What is HIPAA Compliance?

HIPAA is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). Often misspelled as HIPPA, HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted by the U.S. Congress in 1996, HIPAA was designed to address technological changes and problems with standards for sensitive patient data protection. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating HIPAA violations.

Through a series of interlocking regulatory rules, policies and procedures, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.

What is Protected Health Information?

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.

PHI that is transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information (ePHI). ePHI is regulated by the HIPAA Security Rule, which establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form, including, but not limited to, emails, removable storage drives and cloud backups. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure ePHI.

HIPAA regulation identifies two types of organizations that must be HIPAA compliant.

  • Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
  • Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI.

Common examples of business associates include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.

Common exceptions to business associate status include: other covered entities, a laboratory acting as a condition for the treatment of an individual, governmental activities, payment processors or banks, janitors, electricians, landlords, conduits and more.

What is HIPAA Regulation?

HIPAA regulation is made up of a number of different HIPAA Rules which were all passed since HIPAA was first enacted in 1996.

HIPAA compliance is mainly regulated by the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule. These rules set forth the policies and procedures healthcare providers must utilize in their offices to ensure PHI is protected.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for patients’ rights to PHI and ePHI. In force since 2003, the Privacy Rule applies to all healthcare organizations, providers of health plans (including employers), healthcare clearinghouses and, since 2013, the Business Associates of covered entities.

The Privacy Rule stresses the importance of PHI/ePHI safeguards such as:

  • Patients’ right to access PHI/ePHI
    • Right to obtain a copy of their health records
    • Right to examine their health records
    • Right to request corrections if necessary
  • Use and Disclosure of PHI/ePHI with Patient Authorization
  • Healthcare Providers’ right to deny access to PHI
  • Use and disclosure of PHI/ePHI without Patient Authorization
  • Content of Use and Disclosure Forms
  • Content of Notices of Privacy Practices
  • Covered Entities are required to respond to patient access requests within three days
  • Notices of Privacy Practices (NPPs) must be issued

Covered entities are also advised to:

  • Provide training to employees to ensure they are cognizant of what information may – and may not – be shared.
  • Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
  • Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research.

Covered entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and the option of providing an electronic copy to a patient when it is requested.

The full content of the HIPAA Privacy Rules can be found on the Department of Health & Human Services website.

HIPAA Security Rule

The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of PHI and ePHI by covered entities and business associates. The Security Rule outlines standards for the integrity and safety of PHI and ePHI that must be in place in any healthcare organization, including physical, administrative, and technical safeguards. The specifics of the regulations must be documented in the organization’s HIPAA Policies and Procedures, and staff must be trained on these Policies and Procedures annually, with the training documented.

Technical Safeguards

Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, indecipherable and unusable. Thereafter, organizations are free to select whichever mechanisms are most appropriate to:

    • Implement a means of access control – Assigning a centrally-controlled unique username and PIN code for each user and establishing procedures to govern the release or disclosure of ePHI during an emergency.
    • Introduce a mechanism to authenticate ePHI – Confirms whether ePHI has been altered or destroyed in an unauthorized manner.
    • Implement tools for encryption and decryption – Authorized users must have the functionality to encrypt messages when they are sent beyond an internal firewalled server and decrypt those messages when they are received.
    • Introduce activity audit controls – Register attempted access to ePHI and record what is done with that data once it has been accessed.
    • Facilitate automatic logoff – Logs authorized personnel off of the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access of ePHI should the device be left unattended.
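The following is an added illustration, not code from the original page or from any vendor, of how the technical safeguards listed above look in a minimal ePHI access layer: a unique user identifier per session, a break-glass emergency path, an HMAC integrity tag that flags altered records, an audit log of every access attempt, and automatic logoff after an idle period. The key, the 15-minute idle period, the role-to-field mapping and the sample record are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo values (assumptions, not from the page): a real deployment
# keeps the integrity key in a KMS/HSM and sets the idle period by policy.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
IDLE_TIMEOUT_SECONDS = 15 * 60

# Minimum-necessary access: each role may only see the fields its job needs.
ROLE_FIELDS = {
    "clinician": {"patient_id", "diagnosis", "medications"},
    "billing": {"patient_id", "insurance_id"},
}

# Constructed sample ePHI record (not real patient data).
SAMPLE_RECORDS = [
    {"patient_id": "P-001", "diagnosis": "sample-dx", "medications": "sample-rx",
     "insurance_id": "INS-00001"},
]


@dataclass
class Session:
    user_id: str             # centrally assigned unique identifier per user
    role: str
    last_activity: float     # seconds; drives the automatic-logoff check
    emergency: bool = False  # break-glass access under the emergency procedure


@dataclass
class AuditLog:
    """Activity audit control: every attempt to touch ePHI is recorded."""
    entries: list = field(default_factory=list)

    def record(self, user_id, action, patient_id, outcome, now):
        self.entries.append({"time": now, "user": user_id, "action": action,
                             "patient": patient_id, "outcome": outcome})


def seal_record(record: dict) -> dict:
    """Integrity mechanism: attach an HMAC-SHA256 tag over the canonical record."""
    canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
    tag = hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return {**record, "_tag": tag}


def verify_record(sealed: dict) -> bool:
    """Return True only if the record has not been altered since it was sealed."""
    body = {k: v for k, v in sealed.items() if k != "_tag"}
    return hmac.compare_digest(seal_record(body)["_tag"], sealed.get("_tag", ""))


class EphiStore:
    def __init__(self, records, log: AuditLog):
        self._records = {r["patient_id"]: seal_record(r) for r in records}
        self.log = log
        self.sessions = {}

    def login(self, user_id, role, now, emergency=False):
        self.sessions[user_id] = Session(user_id, role, now, emergency)
        self.log.record(user_id, "login", None, "ok:emergency" if emergency else "ok", now)

    def read(self, user_id, patient_id, now):
        """Return the role-filtered view of a record, or None (with the reason logged)."""
        session = self.sessions.get(user_id)
        if session is None:
            self.log.record(user_id, "read", patient_id, "denied:no-session", now)
            return None
        # Automatic logoff: an idle session is terminated before any data is served.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self.log.record(user_id, "auto-logoff", None, "idle-timeout", now)
            self.log.record(user_id, "read", patient_id, "denied:logged-off", now)
            return None
        session.last_activity = now
        sealed = self._records.get(patient_id)
        if sealed is None:
            self.log.record(user_id, "read", patient_id, "denied:not-found", now)
            return None
        if not verify_record(sealed):
            self.log.record(user_id, "read", patient_id, "denied:integrity-failure", now)
            return None
        # Emergency (break-glass) sessions see the whole record, but are logged as such.
        allowed = set(sealed) - {"_tag"} if session.emergency else ROLE_FIELDS.get(session.role, set())
        view = {k: v for k, v in sealed.items() if k in allowed}
        self.log.record(user_id, "read", patient_id, "ok:emergency" if session.emergency else "ok", now)
        return view
```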

Physical Safeguards

The Physical Safeguards focus on physical access to ePHI irrespective of its location. Since ePHI can be stored in the cloud, on on-site servers, or in remote data centers, HIPAA compliance requires safeguards against unauthorized access on workstations and mobile devices:

    • Facility access controls must be implemented – Procedures to record any person who has physical access to the location where ePHI is stored. The procedures must include safeguards to prevent unauthorized physical access, tampering and theft. This includes software engineers, cleaners and even a handyman.
    • Policies relating to workstation use – Devise and implement policies to restrict the use of workstations that have access to ePHI, such as specifying the protective surroundings of a workstation and governing how functions are to be performed on it.
    • Policies and procedures for mobile devices – Devise and implement policies on mobile devices in the location to govern how ePHI is removed from the device before it is re-used.
    • Inventory of hardware – An inventory of all hardware must be maintained, together with a record of the movements of each item. Before any equipment is moved a retrievable exact copy of ePHI must be made.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They require assigning a Security Officer and a Privacy Officer to enact the measures and elements of a HIPAA compliance checklist while also governing the conduct of the workforce.

The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits: not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.

The administrative safeguards include:

  • Developing a contingency plan – A contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
  • Testing of contingency plan – Periodically testing the contingency plan to assess the relative criticality of specific applications. There must be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
  • Restricting third-party access – It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
  • Reporting security incidents – The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. Nonetheless, all employees should be aware of how and when to report an incident in order that action can be taken to prevent a breach whenever possible.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is an addendum to HIPAA regulation which amended definitions, clarified procedures and policies and expanded the HIPAA compliance checklist to cover Business Associates and their subcontractors. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant and outlines the rules surrounding Business Associate Agreements (BAAs).

Any individual or organization that creates, receives, maintains or transmits Protected Health Information in the course of performing functions on behalf of a covered entity is a Business Associate. Business Associates include, but are not limited to: contractors, consultants, data storage companies, health information organizations and any subcontractors.

Business Associate Agreements are contracts that must be executed between a covered entity and business associate or two business associates before ANY PHI or ePHI can be transferred or shared. The details regarding BAAs are outlined in more depth in the sections below.

The Omnibus Rule amends HIPAA regulations in five key areas:

  1. Introduction of the final amendments as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  2. Incorporation of the increased, tiered civil money penalty structure as required by HITECH.
  3. Introduction of changes to the harm threshold and inclusion of the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act.
  4. Modification of HIPAA to include the provisions made by the Genetic Information Nondiscrimination Act (GINA) to prohibit the disclosure of genetic information for underwriting purposes.
  5. Prohibition of the use of ePHI and personal identifiers for marketing purposes.

The definition of Business Associate was changed, as was the definition of what material is classified as Protected Health Information (PHI). The term ‘workforce’ was amended to include employees, volunteers and trainees.

Covered entities must now:

  • Update Business Associate Agreements – Business Associate Agreements must be updated to take the Omnibus Rule into account. Specifically, Business Associates are bound by the same Security Rule and Privacy Rule regulations as covered entities, and must implement appropriate technical, physical and administrative safeguards to protect ePHI and personal identifiers.
  • Issue new Business Associate Agreements – Before a Business Associate provides services, a new HIPAA-compliant agreement must be signed.
  • Update privacy policies – Privacy policies must include the Omnibus Rule definition changes. Specifically, the amendments relating to deceased persons, patient access rights to their ePHI and response to access requests. Policies should also reflect the new limitations of disclosures to Medicare and insurers, the disclosure of ePHI and school immunizations, the sale of ePHI and its use for marketing, fundraising and research.
  • Update Notices of Privacy Practices – NPPs must cover the types of information that require an authorization, the right to opt out of correspondence for fundraising purposes and must factor in the new breach notification requirements.
  • Train staff – Staff must be trained on the Omnibus Rule amendments and definition changes. All training must be documented.

HIPAA Breach Notification Rule

In the event of a data breach involving PHI or ePHI, the HIPAA Breach Notification Rule is the set of standards that covered entities and business associates must follow. The rule differentiates between two kinds of breaches depending on their scope and size, called Minor Breaches and Meaningful Breaches. Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific protocols for reporting change depending on the type of breach. The specifics of the HIPAA Breach Notification Rule are outlined below.

What is Required for HIPAA Compliance?

While electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. As healthcare providers and other entities dealing with PHI move to computerized operations, HIPAA compliance is more important than ever. HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.

1 - Self-Audits

The HIPAA Security Officer’s main task is the compilation of a risk assessment to identify where ePHI is being used and to determine all of the ways breaches of ePHI could occur. HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant. It is only one essential audit that HIPAA-beholden entities are required to perform to maintain their compliance year-over-year.

Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

2 - Remediation Plans

Once covered entities and business associates have identified their gaps in compliance through self-audits, they must implement remediation plans to reverse compliance violations. Remediation plans must be fully documented and include calendar dates by which gaps will be remedied. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.

3 - Policies, Procedures, Employee Training

Based on HIPAA Rules, covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards. These policies and procedures must be regularly updated to account for changes to the organization with proper annual documented training for staff. Some topics of interest include: raising awareness of policies, and procedures governing access to ePHI and how to identify malicious software attacks and malware.


4 - Documentation

Covered Entities and business associates must document ALL efforts they take to become HIPAA compliant. To pass strict HIPAA audits, this documentation is critical during a HIPAA investigation with HHS OCR.

5 - Business Associate Management

Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.


6 - Incident Management

If a covered entity or business associate has a data breach, they must document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.

What’s the Worst That Can Happen?

A HIPAA violation is any breach in an organization’s compliance program that compromises the integrity of PHI or ePHI.

Besides dealing with the theft and loss of data, your office must self-report to HHS and may face fines depending on the severity of the violation. In addition, HIPAA requires that you notify your patients of the violation and may require you to contact local news networks as well.

What is a HIPAA violation?


A HIPAA violation differs from a data breach. Not all data breaches are HIPAA violations. A data breach becomes a HIPAA violation when the breach is the result of an ineffective, incomplete or outdated HIPAA compliance program or a direct violation of an organization’s HIPAA policies.

Here’s an example of the distinction:

A DATA BREACH occurs when an unencrypted company laptop with access to medical records is stolen from one of your employees.

A HIPAA VIOLATION occurs when the company whose laptop has been stolen doesn’t have a policy in place barring laptops from being taken offsite or requiring that they be encrypted.

In the event of a data breach, there are specific protocols that must be followed according to HIPAA regulation. The HIPAA Breach Notification Rule differentiates between two different kinds of data breaches and outlines how covered entities and business associates must respond in the event of a breach.

A Minor Breach affects fewer than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires HIPAA-beholden entities to gather data on all minor breaches that occur over the course of the year and report them to HHS OCR within 60 days of the end of the calendar year in which they occurred. Affected individuals must be notified that their data was involved in a Minor Breach within 60 days of the discovery of the breach.

A Meaningful Breach affects more than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires that Meaningful Breaches be reported to HHS OCR within 60 days of the discovery of the breach. Any affected individuals must be notified upon discovery of the breach. Local law enforcement agencies and local media agencies should be contacted in order to alert potentially affected individuals within the necessary jurisdiction.

All Meaningful Breaches that are reported to the HHS are posted on the Breach Notification Portal, or “Wall of Shame.” The HHS Wall of Shame is a permanent archive of all HIPAA violations caused by Meaningful Breaches that have occurred in the US since 2009. This searchable database is a consequence of a HIPAA violation that can permanently damage the reputation of health care organizations that experience a HIPAA violation.

In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. A $475,000 fine was levied against Presence Health for failure to properly follow the HIPAA Breach Notification Rule.

Fines range between $100-$50,000 per incident depending on the level of perceived negligence and are based on a sliding scale. If an organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical. With well over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before.

Common HIPAA violations

Some common causes of HIPAA violations are listed here:

  • Sending PHI to the wrong patient/contact
  • Social media posts
  • Stolen phone
  • Stolen laptop
  • Stolen USB device
  • Malware incident
  • Business associate breach
  • EHR breach
  • Office break-in
  • Ransomware attack
  • Hacking
  • Discussing PHI outside of the office

HIPAA Violations Categories

  • Access controls
  • Notice of Privacy Practices
  • Use and disclosure
  • Improper security safeguards
  • The Minimum Necessary Rule

Access controls limit the number of staff members at an organization that have access to PHI. Based on the roles and responsibilities of the employee in question, PHI access should be limited. Broad access controls lead to unnecessary risk. A health care organization that experiences a data breach due to improper HIPAA access controls can receive major fines for negligence.

Having a Notice of Privacy Practices is a mandatory standard of the HIPAA Privacy Rule. Covered entities must allow patients to review and agree to their organizational Notice of Privacy Practices before beginning treatment. HIPAA regulation mandates that covered entities must have their Notice of Privacy Practices posted in plain sight for patients to review, in addition to paper copies. Common HIPAA violations can result from a covered entity’s failure to properly disclose their Privacy Practices, or a breach thereof. Under the HIPAA Privacy Rule, patients have certain rights to the access, privacy and integrity of their health care data and PHI.

A Use and Disclosure violation occurs when a covered entity or business associate improperly distributes PHI or ePHI to an incorrect party. In May of 2017, Mount Sinai-St. Luke’s Hospital in New York City was fined $387,000. An HIV clinic within the hospital system sent a patient’s HIV status and medical records to their employer without receiving proper authorization. OCR investigated the incident and found that the improper use and disclosure of PHI warranted a HIPAA settlement and related fine.

Improper HIPAA safeguards can result in a HIPAA violation when the standards of the HIPAA Security Rule are not properly followed. HIPAA-beholden entities must have proper Physical, Administrative and Technical safeguards in place to keep PHI and ePHI secure.

Medical data is worth three times as much as financial data on the black market. Unsurprisingly, there has been an increase in attacks against health care organizations. HIPAA security safeguards can defend health care organizations against ransomware and prevent common HIPAA violations.

The Minimum Necessary Rule is a common cause of HIPAA violations. Essentially, employees of covered entities may only access, use, transmit or handle the minimum amount of PHI necessary to complete a given task. A violation of HIPAA’s Privacy Rule and the associated fines can arise if a large portion of a patient’s medical record is exposed in a data breach.

Seven Elements of an Effective Compliance Program

The Seven Elements of an Effective Compliance Program (PDF) are the absolute minimum requirements that an effective compliance program must address. Developed by the HHS Office of Inspector General (OIG), these elements give guidance for organizations to vet compliance solutions or create their own compliance programs.

The Seven Elements of an Effective Compliance Program are as follows:

  1. Implementing written policies, procedures and standards of conduct.
  2. Designating a compliance officer and a compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

The Seven Elements of an Effective Compliance Program are what a federal HIPAA auditor will compare your organization’s compliance program against over the course of a HIPAA investigation in response to a HIPAA violation.

How PCIHIPAA Protects You and Assists with HIPAA Compliance

$500,000 GUARANTEE + IDENTITY THEFT RESTORATION

Unlike other data protection services, we not only take the guesswork out of HIPAA compliance, we also guard your practice’s assets. With our $500,000 Data Breach, Privacy, and Network Security Insurance Program, you can have complete confidence that your practice will continue to thrive even if a violation or data breach occurs. A data breach or ransomware attack can cripple a practice; our program protects your practice from fines, breaches, cyber-attacks, business interruption and more. And if your (or your family’s) personal identity gets stolen, we’ll assign a specialist to help you get it restored.

HIPAA COMPLIANCE PORTAL CUSTOM POLICY AND PROCEDURES

PCIHIPAA offers optimal HIPAA Security Risk Analysis and assessment tools. Our software service solutions enable your business and associates to become compliant with HIPAA, immediately eliminating any risk for violation.

Our software is formulated according to HIPAA protocol to provide a clear picture of your level of compliance. It eliminates any confusion and possibility for error.

Tailored to your business’ needs & budget, our HIPAA compliance software solution provides you with an ongoing & reliable compliance solution.

HIPAA RISK ASSESSMENT

There are several key steps PCIHIPAA goes through to assess risk. Our specialists are trained in HIPAA legal protocol & have developed a process to assess risk. We take every precaution necessary to ensure that your business is in complete compliance with all HIPAA guidelines.

First we identify all potential risks. We examine your unique business structure and its risks for HIPAA violation. Next, we examine potential vulnerabilities. For example, an older practice may rely on paper documents. Are these files in a secure location or are they easily accessible? How are documents with sensitive information disposed of?

We also determine the level of risk certain conditions create and the cost of altering or remedying those conditions. Switching an entire office to an electronic file management system to avoid compromised security, may not be necessary or worth the cost. Once impact and risk are determined, we consult with our client on how to best manage their communications & information sharing methods to protect both the patient & their practice.

HIPAA RISK SCORE

Based on your business’ communications & information sharing methods, our specialists calculate a HIPAA Risk Score. The score is based on how well your business is protecting the privacy and sensitive medical information of your patients. A poor score suggests major changes must be made in order to ensure the welfare of your patients & practice. A strong score is indicative of a practice that may need some minor changes but is already fairly compliant with HIPAA. Failure to assess your business against current HIPAA protocol is “willfully neglectful” and may incur violations and fines. We work with your business to ensure you are completely up to date with HIPAA regulations.

HIPAA DATA BACKUP

Does your business receive, store, process, or transmit ePHI (electronic protected health information)? If so, meeting the HIPAA data backup and recovery requirements is key. PCIHIPAA implements solutions for your business to satisfy the Contingency Plan Standard specifications for Data Backup and Disaster Recovery.

Ensuring your business is up to date with the Contingency Plan Standard doesn’t only assist with keeping you in compliance with HIPAA. It also backs up essential information that could otherwise become lost or misplaced in case of a severe system error. Safeguarding electronic protected health information (ePHI) is made easy with our Data Backup Solution.

HIPAA EMAIL ENCRYPTION

Our industry standard HIPAA Email Encryption encrypts all connections to your computers and mobile devices. These connections are otherwise vulnerable to hacking, a prime way for sensitive health and financial information to become compromised. We encrypt webmail interfaces so you and your employees can securely access documents using any web browser. That means any sensitive information you send or receive will be 100% secure.
