO, insurance company, Medicaid, or Medicare.

What is a Business Associate? A business associate is any company or individual with direct or incidental access to PHI in support of your business. Business associates are required to have risk assessments, training, policies and procedures (which we call the book of evidence), just like covered entities. They are required to notify covered entities of any potential and active data breaches to ensure and protect PHI at all times.
In this lesson, we'll go over who's required to comply with HIPAA laws and the group the law directly applies to – covered entities. You may notice a bit of overlap from the lesson – What is HIPAA. Not to worry; it's all part of the secret sauce. Repetition is how we learn.
Covered entities include:
A covered entity is any provider of medical or other health-related services, or a person that has access to protected health information. Examples include healthcare providers and health plans, but also organizations and individuals that provide billing services or are paid in connection with these services in the normal course of doing business.
A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare.
A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place:
Examples of business associates include:
Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity – known as a Business Associate Agreement (BAA).
At the end of the last lesson, we took a look at some guidelines and best practices for protecting PHI during communications, whether they be written, spoken, or electronic. In this section, we're going to tackle workstation use and workstation security and provide you with some guidelines for keeping them safe and secure.
Along with workstation use and workstation security, there are two other standards when it comes to HIPAA's Physical Safeguards for protecting PHI – facility access controls and device and media controls. (Which we'll likely address in detail at another time.)
HIPAA's Security Rule defines Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
The HIPAA Privacy Rule defines a workstation as any "electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment."
Inappropriate use of workstations increases a covered entity's risk, including risks pertaining to virus attacks and other breaches. To comply with the workstation use standard, HIPAA requires all covered entities to:
"Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information."
It should be noted that this workstation use standard also includes remote work environments – any work from a remote location (home, travel, satellite office) – where employees have access to ePHI.
Workstation security is another standard that has been put in place to better protect PHI. This standard requires covered entities to:
"Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users."
So, what are some safeguards or guidelines that will help protect PHI and ePHI at workstations? What a well-timed question.
To help protect PHI at workstations, consider implementing the following strategies: