What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act of 1996 was first created to safeguard a patient’s private health information (termed Protected Health Information, PHI), creating a requirement for HIPAA compliance for any organisation handling PHI. Initially, it was designed so that it would be easier for employees to transfer health plans between employers. However, as the health industry moved into the digital age, HIPAA became an important player in ensuring PHI is protected both on- and offline. It lays out industry-wide mandates regarding the distribution of a patient’s data, stipulating that whenever data is shared, the minimum amount of information must be transferred.
Healthcare professionals and business associates alike usually receive extensive training in HIPAA compliance. This is, in part, due to the vague wording of HIPAA. The intention of this was to ensure that HIPAA protected PHI under a variety of situations, covered entities (CEs) and Business Associates. It also ensured that, even as technologies progressed, HIPAA would not need to be continuously updated as the vague terms accommodated for these progressions. Nevertheless, HIPAA has seen many revisions since its first inception to incorporate new means of protection or extend its coverage across the sector.
Covered Entities and Business Associates
Covered entities include healthcare providers, health plans, healthcare clearinghouses or other related organisations that create, maintain or transmit PHI. Generally, employers are not CEs, though they do often have records of an employee’s health information. However, if they provide benefits such as the Employee Assistance Program (EAP), they are considered “hybrid entities” and thus must be HIPAA-compliant.
In the case of hospitals, the hospital itself is the CE, and its employed healthcare providers (doctors, nurses, etc) are covered by the hospital. Thus, the hospital is charged with implementing and enforcing HIPAA. They are also the ones that bear the consequences of HIPAA non-compliance.
If a third party provides a service to a CE that involves access to the PHI held by that CE they are then considered “business associates” (BAs). These may include IT contractors, lawyers, accountants etc. For full HIPAA compliance, the associate must sign a Business Associate Agreement (BAA) with the CE that stipulates how and when the PHI will be accessed, used and processed after use. So long as the associate has possession of the PHI, it must be HIPAA-compliant.
Protected Health Information
Protected Health Information (PHI) is highly sensitive information that may be used to identify individuals. Thus, they must be kept private to protect the identity of the individuals and shield them from fraud. The following table gives some examples of PHI:
|Names or parts of names||Finger prints, voice recordings or retinal prints|
|Date of birth||License plates|
|Social Security Numbers||Religion|
|Bank account or card details||Addresses|
|Device identifiers or IP addresses||Photographs or video images|
Some information – such as medical records or sexuality – are considered to be more sensitive than others. However, all are protected under HIPAA and thus the same privacy regulations apply to all. Employees should know what sorts of information are defined as PHI so that they can treat them as such. This will, in turn, reduce the likelihood of a HIPAA breach.
The primary condition for HIPAA compliancy is that the CE or business associate instils the maximal technical, physical and administrative safeguards to protect PHI. This is stipulated in the HIPAA Privacy and Security Rules. If the parties fail to maintain the integrity of the PHI, they must comply to the HIPAA Breach Notification Rule.
However, how exactly CEs and BAs are supposed to achieve this protection is not always clear. As mentioned above, HIPAA is often vague in its wording – many safeguards are termed “addressable requirements”. This does not mean that they should be ignored – rather, if it is believed that an alternative measure can provide equal levels of protection, it can be used instead. “Addressable”, in this sense, does not mean that a CE or BA can chose whether or not to enact the safeguard, but instead how they should enact it.
A common example used to illustrate this idea are passwords. Under the Privacy and Security Rules, passwords are deemed “addressable requirements”. However, many businesses instead opt to use two-factor authentication. This newer technology uses one-time passcodes linked with certain login credentials, thus offering an extra layer of security over traditional passwords. It also meets the HIPAA password requirement of limiting “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”.
HIPAA Privacy Rule: The Privacy Rule dictates how and when PHI can be disclosed. Originally, it took force in 2003 and applies to all healthcare organisations, clearing houses and those that provide health plans. Since 2013, it has been extended to include business associates.
The rule sets limits regarding the use and disclosure of patient information when no prior authorization has been given by the patient. Under this rule, patients and their representatives have the right to obtain a copy of their health records and request changes if necessary. CEs must respond to patient requests within 30 days. A Notice of Privacy Practices (NPPs) must also be given to a patient if their data is to be used.
HIPAA Security Rule: The Security Rule stipulates the standards to safeguard ePHI. Anybody that can read, write, edit or transfer the ePHI or personal identifiers must follow these standards. The primary technical safeguard encryption to NIST standards once the data goes outside the company’s firewall. However, other appropriate measures include the introduction of audit controls for anyone who accesses the data and automatic logoff from a system.
Physical safeguards may relate to how workstations are set up (e.g. screens cannot be seen from a public area) or maintaining a thorough inventory of hardware. Administrative safeguards unite the Privacy Rule and the Security Rule. It requires a Security Officer and Privacy Officer to oversee procedures and conduct regular risk assessments. These assessments aim to identify any ways in which HIPAA-compliance could be breached and build a risk management policy off the back of this.
Breach Notification Rule: If the integrity of the PHI has been breached, the CEs must notify the patients and the Department of Health and Human Services. This must be within 60 days of the discovery of the breach. The media must also be informed if more than 500 patients are affected. If there are fewer patients affected, a report on the OCR website is published.
Omnibus Rule: A later addition, the Omnibus Rule addresses areas that were previously omitted in HIPAA legislation. It tiered civil penalties as per the Health Information Technology for Economic and Clinical Health (HITECH) Act, changed the harm threshold and banned the use of ePHI for marketing, amongst other things.
The charges of business associates were also amended by the Omnibus Rule. Business associates must now update their Associate Agreements, change privacy policies to be HIPAA-compliant and train staff in privacy protocol.
