HIPAA has been around since 1996, but most people’s understanding is limited to a vague notion of protecting private information and having to constantly sign waivers when they check in for a doctor’s appointment. But the Health Insurance Portability and Accountability Act has far wider implications than just some extra signatures in the waiting room – it also represents a major opportunity for MSPs.
Although HIPAA’s original purpose was largely related to the ability to change jobs and health insurance without losing coverage or impacting medical care, the HIPAA Privacy and Security Rules are very relevant for the IT side of the house. Compliance with the privacy rules went into effect in 2003 – and with it the definition of Private Health Information (PHI) – and medical organizations became responsible for protecting “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
In 2005, HIPAA regulations got serious about “ePHI” (electronic versions of private health information), and organizations were now on the hook for adhering to additional safeguards specifically around the administrative, physical and technical aspects of patient data stored electronically. When the Final Omnibus Rule went into effect in 2013, organizations were truly on the hook for compliance and faced serious financial penalties for breaches. This turned the tide for medical organizations, as compliance became much less expensive than the potential fines they might face, not to mention criminal charges in more egregious cases.