The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has raised many questions around IT solutions that support healthcare initiatives. Although HITECH expanded the scope of HIPAA and set aside funds for enforcement, a true understanding of enforcement and guidance actions began with the most recent Omnibus Final Rule. As a result, more U.S. healthcare organizations are increasing their budgets for IT compliance-related initiatives than in previous years. Both the number of investigations and the dollar value of fines have jumped tremendously, exceeding millions of dollars. Some associated class action suits are asking for sums in the billions.
Simultaneously, while overall healthcare IT spending increases, covered entities and business associates face the challenges of meeting the HIPAA Omnibus Final Rule. These challenges include translating the requirements and determining risk within their organization, enforcing the expanded data privacy definitions, and establishing security enforcement strategies. Most importantly, those covered entities and business associates spend time and money to adjust policies, procedures, and administrative, technical and physical controls in order to reduce the probability of being fined.
All HIPAA covered entities and business associates must comply with security controls to safeguard PHI through the following due diligence efforts: