Security and compliance requirements for healthcare IT are complex and constantly evolving. To meet them, healthcare practices and organizations must understand two important acronyms—HIPAA and HITRUST—including what they mean, how they impact each other, and how they affect the IT decisions you make.
All that makes it difficult for provider organizations to fully understand what they need to do to mitigate security risk. But the stakes are high. Without the proper systems in place, healthcare organizations may be exposed to security breaches or noncompliance with industry standards. Penalties can be directed at providers, the organization, and even individuals who have responsibility for the organization’s security policies and practices. What’s more, the impact of bad press and loss of patient trust may never be fully recoverable. Unfortunately, many providers still struggle to create and maintain effective risk-mitigation policies and procedures. For resource-constrained healthcare IT departments, an additional challenge is to understand the requirements and implement them with an IT strategy that is also affordable, manageable, and scalable over time. A first step is to be aware of security requirements and resources available to address them. HIPAA and HITRUST are two important acronyms to understand, including what they mean, how they impact each other, and how they impact the IT decisions you make.
The Health Insurance Portability and Accountability Act (HIPAA) enacted by Congress in 1996 was designed to help healthcare providers effectively transmit health information and claims data. The law gives patients control over who can be given access to or share their personal information and includes privacy and security requirements for electronic information sharing. HIPAA defines standards for organizations to safeguard patient data as well as repercussions if those organizations fail to do so. That means that healthcare providers, health plans, healthcare clearing houses—as well as business associates of HIPAA-covered entities—must implement safeguards to protect patients’ sensitive personal health information (PHI).