An Introduction to the HIPAA Survival Guide
The HIPAA Survival Guide attempts a "forest from the trees" overview of both the HIPAA Privacy Rule and the HIPAA Security Rule. The genesis of these rules is covered in the HIPAA and HITECH Act Background section. This Survival Guide only targets a subset of Covered Entities, namely providers. Furthermore, the HIPAA Survival Guide focuses mostly on small providers, since this group will clearly be the most challenged by new laws and regulations, especially if their baseline understanding of HIPAA is lacking.
The HIPAA Survival Guide was developed as a collaborative effort between an attorney and a registered nurse, both licensed in the State of Florida. In addition, the authors, both individually and collectively, have significant technology experience. However, neither author had significant HIPAA experience prior to this effort, although both had compliance experience in other industries. For personal and professional reasons, the need arose to acquire a much deeper understanding of HIPAA, especially in light of the recent nationwide initiatives of the Obama administration regarding electronic health records.
We have made a serious effort to provide a "map of the territory." That somewhat modest objective, standing alone, was nearly all that we could chew. In short, we feel that we need to warn readers at the outset: be prepared to be overwhelmed. The HIPAA Survival Guide is not intended to be read in one sitting. We recommend that you proceed in manageable chunks. While the intent was to provide practical advice, building the map required covering significant terrain. HIPAA compliance is a serious matter, but for the sake of our own sanity (and yours) we attempted to interject a little humor along the way.
The privacy and security issues that HIPAA addresses are important public policy considerations, but having gone into the "belly of the whale" we also recognize the challenges providers face as they grapple with this immensely complex piece of legislation.
As a practical matter (i.e. as opposed to a question of law), HIPAA compliance exists along a continuum; this is the tension that almost always exists between "rule and reality." A simplistic way to describe this continuum is shown below:
Obviously, the further along you are in the continuum, the better your "good faith" legal argument becomes, if or when you are required to articulate one.
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.