Enforcement Rule: Should a breach of PHI occur, the Enforcement Rule lays out how any subsequent investigations into the breach will be conducted. Fines are then levied based on the level of negligence. For example, if it is determined that HIPAA was violated due to ignorance, a fine of up to $50,000 can still be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 may be charged. Victims may also file civil lawsuits.
Common Threats to HIPAA Compliance
Unfortunately, the main threat to HIPAA compliance is one that’s hard to completely eliminate: human error. Even if the company has rigorous safeguards in place, one misplaced phone or the divulgence of too much information to the wrong person can result in a privacy breach.
This is especially relevant as more companies are adopting “Bring Your Own Device” (BYOD) policies. These are attractive, as they reduce overhead costs within organisations. Now, it is estimated that 80% of employees in the healthcare sector will use personal electronic devices at work. There are other advantages, too, for the employees themselves – they can readily access information, contact other staff members and generally increase productivity. However, the Health Insurance Trust Alliance estimates that 40% of HIPAA violations now occur because of thefts of such devices. Device encryption and two-factor authentication can protect much of the information held on the device, but even these can be overcome by cybercriminals.
Such personal devices are also the targets of malware attacks. These endpoints may not be as protected as devices provided by the organisation, and as they can be taken hope, employees may connect to insecure public networks – making it easier for criminals to hijack devices. Employers should ensure that all devices used as part of a BYOD scheme meets minimum HIPAA requirements for ePHI safety, and where possible provide software that filters emails or provides content warning on websites for malware detection.
Employees should also be trained on other aspects of cyber safety, such as detecting phishing scams or avoiding sharing PHI by email. All employees should be required to use a secure messaging services for work communications. These encrypt all employee messages sent within the system, and often include mechanisms that prevents PHI being sent outside of the system’s network. If the device is lost or stolen, the organisation can also remotely delete data from the device.
Not all threats are related to cybersecurity. HIPAA emphasises the importance of physical and administrative safeguards that usually relate to the workplace environment. For example, “Clear Desk” policies require employees to remove all sensitive material from their workspace at the end of the day, placing it in secure cabinets or – in the case of mobile devices – taking them home with them. HIPAA also requires that any screens that may display PHI during the course of work must face away from areas accessible by the public or unauthorised personnel. This requirement comes under “Facility Access Control”, and employers should also employ key-card access to areas where PHI is held. The lack of such controls are considered HIPAA violations.
From an administrative point of view, it is important that employees know how to report a breach. This is necessary under the Breach Notification Rule, as failure to report a breach in a timely fashion is considered a HIPAA violation. HIPAA also lists employee training as an “addressable” requirement, though it is strongly recommended that all employees receive regular training on HIPAA and the latest developments in privacy practices. If such training is not provided, or deemed inadequate, it is a breach of HIPAA policies.
Top Training Tips
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do design training sessions so that each session will be short and focussed. Not only will this help employees fit training into their schedules, but it will help attendees concentrate and retain more information. This will help prevent further breaches. Remember: ignorance is not considered an excuse for PHI breaches.
Do ensure employees are trained regularly and training plans are kept up-to-date. Each session should focus on a different aspect of training, remind employees of the most important aspects of the regulation. These sessions should, at minimum, be conducted annually.
Do notify employees of the consequences of HIPAA non-compliance, be they consequences for the company of the patient whose data was lost. Consequences include fines and legal action against the CE, or a loss of privacy for the patient affected. Emphasising these consequences can incentivise employee compliance.
Do offer training for all levels of staff, right up to higher management. Every member of staff is liable to make mistakes, so just because someone is high up in the organisation does not mean they should be immune from training days. Regardless, a lack of training provided to higher levels reflects poorly on the CE in an audit.
Do maintain comprehensive records of when the training occurred, who was involved and what information was presented to staff. If the OCR carries out an audit, or a breach occurs and an investigation is needed, this information will be critical.
Don’t just read out long passages from HIPAA. Explaining legal jargon and summarising important pieces of information will help employees understand what HIPAA is and why it’s important. Try to ensure that participants both know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go over the history of HIPAA, how it came to be or why it was introduced – it is not essential information. Rather, starting with such information is likely to cause participants to lose focus before you even begin.
Consequences of Non-Compliance
Before detailing the consequences of HIPAA non-compliance, it is important to first point out that the OCR does not consider ignorance to be an adequate excuse. Some breaches are unavoidable – a high-tech cyberattack is hard to avoid, even with the best protections – but simply pleading that an employee “didn’t know” that an action was HIPAA non-compliant is not a defence.
When issuing penalties, the OCR will first consider the nature of the breach – how many people were affected, what information was accessed, how the breach actually occurred etc.. Fines begin at $100 per HIPAA violation, with a maximum penalty of $1.5 million for a instances were several breaches of the same nature occurred within one year. Breaches are assessed on their level of “wilful neglect” and “reasonable cause” in a tiered manner. In the worst-case scenario, where a breach could have been prevented and it was neither reported or corrected in a timely fashion, fines of $1.5 million can be levied against the CE or BA. In some instances, the negligent party may also be dealt a jail term.
HIPAA Compliance: Summary
HIPAA is a necessarily complex piece of legislation, and many within the healthcare industry consider it an annoyance or barrier to productivity. However, it is essential to protect patient privacy and thus compliance is essential. To help reinforce the importance of HIPAA compliance, the OCR has introduced a tiered penalties system for HIPAA violations, with fines reaching a staggering $1.5 million. These penalties can be easily avoided, notably through employee training schemes that raise the profile of HIPAA within an organisation and help foster a cautious mindset when dealing with patient data.