What Is HIPAA Compliance?
…and how can we help?
What is HIPAA Compliance?
HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a set of regulations that specify how and when protected health information (PHI) may be used and disclosed. The Office for Civil Rights (OCR) enforces HIPAA compliance, while the Department of Health and Human Services (HHS) regulates it.
To support HIPAA compliance across the healthcare industry, the OCR regularly issues guidance on emerging issues affecting the industry and investigates frequent HIPAA violations.
All companies that use, store, or transmit PHI are legally obligated to comply with the standards set forth in HIPAA.
What is Protected Health Information?
Protected Health Information, or PHI, refers to any information that relates to an individual’s health status, medical history, or treatment. This sensitive and private data includes records of doctor visits, prescription drug details, lab test results, insurance information, and other personally identifiable information. PHI matters so much because it is both strictly regulated by privacy law and essential to patient care and healthcare operations. PHI covers all information within a patient’s medical record that can personally identify them and that was created, used, or shared during diagnosis or treatment.
Examples of Protected Health Information:
• Name
• Address
• Dates related to the individual (birthdate, date of death, date of service, etc.)
• Telephone Number
• Fax Number
• Email Address
• Social Security Number
• Medical Record Number
• Health Plan Number
• Patient Account Number
• License Number
• Vehicle Information
• Medical Device Identifiers or Serial Numbers
• Website URLs
• IP Addresses
• Biometric Identifiers
• Photos including the Patient’s Face
• Any Other Unique Identifiers
What is ePHI?
PHI that is created, stored, transmitted, or received electronically is known as electronic protected health information, or ePHI. How ePHI must be protected is governed by the HIPAA Security Rule.
ePHI rules apply to data held on storage media and to data in transit, such as:
• Personal Computers with Internal Hard Drives
• External Portable Hard Drives
• Magnetic Tape
• Removable Storage Devices (USB, CD, SD Cards, etc.)
• Smartphones and PDAs
• Email
• File Transfers
The HIPAA Privacy Rule
The HIPAA Privacy Rule grants patients rights over the PHI kept by Covered Entities (CEs), establishes federal safeguards for that information, and instructs healthcare companies on how to protect PHI. The Privacy Rule permits PHI to be shared in connection with patient treatment, but it also imposes stringent requirements on keeping that data secure and intact while it is being processed or maintained. The Rule calls for extensive administrative, physical, and technical safeguards to guarantee that the confidentiality, integrity, and availability of PHI are appropriately preserved, and organizations must take concrete steps to provide all three.
Safeguards include, but are not limited to:
• Data Encryption
• Firewalls
• Antivirus Software
• IDS (Intrusion Detection Systems)
• Regular Backups
Restricting PHI access is also a requirement of HIPAA. Applying the principle of least privilege, employers should limit access to only those staff members who need it to carry out their responsibilities. Access controls are necessary to stop unauthorized people from using or accessing PHI. Organizations should also have policies and procedures in place for granting and revoking access privileges in accordance with job duties.
Handling PHI properly is also very important. Workers should receive training on handling PHI safely in both electronic and hard-copy form. This includes guidance on creating strong passwords and on reporting data breaches immediately. Regular training sessions keep employees up to date on best practices and reinforce them.
HIPAA Data Storage & Cloud Storage
HIPAA regulations treat firms that store PHI as Business Associates (BAs). The law covers both digital and physical data storage, so cloud storage providers are still considered BAs even if they sporadically, irregularly, or never view or examine the ePHI they keep.
Business Associate Agreements (BAAs) are required before CEs and BAs may work with HIPAA data and cloud storage services. A solid BAA should outline the technical, administrative, and physical measures that will be used to preserve the integrity of PHI, in addition to clearly defining liability in the event of a HIPAA data breach.
What Companies Need to Be HIPAA Compliant?
HIPAA regulations identify two kinds of organizations that must be HIPAA compliant.
1. Covered Entities (CE): According to HIPAA regulations, any organization that generates, gathers, or transmits PHI electronically is considered a covered entity. Health care providers, clearinghouses, and insurers are among the healthcare organizations that fall under the definition of covered entities.
2. Business Associates (BA): According to HIPAA regulations, any company that comes into contact with PHI while performing services it has been hired to do on behalf of a covered entity is considered a business associate. Because so many different types of service providers may handle, transmit, or process PHI, there are many examples of business associates. Billing companies, practice management companies, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more are typical examples of business associates that are subject to HIPAA regulations.
HIPAA Rules and Regulations
1. HIPAA Privacy Rule: The HIPAA Privacy Rule establishes national standards for patients’ rights to their PHI. Business associates are not covered entities under the HIPAA Privacy Rule. The Privacy Rule specifies a number of requirements, such as the rights of patients to access PHI, the rights of healthcare professionals to refuse access to PHI, the information contained in Use and Disclosure HIPAA release forms and Notices of Privacy Practices, and more. The company’s HIPAA Policies and Procedures must document these regulatory requirements. Every year, all staff members must receive training on these policies and procedures and sign a formal attestation.
2. HIPAA Security Rule: The HIPAA Security Rule establishes national standards for the secure handling, maintenance, and transmission of ePHI. Because ePHI may be shared between them, the HIPAA Security Rule applies to both covered entities and business associates. Any healthcare company that wants to protect electronic patient health information must have the physical, administrative, and technical safeguards outlined in the Security Rule in place. The organization’s HIPAA Policies and Procedures must document the rule’s requirements. Annual staff training on these policies and procedures is required, along with a formal attestation.
3. HIPAA Breach Notification Rule: In the event of a data breach involving PHI or ePHI, covered entities and business associates must follow the set of requirements known as the HIPAA Breach Notification Rule. The Rule specifies different reporting requirements depending on the extent and magnitude of the breach. Organizations must report all breaches, regardless of size, to HHS OCR; however, the specific reporting procedures vary with the kind of breach.
4. HIPAA Omnibus Rule: In addition to setting out the regulations governing Business Associate Agreements (BAAs), the HIPAA Omnibus Rule requires business associates to comply with HIPAA. Before ANY PHI or ePHI is transferred or communicated, a business associate agreement (BAA) must be signed by the covered entity and the business associate, or by the two business associates.
HIPAA Compliance Requirements
HIPAA regulations create a set of standards that Covered Entities and Business Associates must address.
1. Audits: HIPAA requires that CEs and BAs conduct annual audits of their organization to assess administrative, technical, and physical gaps.
2. Remediation Plans: Once gaps are identified, a remediation plan must be implemented to address those gaps. A proper remediation plan will include dates to indicate the completion of remediation.
3. Policies and Procedures: The HIPAA Rules specify the Policies and Procedures that covered entities and business associates must create in order to comply with the HIPAA regulatory standards. These policies and procedures must be revised regularly as the organization changes. Annual staff training on them is mandated, together with a documented employee attestation confirming that staff members understand and are familiar with all of the organization’s policies and procedures.
4. Documentation: HIPAA requires that organizations document their efforts in becoming compliant. This documentation must be available and present during a HIPAA investigation or audit.
5. Business Associate Management: To ensure PHI is handled securely and to reduce liability, covered entities and business associates must both establish and execute Business Associate Agreements with any vendors with whom they exchange PHI. BAAs must be reviewed every year to account for changes in the organization’s vendor relationships. No PHI may be shared until the BAA has been completed.
6. Incident Management: In line with the HIPAA Breach Notification Rule, a covered entity or business associate that experiences a data breach must have a procedure in place to record the incident and alert patients to the compromise of their data.
Seven Elements of an Effective Compliance Program
The Seven Elements of an Effective Compliance Program were developed by the HHS Office of Inspector General (OIG) to provide direction to enterprises when developing their own compliance programs or vetting compliance solutions.
1. Implementing written policies, procedures, and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
What is a HIPAA Violation?
Any compromise of the integrity of PHI or ePHI resulting from a failure of an organization’s compliance program is considered a HIPAA violation. A data breach is not the same as a HIPAA violation, and not every data breach breaks HIPAA law. A breach is considered a HIPAA violation when an organization’s HIPAA policies are directly violated or when the breach results from an ineffective, out-of-date, or inadequate HIPAA compliance program.
What Are Common HIPAA Violations?
Here are a few frequent reasons for HIPAA violations:
• Lost or Stolen Computer
• Lost or Stolen Phone
• Lost or Stolen Portable Data Storage Device (ex. USB or flash drive)
• Malware Attack
• Ransomware Attack
• Hacking
• Breach of Business Associate
• EHR Breach
• Break-in at Physical Office
• Sending PHI to the Wrong Patient / Authorized Provider / Authorized Contact
• Discussing PHI outside of the Office
• Social Media Posts disclosing PHI
HIPAA Violations commonly fall into these categories:
1. Use and Disclosure – A Use and Disclosure violation occurs when a covered entity or business associate improperly distributes PHI or ePHI to an incorrect party.
2. Improper Security Safeguards – An Improper Security Safeguard violation occurs when the standards of the HIPAA Security Rule are not adhered to.
3. The Minimum Necessary Rule – The Minimum Necessary Rule applies the standard of Least Privilege: each employee should be granted only as much access to PHI as is needed to perform the task at hand.
4. Access Controls – An organization with sufficient Access Controls limits who within the organization can access PHI.
5. Notice of Privacy Practices – Covered entities must have a Notice of Privacy Practices available for patients to review and agree upon.
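The least-privilege access restriction described in the Privacy Rule section and the Minimum Necessary Rule and Access Controls categories above, shown as an added Python example that is not code from HIPAA Consulting Group or from any HIPAA rule text. The roles, the role-to-field policy, the field names, and the sample patient record are all constructed assumptions.

```python
"""Minimum-necessary, default-deny access to a patient record with an audit trail.

Added illustration only (constructed policy, roles, and record); not from HIPAA
Consulting Group or any HIPAA rule text.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: the PHI fields each job role needs to do its work.
# Any field not listed for a role is withheld, so the default is deny.
ROLE_FIELDS = {
    "treating_clinician": {"name", "date_of_birth", "diagnoses", "lab_results", "medications"},
    "billing": {"name", "date_of_birth", "health_plan_number", "patient_account_number"},
    "front_desk": {"name", "telephone_number", "email_address"},
}

# Constructed sample record using several identifier types from the PHI list above.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-PLACEHOLDER-001",
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "telephone_number": "555-0100",
    "email_address": "jane@example.invalid",
    "social_security_number": "000-00-0000",
    "health_plan_number": "HP-PLACEHOLDER",
    "patient_account_number": "ACCT-PLACEHOLDER",
    "diagnoses": ["example diagnosis"],
    "lab_results": ["example result"],
    "medications": ["example medication"],
}


@dataclass(frozen=True)
class AuditEntry:
    """One access decision: who saw what, and what was withheld from them."""
    when: str
    user: str
    role: str
    record_id: str
    granted: frozenset
    withheld: frozenset


AUDIT_LOG: list = []  # in practice this would be an append-only, tamper-evident store


def minimum_necessary_view(record: dict, user: str, role: str) -> dict:
    """Return only the fields the role needs, and log the decision either way."""
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> empty set -> nothing granted
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(AuditEntry(
        when=datetime.now(timezone.utc).isoformat(), user=user, role=role,
        record_id=record.get("medical_record_number", "unknown"),
        granted=frozenset(view), withheld=frozenset(set(record) - allowed)))
    return view
```

Every call is recorded, including ones that return nothing, which is what an auditor reviewing access to a record will want to see.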
How HIPAA Consulting Group Helps You
Navigating the waters of HIPAA compliance is a full-time job. Every day, new threats emerge to take advantage of companies and organizations that create, store and transmit PHI. HIPAA Consulting Group can make sure your business or organization is fully compliant and ready for any incidents that arise.
Schedule your free consultation today and let us show you how we can be your complete HIPAA compliance solution.