What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act of 1996 was first created to safeguard a patient’s private health information (termed Protected Health Information, PHI). It lays out industry-wide mandates regarding the distribution of a patient’s data, stipulating that whenever data is shared, the minimum amount of information must be transferred.

Healthcare professionals and business associates alike usually receive extensive training in HIPAA compliance. This is, in part, due to the vague wording of HIPAA. The intention of this was to ensure that HIPAA protected PHI under a variety of situations, covered entities (CEs) and business associates.

Covered Entities and Business Associates

Covered entities include healthcare providers, health plan or related that creates, maintains or transmits PHI. Generally, employers are not CEs, though they do often have records of an employee’s health information. However, if they provide benefits such as the Employee Assistance Program (EAP), they are considered “hybrid entities” and thus must be HIPAA-compliant.

In the case of hospitals, the hospital itself is the CE, and its employed healthcare providers are covered by the hospital. Thus, the hospital is charged with implementing and enforcing HIPAA.

If a third party provides a service to a CE that involves access to the PHI held by that CE they are then considered “business associates”. These may include IT contractors, lawyers, accountants etc. For full HIPAA compliance, the associate must sign a Business Associate Agreement with the CE that stipulates how and when the PHI will be accessed, used and processed after use. So long as the associate has possession of the PHI, it must be HIPAA-compliant.

HIPAA Requirements

The primary condition for HIPAA compliancy is that the CE or business associate instills the maximal technical, physical and administrative safeguards to protect PHI. This is stipulated in the HIPAA Privacy Rule. If the parties fail to maintain the integrity of the PHI, they must comply to the HIPAA Breach Notification Rule.

HIPAA Rules

HIPAA Privacy Rule: The Privacy Rule dictates how and when PHI can be disclosed. Originally, it took force in 2003 and applies to all healthcare organisations, clearing houses and those that provide health plans. Since 2013, it has been extended to include business associates.

The rule sets limits regarding the use and disclosure of patient information when no prior authorization has been given by the patient. Under this rule, patients and their representatives have the right to obtain a copy of their health records and request changes if necessary. CEs must respond to patient requests within 30 days. A Notice of Privacy Practices (NPPs) must also be given to a patient if their data is to be used.

HIPAA Security Rule: The Security Rule stipulates the standards to safeguard ePHI. Anybody that can read, write, edit or transfer the ePHI or personal identifiers must follow these standards. The primary technical safeguard encryption to NIST standards once the data goes outside the company’s firewall. However, other appropriate measures include the introduction of audit controls for anyone who accesses the data and automatic logoff from a system.

Physical safeguards may relate to how workstations are set up (e.g. screens cannot be seen from a public area) or maintaining a thorough inventory of hardware. Administrative safeguards unite the Privacy Rule and the Security Rule. It requires a Security Officer and Privacy Officer to oversee procedures and conduct regular risk assessments. These assessments aim to identify any ways in which HIPAA-compliance could be breached and build a risk management policy off the back of this.

Breach Notification Rule: If the integrity of the PHI has been breached, the CEs must notify the patients and the Department of Health and Human Services. This must be within 60 days of the discovery of the breach. The media must also be informed if more than 500 patients are affected. If there are fewer patients affected, a report on the OCR website is published.

Omnibus Rule: A later addition, the Omnibus Rule addresses areas that were previously omitted in HIPAA legislation. It tiered civil penalties as per the Health Information Technology for Economic and Clinical Health (HITECH) Act, changed the harm threshold and banned the use of ePHI for marketing, amongst other things.

The charges of business associates were also amended by the Omnibus Rule. Business associates must now update their Associate Agreements, change privacy policies to be HIPAA-compliant and train staff in privacy protocol.

Enforcement Rule: Should a breach of PHI occur, the Enforcement Rule lays out how any subsequent investigations into the breach will be conducted. Fines are then levied based on the level of negligence. For example, if it is determined that HIPAA was violated due to ignorance, a fine of up to $50,000 can still be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 may be charged. Victims may also file civil lawsuits.