No one should compromise on health and safety, and this is what HIPAA ensures.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to provide patients with better access to their health information and to regulate its protection. Over the years, HIPAA has evolved to create data breach notification requirements and determine the entities it applies to.
If you work in healthcare, people often talk about HIPAA, but what is it, and how can you meet its requirements?
The Health Insurance Portability and Accountability Act (HIPAA) describes the proper use and disclosure of protected health information (PHI), how it should be secured, and what to do in the event of a breach. The Department of Health and Human Services (HHS) regulates HIPAA, while the Office for Civil Rights (OCR) enforces compliance.
When a complaint of non-compliance is filed against a healthcare organization, the OCR investigates the organization to determine whether the claims are true. If the organization is found to have violated HIPAA, fines and corrective actions may be imposed.
The HIPAA regulation consists of three main rules. The HIPAA Privacy, Security, and Breach Notification Rules provide guidelines for healthcare organizations to share information, protect sensitive patient information, and respond to and report a breach.
HIPAA Privacy Rule primarily focuses on using and disclosing protected health information. The use and disclosure of PHI are only permitted for specific reasons, such as treatment, payment, and healthcare. Any other use or disclosure requires prior written consent from the patient.
The HIPAA minimum standard also requires that access to PHI be restricted. Access to PHI should only be granted to employees who need it for their job. This access should also be limited to the information necessary to perform their job functions.
For example, an administrative assistant might need access to some patient information to schedule an appointment. This employee would likely need to know the patient's name, contact, insurance information, and in some cases, basic procedural information to determine the appointment's duration. They won’t need access to the full patient file.
Your Notice of Privacy Practices (NPP) must clearly outline how your organization uses and discloses patient information. It also should discuss patients' rights concerning their information. Patients should be provided with an NPP for review upon intake.
Patients' rights (HIPAA right of access) are also addressed in detail in the Privacy Rule. The HIPAA Right of Access standard requires healthcare providers to provide patients with access to their medical records upon request. Requested records must be made available to the patient within 30 days of the request. Patients also have the right to receive their records in the format they requested when applicable.
The HIPAA Security Rule requires that PHI's confidentiality, integrity, and availability be maintained. Essentially, this means that healthcare organizations must protect the privacy of PHI and prevent its alteration or destruction without authorization. HIPAA safeguards help achieve optimal data security.
HIPAA safeguards are administrative, technical, and physical measures taken to prevent unauthorized access, use, or disclosure of PHI.
Administrative safeguards are policies and procedures that provide employees with guidelines for properly using and disclosing PHI. They also outline HIPAA training and security risk assessment requirements for employees.
Technical safeguards are measures to protect electronic PHI (ePHI). Common examples of technical safeguards include encryption, user authentication, access controls, and audit controls.
Physical safeguards, such as locks and alarm systems, protect an organization's physical location.
The HIPAA Breach Notification Rule requires covered companies and business associates to report PHI breaches.
Not all incidents are breaches. Common examples of breaches include hacking incidents, unauthorized access to PHI, disclosure of PHI to an unauthorized party, theft or loss of paper records, and theft or loss of unencrypted portable electronic devices.
For example, theft or loss of an encrypted laptop is not a breach as the information cannot be accessed. If the information on the laptop wasn't secure and became accessible to unauthorized persons, it would be a breach.
Patient data breaches are mandatory to be reported. The breached organization must notify the affected patients in writing within 60 days of the discovery of the incident. Organizations must also report the breach to the Department of Health and Human Services (HHS).
If the incident affects fewer than 500 patients, organizations have up to sixty days after the end of the calendar year to report it to HHS. If the incident affects 500 or more patients, organizations must report it to HHS 30 days after discovery. Violations affecting 500 or more patients must also be reported to the media.
HIPAA protects patient information, known as Protected Health Information (PHI). PHI is defined as any individually identifiable health information associated with the past, present, or future provision of health care.
Electronically protected health information (ePHI) is PHI stored in an electronic format, such as on a laptop or in an electronic health records platform. ePHI must also be protected under HIPAA.
The Department of Health and Human Services (HHS) classifies protected health information into 18 unique identifiers. Each of the 18 identifiers is considered a PHI if it’s associated with the provision of health care services.
Source: Compliancy Group
The following are the 18 HIPAA identifiers:
A common misconception is that HIPAA applies when health information is accessed or disclosed. While HIPAA restricts the use and disclosure of PHI, HIPAA only applies to organizations involved in treatment, payment, or healthcare operations. These organizations are called "covered entities" and "business associates".
Organizations with the potential to access PHI or ePHI must be HIPAA compliant.
Covered entities include healthcare providers, insurance companies, and clearing houses. Doctors, dentists, mental health professionals, chiropractors, and health insurance providers are all covered entities.
Business associates are vendors contracted by a covered entity that may have access to PHI. Electronic health record (EHR) platforms, email service providers, online appointment schedulers, and managed service providers are common examples of business associates.
HIPAA compliance involves several steps. It’s rather a pass or fail. You’re compliant, or you’re not. You need to meet the requirements of each step to be HIPAA compliant and complete some of these requirements annually.
Source: Compliancy Group
Security Risk Assessments (SRAs) are essential to meeting your HIPAA requirements. To be HIPAA compliant, you must complete a HIPAA Security Risk Assessment annually. This is because SRAs measure your current protections against HIPAA standards. A gap occurs when your current work isn’t sufficient to meet HIPAA standards.
“Gaps” are deficiencies that can result in HIPAA breaches and violations. This is where remediation plans come into play. Remediation plans create actionable steps to close compliance gaps. To be effective, remediation plans must be specific, including what will be done to close the gap, who’s responsible for remediation, and a timeline for remediation.
Policies and procedures must be designed with the three HIPAA rules in mind. Policies and procedures should adapt to the type and size of an organization and be reviewed and updated annually to be effective.
Policies and procedures outline:
In the past, organizations have used HIPAA manuals for their policies and procedures. However, because HIPAA manuals are out of the box, they fail to address the nuances of how your organization operates.
Policies and procedures appropriate for a small medical practice may not be effective for a large hospital group, just as policies and procedures written for a covered entity may not be applicable to a business associate.
Employees with potential access to PHI or ePHI need to be trained annually. Training should include HIPAA best practices, an overview of your organization's policies and procedures, and cybersecurity best practices.
HIPAA advises that employees should be trained when they’re hired, so holding a training course once a year isn’t enough. A flexible HIPAA employee training program is essential to meet training needs.
Using an online training tool is the best way to achieve this. With an online training program, employees can be assigned training when needed, complete their training at their own pace, and administrators can track employee progress.
Tip: Using a standalone HIPAA training program can help you meet some HIPAA training requirements, but be sure that employees are also trained on your organization’s policies and procedures.
HIPAA business associate agreements (HIPAA BAAs) are legal contracts that must be signed between a covered entity and its business associate (or between two business associates). HIPAA BAAs should be signed before exchanging PHI or ePHI. Not every vendor is willing or able to act as a business associate; if the provider doesn’t sign a BAA, it cannot fulfill any business associate duties.
Let’s say you’re looking for an online appointment scheduler that allows patients to book their own appointments. You find a vendor that meets your administrative needs, but it doesn’t want to sign an affiliate agreement. You cannot contract with this provider for patient scheduling until they sign a BAA.
Part of HIPAA compliance is implementing a tested incident response plan. You can quickly identify, respond to, and report incidents with an incident response plan. Organizations with a tested incident response plan dramatically reduce the time it takes to recover from an incident while lowering its costs.
While many breaches result in HIPAA violations, the breach itself is never the reason a company is fined. HIPAA violations occur when an organization fails to comply with HIPAA standards. HIPAA fines may be imposed based on the severity of the violation.
Source: Compliancy Group
Common examples of HIPAA violations include failure to:
So, when would an organization be fined for a violation?
HIPAA fines are issued based on the level of perceived negligence.
Organizations found violating HIPAA are often subject to OCR monitoring and corrective action. Corrective action plans are developed by OCR upon completion of HIPAA violation investigations when organizations identify deficiencies. They’re designed to prevent further violations and incidents by aligning the organization's compliance program with HIPAA standards.
The Health Insurance Portability and Accountability Act should be a top priority for any organization involved in healthcare (covered entity or business associate). Simply put, to work in healthcare, you must be HIPAA compliant.
Without HIPAA, patient data is vulnerable to unauthorized use and disclosure. When a breach occurs, patients not only lose confidence in an organization's ability to protect their confidential information, but it can also result in HIPAA violations and costly fines.
By implementing an effective HIPAA compliance program that meets all HIPAA standards, you improve your overall security posture and reduce the likelihood of breaches and violations.
Patients are now more aware of HIPAA and their rights. HIPAA compliance gives them peace of mind that they can trust you with their sensitive information.
Privacy management doesn't end with obtaining one type of compliance. Know everything about data privacy management and keeping your organization secure.
Healthcare compliance can be complex and confusing. But you can simplify achieving and maintaining it with healthcare compliance software.
Whether you are a hospital, private clinic, ancillary health care services provider, or...
by Jasmine Lee
Do you know the current health of your compliance program?
by Lauren Pope
Data privacy can make or break your business.
by Robert Agar
