Recently we’ve talked about HIPAA’s rules and the general security practices every healthcare IT team should adopt. But while HIPAA has been around for almost twenty years, some healthcare IT professionals are still unclear about its impact on their organizations.

This isn’t a surprise when you consider that HIPAA initially lacked strong directives. While it contained some good wisdom on protecting the privacy of health and medical information, as a whole it wasn’t that actionable until HITECH was created in 2009 and put the Office for Civil Rights (OCR) in charge of enforcing it. The OCR published audit protocols, and last year the Omnibus Rule clarified some aspects based on HITECH audit findings.

There’s no doubt that these recent changes have been helpful. Still, when it comes to understanding the nuts and bolts of how HIPAA directly impacts operations, many organizations have questions.

Your Organizational Impact

One of the most frequent questions healthcare IT professionals ask is, “So what part of my organization is affected by HIPAA?” The answer is: all of it.

That might not be what you want to hear, but it’s the truth – and it’s important to know. Your entire organization is impacted by HIPAA policies and requirements. We talked earlier about the Security, Privacy and Breach Notification Rules, for instance. Think about how those influence your daily operations and you’ll understand how extensive and wide-reaching HIPAA requirements can be.

Start with accounting, for instance, and the sensitive billing and medical information that passes through that department, from diagnostic codes to procedure information. HR and internal communications teams will need to be involved in developing and launching compliance policies and training programs, and customer service representatives will likely handle regulated data. Records retention will be important as well.

Even your marketing team is influenced by HIPAA. The Federal Trade Commission (FTC) has specific rules on what can and can’t be said in marketing and communications, such as guidelines designed to combat deceptive advertising and false claims. In fact, it’s hard to think of any staff, from a front desk clerk to an accountant, who won’t need to follow correct compliance procedures in the course of their duties.

And that’s just internally. Don’t forget about your third-party providers, known as Business Associates (BAs) in the world of HIPAA. Your providers must meet the same requirements and protect data with the same safeguards – physical, technical and administrative. In short, HIPAA compliance is not just a legal issue or a security issue; it permeates your entire organization.

Getting a Grip on HIPAA Compliance

At this point, the thought of HIPAA compliance might feel a little overwhelming. The good news is that there are a lot of helpful tools that can walk you through the right steps. My first suggestion is to think about working with an experienced consulting firm that understands HIPAA and can map out a smooth road to compliance. My second is to explore the abundance of online resources – specifically, the main Health and Human Services site, the OCR audit protocols, and resources on HITRUST and HIPAA.

My last suggestion is to check out our webinar on HIPAA Compliance 101 – Part 1, where we talk about the history of HIPAA and the Rules in greater detail.