MCNA Dental
Dental Details  •  Monthly Provider Newsletter
Texas Edition  •  January 2020
Texas Provider Hotline
1-855-776-6262
 
Compliance with HIPAA Privacy and Security Rules/Laws
Your Practice

HIPAA compliance for your practice revolves around protecting the privacy and security of your patients' Protected Health Information (PHI). PHI is any information that can be connected to an individual's health condition. This includes information related to an individual's past, present, or future physical or mental health. It also includes the provision of health care to the individual, and past, present, or future payment for the provision of health care to the individual.

There are three distinct and separate regulations under HIPAA:

  1. Privacy Rule - sets national standards for when PHI may be used and disclosed.
  2. Security Rule - specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic PHI from circumstances such as disasters, hackers, and electronic theft.
  3. Breach Notification Rule - requires covered entities to notify affected individuals and the U.S. Department of Health & Human Services (HHS).

To comply with HIPAA regulations, it is essential to determine whether your practice is a covered entity. Covered entities are health plans, health care clearinghouses, and health care providers who transmit any health information in an electronic form. An example of this is emailing MCNA member dental records.

The HHS recognizes that covered entities range in size. The Security Rule is designed to be flexible and scalable, allowing you to analyze needs and implement appropriate security solutions according to your practice size and resources. It does not dictate the exact measures you should implement, but requires you to consider:

  • Your practice size, complexity, and capabilities;
  • Your technical, hardware, and infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of potential risks to electronic PHI.

The Office of the National Coordinator for Health Information Technology, the HHS Office for Civil Rights, and other federal agencies have developed a number of online resources that can help you better integrate HIPAA privacy and security into your practice. Visit https://www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers to explore these resources.

If you become aware of any unauthorized use or disclosure of Protected Health Information for an MCNA member, you are required to report such use or disclosure to MCNA within three business days of gaining such knowledge. You can report the breach to MCNA's Compliance and Privacy Officer via email at compliance_reporting@mcna.net. You can also call our Compliance Hotline at 1-855-683-6262.

Resources used in the creation of this article: