The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It mandated that DHHS draft specific regulations to facilitate compliance with the law's provisions (Administrative Simplification; Privacy; Security; Unique Identifiers; etc.).
All HIPAA compliance efforts should be documented and memorialized in some fashion.
Covered Entities include those healthcare providers, health plans, and healthcare clearinghouses that transmit information electronically, in accordance with the Electronic Transactions Standard. Once deemed "covered," these entities are subject to the Privacy and Security regulations, regardless of the form of the "protected health information."
HIPAA is TECHNOLOGY-NEUTRAL: No specific technology is required for compliance, and the regulations were drafted to be scalable to each covered entity's individual needs.
Third parties (vendors, industry partners, business associates, etc.) are not directly regulated under HIPAA (unless they are also "covered entities"). The burden falls on the "covered entity" to obtain assurances that third parties with access to protected information will maintain the appropriate levels of privacy and security.
No private right of action exists under the HIPAA Regulations. However, state law claims (breach of privacy, breach of duty, negligence, etc.) may be bolstered by evidence of non-compliance with the Federal Regulations.
Organization-wide education is crucial to compliance efforts. Don't underestimate the power of adequate and appropriate training.
Keep track of compliance dates and implementation deadlines. Because of the dynamic nature of the regulations, this specific task should be assigned to someone in each organization. Keeping up to date with the changes and proposed modifications will also be a good measure of the industry response to the regulations, and may provide guidance with respect to implementation efforts.
Seek inter-industry assistance with compliance efforts. Compliance efforts should include internal assessments, regardless of outside assistance. Achieving compliance will require more than outside "certification"; it is an organization-wide effort. Seeking compliance and implementation assistance may be helpful, but such measures will serve limited purposes. An "internal" understanding, and the practical application and use of policy and process modifications, will require internal change. Compliance efforts should, however, include industry partners with respect to acquiring knowledge, training and, where appropriate, technology and additional assistance.
HIPAA does not necessarily preempt state laws. The regulations were drafted to work in conjunction with State Privacy and Security Laws/Regulations. More stringent state privacy and security laws will remain in effect. Seek assistance from internal or outside counsel to avoid redundant and unnecessary compliance efforts, and to ensure proper measures are taken to achieve compliance with the Federal Regulations.