What is HIPAA Compliance, and Why Is It Important?
Sensitive health data is now stored electronically and, like anything else kept in the cloud, it is exposed to potential breaches.
That doesn't mean organizations that handle protected health information should leave things to chance: each of them must have physical, network, and process security measures in place and must follow the HIPAA rules.
HIPAA applies to anyone who provides treatment, payment, or operations in healthcare, as well as to anyone who has access to patients' sensitive data.
Many people find HIPAA complicated, so below we explain its definition, its rules, and why it matters.
What Does HIPAA Stand For?
HIPAA stands for the Health Insurance Portability and Accountability Act. It sets the standards that apply to protected health information (PHI): individually identifiable health information such as a patient's blood test results, diagnoses, or appointment dates.
If your organization follows the rules set out in the Act and its subsequent amendments, you can say that you're HIPAA compliant. HIPAA compliance requires you to protect all ePHI (electronic protected health information) that is received, created, maintained, or transmitted within your organization.
Apart from the question of HIPAA's definition, many people want to know who enforces HIPAA. The answer is the Department of Health and Human Services' Office for Civil Rights (OCR).
Who Needs to Be HIPAA Compliant?
According to HIPAA regulations, the following groups of organizations must be HIPAA compliant:
Health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (claims, eligibility checks, and the like) are covered entities. That includes hospitals, academic medical centers, physicians, and other institutions, organizations, or people who perform those functions.
The covered entities include the following:
- Health Plan: This can be an individual or group plan that provides or pays the cost of medical care. A group plan consists of an employer or association that offers coverage for the costs of your healthcare, while the individual plan is often purchased with the guidance of an insurance agent.
- Health Care Clearinghouse: Clearinghouses are the companies that function as intermediaries who forward claims information from a healthcare provider to insurance companies or agencies. The task of clearinghouses is to check the claim for errors and determine whether the entire procedure is valid.
- Health Care Provider: This is a person who provides medical or health services, but also any other person who furnishes, bills, or is paid for healthcare during the ordinary course of business.
- Health Care: Not a fourth category, but the term the definitions above rely on. It covers care, services, or supplies related to the health of an individual, including preventive, diagnostic, therapeutic, and any other procedure concerning physical or mental condition, as well as the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
HIPAA defines business associates as people or organizations that, on behalf of a covered entity, perform functions or activities involving PHI (handling, transmission, processing) or provide services to a covered entity that require access to PHI.
Among the most common examples of business associates are billing companies, practice management firms, third-party consultants, EHR platforms, IT providers, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and more.
In addition, all employees, volunteers, and trainees of a covered entity or business associate, and anyone else under the organization's "direct control", are obliged to follow the HIPAA rules whether they are paid or not.
What are the Most Prominent HIPAA Rules?
The Health Insurance Portability and Accountability Act was signed into law in 1996 and has been amended and expanded considerably since then. The following rules are the ones you should be aware of:
HIPAA Privacy Rule
The HIPAA Privacy Rule sets national standards for patients' rights over their PHI and applies primarily to covered entities. On request, a covered entity must give an individual access to their PHI within 30 days (one 30-day extension is allowed if the individual is told the reason for the delay).
Here are some of the HIPAA privacy rule regulations:
- Covered entities may disclose PHI to law enforcement in the circumstances the rule lists, for example in response to a court order or a court-ordered warrant.
- Covered entities may use or disclose PHI for treatment, payment, or health care operations without the patient's written authorization.
- Any other use or disclosure requires the covered entity to obtain the individual's prior written authorization.
- When a covered entity uses or discloses PHI for anything other than treatment, it must make reasonable efforts to limit it to the minimum necessary information.
- Under the Privacy Rule, individuals have the right to request that a covered entity amend inaccurate PHI and to request confidential communications.
- Covered entities must give individuals notice of how their PHI is used, account for disclosures on request, and document all privacy policies and procedures.
There are further provisions on the right of access and on disclosures to third parties; they mostly concern authorization and the right to share a patient's information with someone else.
What to do to make sure you’re HIPAA Privacy compliant:
- Respond promptly: As mentioned earlier, HIPAA gives you at most 30 days to act on a patient's request to access their PHI, so build a process that reliably meets that deadline rather than treating it as a target.
- Put together an NPP: NPP (Notice of Privacy Practices) provides a user-friendly explanation of an individual’s rights regarding their health information and privacy of their health plans. Make sure you put it together to inform patients and subscribers about data sharing policies officially.
- Educate your staff: It’s critical to train your staff and explain to them what data can and cannot be shared.
- Obtain authorizations: Make sure you obtain the patient's written authorization before using or disclosing ePHI for research, marketing, sale of PHI, or any other purpose the Privacy Rule does not already permit.
- Update your forms regularly: Your NPP and authorization forms should reflect later rule changes, such as the relaxed rules on disclosing immunization records to schools, the patient's right to restrict disclosures to a health plan for services paid out of pocket, and the patient's right to obtain electronic copies of their records.
HIPAA Security Rule
The HIPAA Security Rule complements the Privacy Rule and requires covered entities and business associates to protect patients' ePHI with appropriate administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of this critical information.
All covered entities must assess their security risks, even if they use certified electronic health record (EHR) technology, and they must implement the administrative, physical, and technical safeguards in order to comply with the Security Rule.
According to HIPAA, administrative safeguards are the policies and procedures that describe what a covered entity does to protect its ePHI. They include training and procedures for all workforce members, whether or not they have direct access to ePHI.
What to do to make sure you’re compliant to administrative safeguards:
- Assess your risk: It’s important to perform a comprehensive risk assessment for all health data to identify every area in which ePHI is being used and to define every possible way in which breaches of ePHI could occur.
- Introduce a risk management policy: According to HIPAA Journal, the risk assessment must be repeated in regular time intervals having in mind the measures introduced to minimize the risk to an appropriate level. You should also include a sanctions policy for employees who fail to comply with HIPAA law.
- Train your employees: Include training to ensure your employees are aware of the policies and procedures that control the access to ePHI, and to make sure they know how to identify malicious software and cyberattacks. Don’t forget that all training must be documented.
- Control the unpredictable situations: You should implement a contingency plan that would enable the continuation of important business procedures. It should protect the integrity of ePHI at the same time, while the organization works in emergency mode.
- Test the contingency plan: In addition to the previous requirement, you should test the contingency plan regularly and assess the criticality of particular applications. There must also be accessible backups of ePHI and documented procedures to restore the data in an emergency.
- Block unpermitted access: Make sure that unauthorized parent organizations and subcontractors can’t access the ePHI, and that Business Associate Agreements (BAAs) are signed by the partners that will have access to the sensitive health information.
- Respond to security incidents: The Security Rule requires procedures to identify, respond to, and document security incidents and their outcomes. Catching and reporting suspicious activity early lets you contain an attack before it reaches the data, so your staff must know how to recognize a suspected incident and whom to report it to.
Physical safeguards involve access both to the physical items of a covered entity and its electronic equipment, which means that neither ePHI nor the computer systems in which it’s stored should be available to an unauthorized source.
What to do to make sure you’re compliant to physical safeguards:
- Take control over facility access: Control who has physical access to the ePHI location and make sure the procedures include safeguards to prevent any unauthorized physical access. Pay special attention to engineers, repair people, and cleaners.
- Manage workstation policies: Create a plan that determines which workstation can access health data, describes how a screen should be protected from third-party sources, and explains the proper workstation use.
- Protect mobile devices: If users have access to ePHI right from their mobile devices, you need to create a policy that determines the steps of removing the ePHI from the device of a user who leaves the organization.
- Monitor servers: Your organization must maintain an inventory of all the hardware you have and use, which is why you shouldn’t forget to copy all the data before you move servers.
Technical safeguards are aimed at technology, policies, and procedures for its use. They protect ePHI and control access to it, which often makes them the most challenging regulations to comprehend and implement.
The technical safeguards treat encryption of ePHI as an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable. If you do encrypt, follow NIST guidance (for example SP 800-111 for data at rest and TLS configured per NIST guidance for data in transit). ePHI encrypted that way is considered unreadable, undecipherable, and unusable, so its loss in a data breach does not expose patients' confidential data and does not trigger breach notification.
What to do to make sure you’re compliant to technical safeguards:
- Implement the right access controls: Beyond assigning each user a unique, centrally managed user ID and password, establish an emergency access procedure that defines how ePHI can be obtained during an emergency.
- Authenticate ePHI: Integrity controls (checksums, digital signatures, or similar mechanisms) let you verify that ePHI has not been altered or destroyed in an unauthorized manner, whether by tampering or by a faulty process.
- Encrypt in transit: Implement tooling that encrypts ePHI whenever it is sent over an open network beyond your internal firewalled servers, and decrypts it on receipt.
- Enable activity logs and audit controls: The audit controls help you register the attempted access to ePHI and record what is done with data when it’s been accessed.
- Enable automatic logoff of PCs and other devices: Thanks to this feature, all the authorized personnel will be logged off of the device when they’re not using it – that way, any unpermitted access will be blocked when the device is unattended.
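The four items above (access control, integrity of ePHI, audit controls, and automatic logoff) are easier to reason about in code than in prose. The following is an added example written for this page, not code from the original article or from any vendor: a toy ePHI access layer in Python's standard library. Every read goes through a session tied to a unique user ID, is filtered to the fields that role needs (the minimum-necessary standard), is written to a hash-chained audit log that detects any later edit or deletion, and idle sessions are logged off automatically. The patient record, the role-to-field mapping, the idle timeout, the emergency ("break-glass") procedure and the HMAC key are all constructed for the example.

```python
"""Toy ePHI access layer demonstrating Security Rule technical safeguards.
Added example; all records, roles and keys are constructed, not real."""
import hashlib
import hmac
import json
import time

# Constructed sample ePHI; not real patient data.
PATIENT_RECORDS = {
    "p-1001": {"name": "Jane Doe", "dob": "1980-01-01",
               "labs": "HbA1c 6.1%", "billing_code": "99213"},
}

# Minimum necessary: each role may read only the fields it needs (assumed mapping).
ROLE_FIELDS = {
    "physician": {"name", "dob", "labs"},
    "billing": {"name", "billing_code"},
}

# Assumed key for the audit-log MAC; in production keep it in a KMS/HSM, not in code.
AUDIT_KEY = b"example-audit-key-rotate-me"


class AuditLog:
    """Append-only audit log. Each entry carries an HMAC over its own fields plus
    the previous entry's HMAC, so editing or deleting any entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _mac(body):
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()

    def append(self, **event):
        body = dict(event, prev=self._prev)
        mac = self._mac(body)
        self.entries.append(dict(body, mac=mac))
        self._prev = mac

    def verify(self):
        """Return True only if every entry is intact and correctly chained."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class EphiService:
    """Mediates every read of ePHI through a session, a role filter and the audit log."""

    def __init__(self, idle_timeout=15 * 60, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # automatic logoff after this many idle seconds
        self.clock = clock                 # injectable so the timeout can be tested
        self.sessions = {}                 # session id -> {"user", "role", "last"}
        self.audit = AuditLog()

    def login(self, user, role):
        # Authentication (password, MFA) is assumed to have happened upstream;
        # the point here is that every session is bound to a unique user ID.
        sid = hashlib.sha256(f"{user}:{self.clock()}".encode()).hexdigest()[:16]
        self.sessions[sid] = {"user": user, "role": role, "last": self.clock()}
        self.audit.append(event="login", user=user, role=role)
        return sid

    def _active_session(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last"] > self.idle_timeout:
            # Automatic logoff: the idle session is dropped and the fact recorded.
            del self.sessions[sid]
            self.audit.append(event="auto_logoff", user=s["user"])
            return None
        s["last"] = self.clock()
        return s

    def read(self, sid, patient_id, emergency_reason=None):
        """Return the subset of a record the caller's role may see, or None if denied.
        emergency_reason triggers the emergency-access procedure: the full record is
        returned, but the access is always logged together with the stated reason."""
        s = self._active_session(sid)
        if s is None:
            self.audit.append(event="denied", reason="no_active_session", patient=patient_id)
            return None
        record = PATIENT_RECORDS.get(patient_id)
        if record is None:
            return None
        if emergency_reason:
            self.audit.append(event="emergency_access", user=s["user"],
                              patient=patient_id, reason=emergency_reason)
            return dict(record)
        allowed = ROLE_FIELDS.get(s["role"], set())
        if not allowed:
            self.audit.append(event="denied", user=s["user"], patient=patient_id,
                              reason="role_not_permitted")
            return None
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit.append(event="read", user=s["user"], patient=patient_id,
                          fields=sorted(view))
        return view


if __name__ == "__main__":
    svc = EphiService(idle_timeout=60)
    sid = svc.login("dr.smith", "physician")
    print(svc.read(sid, "p-1001"))   # name, dob and labs only; billing_code withheld
    print(svc.audit.verify())        # True: the chain is intact
```

Two design points worth noting. The audit log's chain means an insider who can edit the log file cannot quietly remove the entry that records their own access; `verify()` fails as soon as any earlier entry changes. And the emergency procedure does not weaken access control silently: it grants the full record only when a reason is supplied, and that reason lands in the same tamper-evident log, which is exactly what a reviewer needs when auditing break-glass use.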
HIPAA Breach Notification Rule
Breach Notification Rule includes a set of standards that both business associates and covered entities should follow in case of a data breach that contains PHI or ePHI.
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. When one occurs, you are obliged to notify the individuals whose health information was exposed.
Individual notifications must be sent without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS (the Department of Health and Human Services) within that 60-day window and to prominent media outlets; smaller breaches affecting fewer than 500 people are logged and submitted to HHS annually, within 60 days after the end of the calendar year.
An impermissible use or disclosure is presumed to be a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The assessment must consider at least these factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated.
HIPAA Omnibus Rule
The primary purpose of the HIPAA Omnibus Rule is to address a number of areas that had been omitted during the previous updates to HIPAA. It brought some changes to definitions, clarified procedures and policies, and expanded the HIPAA compliance checklist to cover business associates and their subcontractors.
This rule proclaims that all business associates must be HIPAA compliant, and it outlines the laws of the Business Associate Agreements (BAAs), which are the contracts that must be executed between a covered entity and business associate, or two business associates before any PHI or ePHI can be transferred or shared.
The Omnibus Rule also made significant changes to how violations and unauthorized data exposure are treated. It adopted the tiered penalty structure of the HITECH Act, which raises the maximum to $1.5 million per calendar year for violations of an identical provision. In short, the rule strengthens the protection of patients' privacy and their sensitive health information.
What to do to make sure you’re HIPAA Omnibus compliant:
- Update BAA: It’s essential to update the old Business Associate agreements if you want to take the Omnibus Rule into account.
- Send new copies of BAA: You must get signed copies of a new BAA, and they must incorporate the Omnibus information to stay compliant.
- Modernize the NPP: NPP must be regularly updated with the information about authorization, and other vital things that cover the privacy and safeguards.
- Complete your training: You need to make sure that your entire staff goes through the appropriate training that includes all the Omnibus Rule adjustments.
How to Become HIPAA Certified?
If you want to obtain a HIPAA certification, you can do it through an outside training organization. A typical program includes one or more levels of HIPAA Awareness, Security, Privacy, Administrator, and Transaction certificates, depending on the provider. Note that HHS does not issue or endorse any HIPAA certification: a certificate shows that training took place, it does not prove that an organization is compliant.
- Choose a proven HIPAA training company: Go for a company that offers certification credentials at the training that you want. Depending on your choice, the course will include either basic or more in-depth sessions.
- Attend the training: You can choose between online and on-site classes, but many training companies also offer to come to your place or office, if you need to train a large number of employees.
- Take a test: You’ll need to take a final test at the end of the course, and once you pass it, you’ll get a certificate. However, some companies will give you certificates without examination.
- Visit the HHS website periodically: Make sure you visit the site of the U.S. Department of Health & Human Services regularly to keep track of changes and modifications to the HIPAA rules.
What are the Most Common HIPAA Violations and How are They Treated?
As we've already mentioned, the Breach Notification Rule requires you to report any breach of unsecured PHI, whether the data was stolen, lost, or compromised in some other way.
Despite multi-layered cybersecurity protections, data breaches are still common and hard to predict. Healthcare organizations are frequent targets, and an impenetrable defense is rarely achievable.
That said, being HIPAA compliant doesn't guarantee a fully secure environment for a healthcare organization, but it can significantly reduce the risk of cybersecurity incidents. Breaches are not always the result of a HIPAA violation, but some of them are a direct consequence of noncompliance.
Here comes the list of the ten most common HIPAA violations that can be pernicious for healthcare organizations:
1. Peek at Healthcare Records
Accessing the patients’ health records for reasons that are not listed in the Privacy Rule is the most common type of HIPAA violation.
Employees tend to snoop at the records of their families, neighbors, and even celebrities, and such violation usually results in termination of employment, but also in criminal charges for the employee who breaks regulations.
Financial penalties for this are less common, but there have been cases where the organization had to pay more than $500,000 for unauthorized access to its patients' medical records, and some healthcare workers have gone to federal prison for jeopardizing patients' privacy.
2. Lack of Organization-Wide Risk Analysis Performance
If organizations fail to perform the risk analysis, they won’t be able to detect any vulnerabilities regarding PHI’s integrity, confidentiality, and availability.
Neglected risks and undetected malicious activity open the door to attackers and put patients' data in danger. This violation has resulted in financial penalties of up to $2.7 million.
3. Failure to Perform a Risk Management Process
It's essential to perform a risk analysis regularly, but not for its own sake: every risk and potential threat the analysis identifies must be addressed through a risk management process within a reasonable time frame.
Failing to address risks you know exist in your systems is itself a HIPAA violation, and penalties of up to $1.7 million have been imposed for it.
4. Negligence to Enter a HIPAA-Compliant BAA
If your organization doesn’t enter into a HIPAA-compliant business associate agreement with all vendors that are granted access to PHI, you are violating the HIPAA rules. That said, even if BAAs are held for all vendors, they still may not be HIPAA compliant, especially if they haven’t been revised after the Omnibus Rule.
Some organizations had to pay $1.55 million for a financial penalty for breaking this regulation.
5. Not Enough ePHI Access Controls
It's quite common for covered entities and business associates to fail to implement adequate ePHI access controls, meaning they do not restrict access to the staff who need it for their job but leave it open to anyone with an account.
Such violation of the HIPAA Security Rule includes a financial penalty that goes from $1.6 million to even $16 million.
6. Failure to Encrypt or Implement Equivalent Measure to Protect Data on Portable Devices
Encrypting ePHI is one of the most effective ways to prevent data breaches and keep data out of the wrong hands. If encrypted data is stolen, the loss does not have to be reported as a breach unless the decryption key was also compromised.
Encryption is an addressable specification rather than a mandatory one, but that doesn't mean you can ignore it: you must either implement it or implement and document an equivalent security measure that protects the data on your portable devices.
If you fail to encrypt data or protect it in some equivalent way, you may face fines ranging from $650,000 to $3.2 million.
7. Exceeding the 60-Day Deadline for Reporting Breach Notification
Under the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after a breach is discovered.
Covered entities that exceed that deadline are in violation of HIPAA, and fines of around $140,000 have been imposed for it.
8. The PHI Disclosure Without Necessary Permissions
The HIPAA Privacy Rule determines when, and under what conditions, PHI may be disclosed; any disclosure not permitted there is considered a serious violation.
The most common violations include disclosing PHI to a patient's employer, potential disclosures resulting from the theft or loss of unencrypted computers or laptops, negligent handling of PHI, its unnecessary exposure, failure to follow the minimum necessary standard, and disclosure of PHI after the patient's authorization has expired.
The cost of a penalty for this infraction is about $2.4 million.
9. Inadequate Disposal of PHI
When PHI, whether on paper or in electronic form, is no longer required and its retention period has expired, HIPAA requires you to destroy it securely and permanently.
Paper records can be shredded or pulped, while ePHI requires sanitizing the media it was stored on (by cryptographic erasure, secure overwriting, degaussing, or physical destruction, per NIST SP 800-88) so that it cannot be recovered and disclosed.
Improper disposal of PHI has cost organizations up to $800,000.
10. Rejecting Patients’ Request to Access Health Records
Patients have the right to access their medical records and obtain copies on request, which means that they’re allowed to check the data for errors and share them with other entities and individuals.
If healthcare providers refuse to give patients copies of the record, if they overcharge for them or fail to issue them within 30 days, they violate the HIPAA rules, which provide patients with full access to their medical data.
The fine for breaking these rules costs about $4.3 million.
The other common violations include emailing the PHI to personal email addresses, leaving portable devices or paperwork unattended, revealing patient’s information to an unauthorized person and without adequate authorization, downloading PHI to unlicensed devices, etc.
Secure Networks ITC – Your HIPAA Compliance is Our Concern
The violations mentioned earlier often arise due to the lack of knowledge and understanding of HIPAA regulations, which are quite comprehensive.
The cybersecurity experts from Secure Networks ITC will take care of the entire process of becoming HIPAA compliant, focusing on creating a strategy for meeting broad requirements for protecting PHI stated in the Security Rule.
The task of San Diego IT support team is to provide confidentiality and availability of ePHI and protect it from threats, hazards, unauthorized use, and disclosure. Don’t wait until the last minute and contact us at 858.769.5393