HIPAA is a complex law. It can often become a challenge knowing where to begin as it does not provide a clear standard for compliance. In 2018 breaching HIPAA laws cost ten companies twenty-eight million dollars, to avoid getting fined it is important to comply. This blog will guide you and help you stay compliant with HIPAA law.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for safeguarding sensitive patients’ protected health information (PHI). HIPAA compliance looks different for different organizations and is based upon the resources available to safeguard PHI. HIPAA laws set the standard for how the protected health information of patients is to be secured. Businesses that handle protected health information (PHI) must have in place administrative, technical, and physical measures in place to be compliant with HIPAA laws.
HIPAA laws apply to two types of business entities: covered entities and business associates. Other related business associates such as subcontractors also have to be compliant with HIPAA laws and policy.
Protected Health Information (PHI) in HIPAA Compliance
In HIPAA compliance, protected health information (PHI) is what the law protects. Protected health information (PHI) refers to any individually identifiable health information that is electronically transmitted and maintained, this is known as electronically protected health information (ePHI). It also includes individually identifiable health information that is transmitted or maintained through any other medium. Individually identifiable health information is any information that can be used as an identifier for the client or patient of an entity that is obligated to HIPAA law. Protected health information (PHI) includes medical records, name, address, telephone number, facial photos, social security numbers, and the list goes on.
Covered Entities in HIPAA Compliance
Under HIPAA law, a covered entity is an organization or individual in a healthcare field that has access to protected health information. These are healthcare providers, health care insurance providers, health care clearing houses that create, collect or transmit protected health information.
The hospital employer is for the most part it not considered a covered entity. This is because the hospital is the covered entity with the responsibility to implement and enforce HIPAA compliance.
Employers that collect and maintain their employees’ health care information are also generally not considered covered entities. However, if the employer provides certain benefits such as the Employee Assistance Program or self-insured health cover then they are considered to be a hybrid entity and still required to be HIPAA compliant.
What is a Business Associate in HIPAA Compliance?
Similar to covered entities, under HIPAA laws business associates are individuals and organizations that are also responsible for following HIPAA laws because they work in a non-healthcare capacity with a covered entity and have access to protected health information. This includes accountants, lawyers, billing companies, physical or cloud storage providers, and much more. Based on the wide scope of these service providers they may process, handle or transmit protected health information in the process of carrying out their task.
HIPAA Rules
HIPAA Privacy Rule
HIPAA privacy rule is one of the key rules and foundations of HIPAA laws. It explains how and when organizations and individuals that handle protected information can use that information. It sets a standard for the patient’s right to protected health information. Some of these standards include the right of the patient to access their protected health information, the right of health care providers to deny access to protected health information, and the use of disclosure forms. These regulatory standards must be documented and training may be needed. It is important to note that this rule applies only to covered entities and not business associates.
HIPAA Security Rule
This sets the standard for maintaining, transmitting and handling electronically protected health information in a secure way. This applies to both business associates and covered entities. It also sets the standard for the physical, technical, and administrative safeguards that health care organizations must have in place to ensure the integrity and safety of electronically protected health information. These standards must be included in your HIPAA policies and procedures. It is also important for the staff to receive annual training on the company’s policies and procedures and this should be documented.
To be compliant with the security rule, you must have administrative, physical, and technical safeguards in place.
HIPAA compliance with physical safeguard
To be HIPAA compliant your physical safeguard should focus on physical access to protected health information regardless of where it is located. To be compliant you need to have limited access and control to protected health information with access authorization. There must be policies put in place to monitor access, use, reuse, transfer, and deleting of electronically protected health information (ePHI). ePHI could be stored on servers or in the cloud within the premises of the HIPAA compliant entity. The aim is to secure PHI against unauthorized access.
HIPAA compliance with technical safeguard
Technical safeguards are the technology that is used to allow only those authorized to access electronically protected health data. To archive this a unique user identification can be used. You can also have a system of automatic log-off, encryption, and decryption. It is also important to have an access procedure. In the case of an emergency. The only requirement for the HIPAA law is that electronically protected health information must be encrypted once it goes beyond the internal firewall service of the organization. This makes the data unreadable and unusable should any breach occur.
It is also important to keep a record of hardware and software activities so you can trace the source or cause of a security breach
HIPAA compliance with administrative safeguard
The administrative safeguards marry the security rule and the privacy rule in HIPAA compliance. This requires both the security officer and privacy officer to implement measures to protect the electronic health information and also control or influence the conduct of the workforce. Some measures they can implement include risk assessment, risk management policy, training, and reporting. There are some required administrative safeguard measures such as risk assessment, risk management policy, developing a contingency plan in the event of an emergency, and restricting third-party access.
HIPAA breach notification rule
This rule sets the standard that organizations must follow in the event of a breach of data containing PHI or ePHI. The breach notification rule distinguishes between two kinds of breaches: minor breaches and meaningful breaches. Covered entities are required to report all breaches including the minor breaches but the protocol for reporting changes depending on the type.
The rule requires that in the event of a breach of protected health information, covered entities have to promptly notify the patients and also the Department of Health and Human Services. If the breach affects more than five hundred patients the covered entity has to also notify the media. This must be done within 60 days.
If the breach affects less than five hundred patients in a single event then it can be reported in a single batch to the Department of Health and Human Serviced once a year per breach notification rule.
HIPAA omnibus rule
This rule makes it compulsory for business associates and their subcontractors to be compliant with HIPAA laws. It also outlines the rules surrounding the Business Associate Agreement.
The Business Associate Agreement is an agreement between two business associates or between a covered entity and a business associate. This agreement must be signed between both parties before protected health information or electronically protected health information can be shared.
HIPAA enforcement rule
This rule focuses on how the violation of HIPAA laws should be handled and investigated. Violations of HIPAA laws are to be reported to the Office for Civil Rights (OCR) for investigation. If after the investigation the Office for Civil Rights finds it to be a negligent violation, the cause of the breach must be fixed and the affected individuals dealt with to the satisfaction of the OCR.
If the Office for Civil Rights does not find the violator’s response to the affected individuals satisfactory or if the breach is appalling the OCR can fine the violators.
How to Become HIPAA Compliant
The first thing to do is to map the data your company collects and note where there is a HIPAA file on your premises.
- Trace and monitor who can access these data and as much as possible reduce the number of people with access.
- Create a system that notifies you when HIPAA data is accessed. This system should be able to distinguish and identify a potential breach of HIPAA from normal behavior.
- Have two-factor authentication, unique identification, session timeouts, and other strong necessary measures to protect the perimeter. Also, monitor these activities to be aware of potential breaches.
- Implement security risk assessments and implement remediation plans to cover the discovered gaps.
- Have regular employee training so employees are aware of these policies and procedures.
- Documentation is key for any compliance to work. Record all effort and steps taken to be HIPAA compliant. This is important for investigation. Also, document all breaches and notify patients and the necessary authority.
- Document all vendors with whom PHI is shared in any form and have a Business Associate Agreement in place. Review the agreement annually.
In conclusion, HIPAA law if not carefully complied with can cost the business fines upon fines. It is therefore important to have a solid HIPAA compliance system and to promptly notify the relevant body should any breach occur. If you already have a good and effective data security policy you are well on your way to complying with HIPAA laws and policies.
