What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law whose Privacy, Security and Breach Notification Rules protect individually identifiable health information, known as protected health information (PHI). PHI includes what a patient discusses with their provider about diagnosis or treatment, any medical record the healthcare provider creates or stores, and patient billing and payment information, in any form, whether spoken, on paper or electronic.
Who is affected by HIPAA?
HIPAA applies to covered entities and to their business associates. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for standard transactions such as claims and eligibility checks. Business associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, including any provider of storage, hosting or IT services whose work gives them access to PHI or to the systems that hold it. Business associates are directly liable for complying with the Security Rule and must sign a business associate agreement (BAA) with the covered entity; their own subcontractors who handle PHI are business associates as well.
How can GhostVolt help towards compliance?
Encryption of PHI at rest and in transit is one of the technical safeguards named in the HIPAA Security Rule. It is an "addressable" implementation specification rather than a "required" one, which does not make it optional: an organization that chooses not to encrypt must document why encryption is not reasonable and appropriate for its environment and implement an equivalent alternative. In practice, encryption is also what takes an organization out of the breach notification process. Under HHS guidance, PHI that was encrypted in line with NIST standards counts as "secured", and the loss or theft of secured PHI is not a reportable breach, provided the decryption keys were not exposed along with the data. GhostVolt provides a storage solution in which data is encrypted at all times and access is managed at a per-user level, which helps an organization satisfy the Security Rule's encryption and access control provisions. It is one part of a compliance program, not the whole of it: the Security Rule also requires administrative safeguards such as risk analysis and workforce training, as well as technical controls like audit logging.
What are the penalties of non-compliance?
Penalties for non-compliance with HIPAA can be severe. Civil money penalties are organised in four tiers based on the level of culpability, from a violation the organization did not know about and could not reasonably have avoided up to wilful neglect that is not corrected. Under the HITECH Act the penalty ranges from $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of the same provision; the dollar amounts are adjusted for inflation each year, so the current figures are higher. Knowing misuse of PHI can also be prosecuted as a criminal offence by the Department of Justice, with fines and up to ten years' imprisonment depending on the intent behind the infraction.
How does HIPAA handle healthcare data breaches?
The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces the HIPAA Privacy, Security and Breach Notification Rules. Under the Breach Notification Rule, a covered entity that discovers a breach of unsecured PHI must notify the affected individuals without unreasonable delay and no later than 60 days after discovery, and must report the breach to HHS (at the same time for breaches affecting 500 or more individuals, and in an annual log for smaller ones). Breaches affecting 500 or more individuals must also be reported to prominent media outlets, and a business associate that discovers a breach must notify the covered entity. OCR investigates breach reports and complaints, determines whether and how the organization violated HIPAA requirements, and can then require a corrective action plan, impose civil money penalties, or refer cases involving knowing misuse of PHI to the Department of Justice for criminal prosecution.
What are my main responsibilities under HIPAA?
HIPAA's main rules are the Privacy Rule, the Security Rule and the Breach Notification Rule, and an organization with access to PHI is required to comply with all of them. The Privacy Rule sets national standards for when PHI may be used and disclosed and gives patients rights over their records; it applies to PHI in any form. The Security Rule applies to electronic PHI and requires administrative, physical and technical safeguards, starting with a documented risk analysis and including access controls, audit controls, integrity controls and transmission security. Encryption of PHI deserves particular attention among these controls: it is an addressable specification under the Security Rule, and a breach of PHI that was encrypted consistent with HHS guidance falls under the breach notification safe harbor and does not need to be reported, as long as the encryption keys were not compromised as well.