Data Security Regulatory Compliance
HIPAA
Health Insurance Portability and Accountability Act
Who Must Comply
Any organization that transmits Protected Health Information (PHI) in electronic form, which includes health plans, health care clearinghouses, and health care providers, must achieve HIPAA Law compliance.

What You Must Do
There are two major provisions that you must comply with:

A. HIPAA privacy rule: Effective April 14, 2003
Certain provisions of the privacy rule allow for “reasonable efforts” to be made in achieving HIPAA Law compliance with regard to the privacy of PHI. “Reasonable efforts” is a fuzzy concept, and large health care organizations must be aware that they will be held to a higher standard than smaller organizations.

1. Limit the acceptable uses and disclosure of PHI
2. Notify individuals of their rights under the HIPAA Law
3. Develop written policies and procedures relating to use and disclosure of PHI
4. Train each member of the work force concerning the HIPAA Law

B. HIPAA electronic data security rule: Effective April 21, 2005
This rule covers all PHI electronically maintained and transmitted.

1. Electronic PHI must be kept secure when at rest and in transit
2. Analyze security risks
3. Implement HIPAA procedures for each security standard
How You Must Do It
To retire IT assets, electronic media that contains PHI must have the PHI destroyed in such a manner that it “can not be practicably read or reconstructed.” Organizations must implement a procedure that minimizes any risk of lost electronic PHI. An organization's choices are either to perform proper data destruction in-house or to use a data destruction service. If the organization chooses to perform the data destruction in-house, it must have procedures in place to provide ongoing evaluation and maintenance of the process. If the organization decides to use a data destruction service, it must have a “Business Associates Contract” signed and “due diligence” documentation supporting the vendor’s data destruction service.
eraseyourharddrive.com