What is HIPAA Compliance?
HIPAA compliance refers to the adherence to the regulations and provisions set forth by the Health Insurance Portability and Accountability Act of 1996, which mandates the protection and confidential handling of protected health information by healthcare providers, health plans, clearinghouses, and their business associates to safeguard patient privacy and ensure the security of health data in both electronic and physical formats. HIPAA compliance is a term that encapsulates the vast array of regulations and standards established by the HIPAA. HIPAA was created to ensure that individuals’ health information remains confidential and secure, irrespective of the rapid changes and advancements in digital technology and healthcare practices. This compliance not only addresses the electronic sharing and storage of health data but also its management and protection in all forms, be it oral, written, or electronic. For healthcare providers, health plans, and clearinghouses, often referred to as “covered entities”, HIPAA compliance is not just an operational necessity but a legal obligation. Beyond these entities, the net of HIPAA extends to “business associates,” which include any organization or individual that performs tasks involving the use or disclosure of protected health information (PHI) on behalf of, or providing services to, a covered entity. This ensures a comprehensive protection framework, from the primary care doctor treating a patient to the third-party software provider managing patient data. HIPAA compliance centers on the safeguarding of protected health information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. The regulations ensure that such information remains confidential, is protected against any threats or breaches, and remains intact and unchanged without the risk of unauthorized alteration. This covers a wide spectrum of data points, from medical records and billing information to appointment scheduling details and conversation notes taken during a doctor’s appointment.
Covered Entities and Business Associates
Covered entities include healthcare providers, health plans, healthcare clearinghouses or other related organisations that create, maintain or transmit PHI. Generally, employers are not CEs, though they do often have records of an employee’s health information. However, if they provide benefits such as the Employee Assistance Program (EAP), they are considered “hybrid entities” and thus must be HIPAA-compliant.
In the case of hospitals, the hospital itself is the CE, and its employed healthcare providers (doctors, nurses, etc) are covered by the hospital. Thus, the hospital is charged with implementing and enforcing HIPAA. They are also the ones that bear the consequences of HIPAA non-compliance.
If a third party provides a service to a CE that involves access to the PHI held by that CE they are then considered “business associates” (BAs). These may include IT contractors, lawyers, accountants etc. For full HIPAA compliance, the associate must sign a Business Associate Agreement (BAA) with the CE that stipulates how and when the PHI will be accessed, used and processed after use. So long as the associate has possession of the PHI, it must be HIPAA-compliant.
Protected Health Information
Protected Health Information (PHI) is highly sensitive information that may be used to identify individuals. Thus, they must be kept private to protect the identity of the individuals and shield them from fraud. The following table gives some examples of PHI:
|Names or parts of names||Finger prints, voice recordings or retinal prints|
|Date of birth||License plates|
|Social Security Numbers||Religion|
|Bank account or card details||Addresses|
|Device identifiers or IP addresses||Photographs or video images|
Some information – such as medical records or sexuality – are considered to be more sensitive than others. However, all are protected under HIPAA and thus the same privacy regulations apply to all. Employees should know what sorts of information are defined as PHI so that they can treat them as such. This will, in turn, reduce the likelihood of a HIPAA breach.
The primary condition for HIPAA compliancy is that the CE or business associate instils the maximal technical, physical and administrative safeguards to protect PHI. This is stipulated in the HIPAA Privacy and Security Rules. If the parties fail to maintain the integrity of the PHI, they must comply to the HIPAA Breach Notification Rule.
However, how exactly CEs and BAs are supposed to achieve this protection is not always clear. As mentioned above, HIPAA is often vague in its wording – many safeguards are termed “addressable requirements”. This does not mean that they should be ignored – rather, if it is believed that an alternative measure can provide equal levels of protection, it can be used instead. “Addressable”, in this sense, does not mean that a CE or BA can chose whether or not to enact the safeguard, but instead how they should enact it.
A common example used to illustrate this idea are passwords. Under the Privacy and Security Rules, passwords are deemed “addressable requirements”. However, many businesses instead opt to use two-factor authentication. This newer technology uses one-time passcodes linked with certain login credentials, thus offering an extra layer of security over traditional passwords. It also meets the HIPAA password requirement of limiting “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”.
HIPAA Privacy Rule: The Privacy Rule dictates how and when PHI can be disclosed. Originally, it took force in 2003 and applies to all healthcare organisations, clearing houses and those that provide health plans. Since 2013, it has been extended to include business associates.
The rule sets limits regarding the use and disclosure of patient information when no prior authorization has been given by the patient. Under this rule, patients and their representatives have the right to obtain a copy of their health records and request changes if necessary. CEs must respond to patient requests within 30 days. A Notice of Privacy Practices (NPPs) must also be given to a patient if their data is to be used.
HIPAA Security Rule: The Security Rule stipulates the standards to safeguard ePHI. Anybody that can read, write, edit or transfer the ePHI or personal identifiers must follow these standards. The primary technical safeguard encryption to NIST standards once the data goes outside the company’s firewall. However, other appropriate measures include the introduction of audit controls for anyone who accesses the data and automatic logoff from a system.
Physical safeguards may relate to how workstations are set up (e.g. screens cannot be seen from a public area) or maintaining a thorough inventory of hardware. Administrative safeguards unite the Privacy Rule and the Security Rule. It requires a Security Officer and Privacy Officer to oversee procedures and conduct regular risk assessments. These assessments aim to identify any ways in which HIPAA-compliance could be breached and build a risk management policy off the back of this.
Breach Notification Rule: If the integrity of the PHI has been breached, the CEs must notify the patients and the Department of Health and Human Services. This must be within 60 days of the discovery of the breach. The media must also be informed if more than 500 patients are affected. If there are fewer patients affected, a report on the OCR website is published.
Omnibus Rule: A later addition, the Omnibus Rule addresses areas that were previously omitted in HIPAA legislation. It tiered civil penalties as per the Health Information Technology for Economic and Clinical Health (HITECH) Act, changed the harm threshold and banned the use of ePHI for marketing, amongst other things.
The charges of business associates were also amended by the Omnibus Rule. Business associates must now update their Associate Agreements, change privacy policies to be HIPAA-compliant and train staff in privacy protocol.
Enforcement Rule: Should a breach of PHI occur, the Enforcement Rule lays out how any subsequent investigations into the breach will be conducted. Fines are then levied based on the level of negligence. For example, if it is determined that HIPAA was violated due to ignorance, a fine of up to $50,000 can still be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 may be charged. Victims may also file civil lawsuits.
Common Threats to HIPAA Compliance
The main threat to HIPAA compliance is one that’s hard to completely eliminate: human error. Even if the company has rigorous safeguards in place, one misplaced phone or the divulgence of too much information to the wrong person can result in a privacy breach. This is especially relevant as more companies are adopting “Bring Your Own Device” (BYOD) policies. These are attractive, as they reduce overhead costs within organisations. Now, it is estimated that 80% of employees in the healthcare sector will use personal electronic devices at work. There are other advantages, too, for the employees themselves – they can readily access information, contact other staff members and generally increase productivity. However, the Health Insurance Trust Alliance estimates that 40% of HIPAA violations now occur because of thefts of such devices. Device encryption and two-factor authentication can protect much of the information held on the device, but even these can be overcome by cybercriminals.
Such personal devices are also the targets of malware attacks. These endpoints may not be as protected as devices provided by the organisation, and as they can be taken hope, employees may connect to insecure public networks – making it easier for criminals to hijack devices. Employers should ensure that all devices used as part of a BYOD scheme meets minimum HIPAA requirements for ePHI safety, and where possible provide software that filters emails or provides content warning on websites for malware detection.
Employees should also be trained on other aspects of cyber safety, such as detecting phishing scams or avoiding sharing PHI by email. All employees should be required to use a secure messaging services for work communications. These encrypt all employee messages sent within the system, and often include mechanisms that prevents PHI being sent outside of the system’s network. If the device is lost or stolen, the organisation can also remotely delete data from the device.
Not all threats are related to cybersecurity. HIPAA emphasises the importance of physical and administrative safeguards that usually relate to the workplace environment. For example, “Clear Desk” policies require employees to remove all sensitive material from their workspace at the end of the day, placing it in secure cabinets or – in the case of mobile devices – taking them home with them. HIPAA also requires that any screens that may display PHI during the course of work must face away from areas accessible by the public or unauthorised personnel. This requirement comes under “Facility Access Control”, and employers should also employ key-card access to areas where PHI is held. The lack of such controls are considered HIPAA violations.
From an administrative point of view, it is important that employees know how to report a breach. This is necessary under the Breach Notification Rule, as failure to report a breach in a timely fashion is considered a HIPAA violation. HIPAA also lists employee training as an “addressable” requirement, though it is strongly recommended that all employees receive regular training on HIPAA and the latest developments in privacy practices. If such training is not provided, or deemed inadequate, it is a breach of HIPAA policies.
Top Training Tips
To help CEs and their business associates navigate the confusing world of HIPAA compliance training, we have compiled a simple list of best practices for employee training.
Do design training sessions so that each session will be short and focussed. Not only will this help employees fit training into their schedules, but it will help attendees concentrate and retain more information. This will help prevent further breaches. Remember: ignorance is not considered an excuse for PHI breaches.
Do ensure employees are trained regularly and training plans are kept up-to-date. Each session should focus on a different aspect of training, remind employees of the most important aspects of the regulation. These sessions should, at minimum, be conducted annually.
Do notify employees of the consequences of HIPAA non-compliance, be they consequences for the company of the patient whose data was lost. Consequences include fines and legal action against the CE, or a loss of privacy for the patient affected. Emphasising these consequences can incentivise employee compliance.
Do offer training for all levels of staff, right up to higher management. Every member of staff is liable to make mistakes, so just because someone is high up in the organisation does not mean they should be immune from training days. Regardless, a lack of training provided to higher levels reflects poorly on the CE in an audit.
Do maintain comprehensive records of when the training occurred, who was involved and what information was presented to staff. If the OCR carries out an audit, or a breach occurs and an investigation is needed, this information will be critical.
Don’t just read out long passages from HIPAA. Explaining legal jargon and summarising important pieces of information will help employees understand what HIPAA is and why it’s important. Try to ensure that participants both know the required legislation but also understand how to enact it in their day-to-day roles.
Don’t go over the history of HIPAA, how it came to be or why it was introduced – it is not essential information. Rather, starting with such information is likely to cause participants to lose focus before you even begin.
Consequences of Non-Compliance
Before detailing the consequences of HIPAA non-compliance, it is important to first point out that the OCR does not consider ignorance to be an adequate excuse. Some breaches are unavoidable – a high-tech cyberattack is hard to avoid, even with the best protections – but simply pleading that an employee “didn’t know” that an action was HIPAA non-compliant is not a defence.
When issuing penalties, the OCR will first consider the nature of the breach – how many people were affected, what information was accessed, how the breach actually occurred etc.. Fines begin at $100 per HIPAA violation, with a maximum penalty of $1.5 million for a instances were several breaches of the same nature occurred within one year. Breaches are assessed on their level of “wilful neglect” and “reasonable cause” in a tiered manner. In the worst-case scenario, where a breach could have been prevented and it was neither reported or corrected in a timely fashion, fines of $1.5 million can be levied against the CE or BA. In some instances, the negligent party may also be dealt a jail term.
HIPAA is a necessarily complex piece of legislation, and many within the healthcare industry consider it an annoyance or barrier to productivity. However, it is essential to protect patient privacy and thus compliance is essential. To help reinforce the importance of HIPAA compliance, the OCR has introduced a tiered penalties system for HIPAA violations, with fines reaching a staggering $1.5 million. These penalties can be easily avoided, notably through employee training schemes that raise the profile of HIPAA within an organisation and help foster a cautious mindset when dealing with patient data.
HIPAA Compliance Frequently Asked Questions
What is HIPAA compliance and why is it important?
HIPAA compliance refers to adhering to the requirements set forth by the Health Insurance Portability and Accountability Act, which aims to safeguard patient health information. It’s paramount for healthcare providers and related entities to be compliant not only to avoid legal repercussions and penalties but also to ensure trust with patients and maintain the integrity and confidentiality of their personal and medical information.
Who must be HIPAA compliant?
HIPAA compliance is mandatory for covered entities, which include health plans, health care clearinghouses, and health care providers that conduct electronic health transactions. Additionally, business associates, or companies that handle protected health information (PHI) on behalf of these covered entities, also need to be compliant, ensuring that patient information remains secure throughout the healthcare ecosystem.
How do I know if my organization needs to be HIPAA compliant?
If your organization provides treatment, payment, and operations in healthcare or is involved in any function that requires access to patient health data, it likely needs to be HIPAA compliant. This not only includes direct healthcare providers but also entities like billing companies, software providers, and cloud storage services that might handle PHI.
What is considered Protected Health Information (PHI) under HIPAA?
Protected Health Information, or PHI, refers to any information, either oral or recorded in any form, that relates to an individual’s past, present, or future physical or mental health, the provision of healthcare, or the past, present, or future payment for healthcare services. This includes names, addresses, birth dates, Social Security numbers, medical records, and more.
Are there different levels or tiers of HIPAA compliance?
HIPAA categorizes violations into four tiers, each with differing levels of knowledge and intent behind the breach. The severity of penalties and fines is based on these tiers. However, for compliance purposes, all covered entities and business associates must meet the same set of standards, regardless of size or function.
How often should HIPAA training be conducted for employees?
While HIPAA mandates training for new workforce members, it also requires periodic retraining or updates whenever there’s a material change in policies or procedures. Best practices recommend that organizations conduct HIPAA training annually to refresh employees’ knowledge and address any changes or updates in regulations.
Are electronic records held to the same standards as paper records under HIPAA?
Yes, electronic records, often referred to as electronic protected health information (ePHI), are held to the same confidentiality and security standards as paper records. In fact, the HIPAA Security Rule specifically addresses the protection of ePHI, dictating the safeguards necessary to ensure its confidentiality, integrity, and availability.
How does HIPAA address mobile devices and remote access?
HIPAA doesn’t have provisions specific to mobile devices, but these devices fall under the umbrella of safeguards required for ePHI. Covered entities and business associates must ensure mobile devices accessing or storing PHI have proper encryption and security measures in place, and organizations should have policies dictating the secure use of these devices.
What are the main components of a HIPAA compliance program?
A comprehensive HIPAA compliance program encompasses risk analysis and management, policies and procedures tailored to an organization’s practices, training programs for staff, an established communication channel for issues and breaches, regular audits, and continuous monitoring, and addressing any discovered vulnerabilities promptly.
How does the Security Rule differ from the Privacy Rule in HIPAA?
The HIPAA Security Rule specifically focuses on the safeguards, both technical and non-technical, that must be in place to protect electronic PHI, whereas the Privacy Rule addresses the broader issue of ensuring the confidentiality and proper handling of all PHI, regardless of its format. Together, they ensure comprehensive protection of patient health data.
Are there specific technical safeguards required for HIPAA compliance?
Yes, the HIPAA Security Rule outlines specific technical safeguards, including access controls to ensure only authorized individuals can access ePHI, audit controls to record and monitor access, integrity controls to ensure ePHI isn’t altered or destroyed without authorization, and transmission security measures to protect ePHI during electronic transmission.
How long must healthcare entities retain PHI to remain compliant?
HIPAA requires covered entities to retain PHI for a minimum of six years from the date of its creation or from the last effective date, whichever is later. However, state laws may have different retention periods, and covered entities must comply with whichever law is stricter.
Are Business Associates of healthcare entities also required to be HIPAA compliant?
Yes, Business Associates, or third-party vendors that create, receive, maintain, or transmit PHI on behalf of covered entities, are also required to be HIPAA compliant. They must ensure that they safeguard PHI in the same manner as the covered entities they serve, highlighting the interwoven responsibility in the healthcare system.
How does a healthcare entity demonstrate its HIPAA compliance?
Demonstrating HIPAA compliance often involves maintaining thorough documentation of all policies, procedures, and training efforts. This includes a record of risk assessments, proof of staff training, business associate agreements, and documentation of any breaches and subsequent response efforts. Regular internal and external audits can also help validate compliance efforts.
How often should organizations conduct HIPAA risk assessments?
While the HIPAA Security Rule mandates that risk assessments be conducted periodically, best practices recommend that organizations perform these assessments annually or whenever significant changes occur in their operations, such as adopting new technologies, undergoing mergers, or expanding services.
What is a Notice of Privacy Practices, and why is it crucial for HIPAA compliance?
A Notice of Privacy Practices (NPP) is a document that healthcare entities must provide to patients, detailing how their PHI is used and protected. This document is essential for HIPAA compliance because it ensures transparency with patients regarding their data rights and the organization’s practices. Regularly updating and distributing the NPP strengthens patient trust and promotes awareness of privacy rights.
Can patients request their own PHI, and how does this relate to compliance?
Absolutely. Under HIPAA’s Privacy Rule, patients have the right to access and request copies of their PHI. Covered entities are required to provide this information in a timely manner (typically within 30 days). Ensuring patient access to their records and making corrections as requested is crucial for maintaining HIPAA compliance and fostering transparency.
Are there special considerations for cloud storage and HIPAA compliance?
When using cloud storage for PHI, healthcare entities must ensure that the cloud provider is HIPAA compliant and willing to sign a Business Associate Agreement. The data stored in the cloud should be encrypted, both at rest and during transmission, and the entity should have robust access controls and audit capabilities to monitor data access.
How do breaches affect an entity’s HIPAA compliant status?
Breaches, especially when caused by neglect or non-compliance, can lead to severe penalties for the involved entity. The impact of a breach extends beyond financial penalties, with potential damage to reputation, loss of patient trust, and additional scrutiny from regulatory bodies. Responding promptly, notifying affected individuals, and taking corrective measures are vital steps after a breach to restore compliance.
What role do encryption and secure data transmission play in HIPAA compliance?
Encryption and secure data transmission are essential components of the HIPAA Security Rule. They ensure that ePHI remains confidential and is only accessible to authorized individuals. Whether data is stored on-premises, in the cloud, or transmitted electronically, robust encryption is a critical defense against breaches and unauthorized access.
How does HIPAA handle the topic of patient consent and authorizations?
HIPAA’s Privacy Rule requires healthcare providers to obtain patient consent for uses and disclosures of PHI for treatment, payment, and healthcare operations. For other disclosures, specific patient authorizations are required, ensuring that individuals have a say in how and when their health data is shared outside standard operations.
Can a healthcare entity text or email patients and remain compliant?
Healthcare entities can text or email patients while remaining compliant, but they must take precautions. Encryption should be used, especially when transmitting PHI. Furthermore, patients should be informed of the risks associated with electronic communications and should provide explicit consent to receive communications through these channels.
How do international data transfers work in the context of HIPAA compliance?
HIPAA doesn’t specifically address international data transfers. However, entities that store or transmit PHI internationally must ensure the same level of protection and security as if the data remained in the U.S. Additionally, any international business associates must also be HIPAA compliant, emphasizing the global reach of these regulations.
Are there any exceptions where PHI can be disclosed without violating HIPAA compliance?
Yes, there are specific situations, like public interest scenarios, where PHI can be disclosed without patient authorization. These scenarios include reporting disease outbreaks, aiding law enforcement in specific cases, and sharing information about victims of abuse or neglect. However, these disclosures must be minimal and directly relevant to the situation.
What tools and software are recommended for ensuring HIPAA compliance?
Various tools and software solutions are designed to aid in HIPAA compliance. These range from encryption tools, secure messaging platforms, compliance management systems, and electronic health record (EHR) systems with built-in compliance features. The selection of tools should be based on an organization’s specific needs and the results of their risk assessments.
How can an organization ensure their vendors and third-party associates are HIPAA compliant?
Organizations should conduct thorough due diligence when selecting vendors, asking for evidence of their HIPAA compliance. Regular audits, reviews, and ensuring a signed Business Associate Agreement is in place can also reinforce compliance expectations and establish clear responsibilities for both parties.
What are the implications of not being HIPAA compliant?
Non-compliance with HIPAA can result in hefty financial penalties, legal actions, and significant reputational damage. Beyond financial implications, organizations risk losing the trust of their patients and stakeholders, which can have long-term effects on business sustainability and success.