Comprehensive Compliance with HIPAA Part 164

Although HIPAA has been in effect for over two decades, compliance with the law is still not a straightforward task. Many still lack the appropriate measures applicable to their organisation or are unsure of how to comply with all of the HIPAA Rules set out in Part 164. Alyne's technology can facilitate this process, and offers a comprehensive mapping of Part 164 of the HIPAA regulation, covering the provisions of the HIPAA Data Privacy, Security Controls and Breach Notification Rules.

HIPAA Compliance

Although the Health Insurance and Accountability Management Act (HIPAA) was first enacted into law in 1996, compliance still remains an often challenging task, leaving many Covered Entities and Business Associates lacking the appropriate measures and still unsure of how to comply with all HIPAA Rules set out in Part 164. The law was designed to provide consumers with greater access to healthcare insurance, reduce fraud, protect the privacy and security of healthcare information and promote efficiency and standardisation within the sector. The HIPAA regulations apply to any Covered Entity that handles health or healthcare-related data, including financial clearinghouses, and any provider that uses or transmits Personal Health Information (PHI).

According to a report by Research and Markets, the global mobile health app market is expected to hit US$134.7 Billion by 2027. In fact, two-thirds of the world's largest hospitals offer mobile apps to their patients. With the rise of telehealth, the use and sharing of patients' Electronic Health Records (EHR) has increased, and with it the need for data security in the healthcare space.

The proliferation of digital technologies has changed the way that many healthcare providers operate. As efficiency and connectivity increased, so did the storage and transmission of key pieces of confidential health information, mandating an even greater need for the security and privacy of patients' information. HIPAA regulates the security, privacy and protection of Personal Health Information (PHI) held by the covered entities and third parties, and provides individuals with rights to understand and control how their health information is used or disclosed.

Alyne's Comprehensive Coverage of HIPAA Part 164

When working to achieve compliance with HIPAA, companies often focus exclusively on § 164 Subpart C (Security Standards). Technically, to ensure full compliance with HIPAA, Covered Entities also need to apply the rules set out in § 164 Subpart D (Breach Notification) and § 164 Subpart E (Privacy Aspects).

Alyne's coverage of HIPAA primarily focuses on Part 164 of the regulation, which covers the HIPAA Security and Privacy rules. The HIPAA Privacy Rule (Subpart E) focusses on allowed and prohibited uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) along with data subject rights. Additionally, the Security Rule (Subpart C) is the security standard for the protection of PHI, defining both technical and non-technical requirements for safeguarding health information.

HIPAA Privacy Rules

The HIPAA Privacy Rule (Part 164 Subpart E) focusses on the permitted and prohibited uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII), together with data subject rights. This covers medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.

HIPAA Security Rules

The HIPAA Security Rule (Part 164 Subpart C) is the security standard for the protection of electronic PHI (ePHI). This set of rules requires both technical and non-technical safeguards (administrative and physical) to ensure that ePHI is transmitted and handled in a secure and responsible manner.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule (Part 164 Subpart D) requires Covered Entities and their Business Associates to notify affected individuals and the media of a breach of unsecured PHI. Depending on its severity, where a data breach affects 500 or more individuals, the Secretary of Health and Human Services must also be informed no later than 60 days following the breach.

Technology can be a great facilitator to help simplify requirements, provide greater risk transparency, educate and train employees, and even act as a centralised source of data, alleviating pressure from the audit process. Are you interested in learning more about Alyne's capabilities and comprehensive mapping of Part 164 of the HIPAA regulation?

Download HIPAA Whitepaper here or speak to an Alyne Expert in your region.

Bayley Benton
