What is HIPAA Compliance?
PCIHIPAA offers a simple guide to bring you up to speed when asking “What is HIPAA compliance and what does my practice have to do to stay compliant?”
For medical practices, the most difficult part of following the various HIPAA laws and guidelines is that they’re fairly complex. At the same time, these guidelines are purposefully vague, written to encompass a broad span of practices and the various business associates they associate with. And to make matters worse, failing to comply with HIPAA laws can lead to significant fines and – in some cases – even hefty jail time.
A Simplified Overview for Medical Practices. Let’s begin.
The 5 W’s of HIPAA Compliance
HIPAA compliance in its simplest form involves the following:
Who: Healthcare practices, their patients, and the various vendors they do business with.
What: Patient information must be protected and only accessed with proper authorization.
Where: In healthcare offices and across their communication networks
Why: Patients data can be accessed by cybercriminals or those with malicious intent, causing harm to patients and healthcare providers (i.e. identity fraud, ransomware, etc.)
How: Practices must provide adequate training for their staff and implement security measures to protect patient data from ending up in the wrong hands.
Now that we have the basics out of the way, let’s dive a little deeper into the overview of what is HIPAA, HIPAA laws, and more.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act, which was enacted by Congress in 1999. HIPAA was designed to address technological changes and create a set of standards for sensitive patient data information.
As healthcare has evolved since then, HIPAA has been expanded with a variety of guidelines that incorporate best-practices that every medical practice should perform – especially as the Internet and digital health records have become the new standard. These medical records are known as PHI (Protected Health Information) and ePHI (Electronic Protected Health Information) – and keeping this sensitive information protected is the main purpose of HIPAA.
Since its enactment, there have been many addendums to HIPAA laws and guidelines. These include:
- HIPAA Privacy Rule – Expands access to patient data and patients rights
- HIPAA Security Rule – Outlines standards for the integrity and safety of PHI/ePHI that must be in place in any healthcare organization
- HIPAA Omnibus Rule – Mandates that business associates must be HIPAA compliant and outlines the rules surrounding Business Associate Agreements (BAAs).
- HIPAA Breach Notification Rule – A set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI.
These rules set forth policies and procedures healthcare providers must utilize in their offices to ensure PHI is protected. And as more rules are added to HIPAA laws, medical practices must be aware of what changes are necessary to stay compliant.
Who Enforces HIPAA?
HIPAA laws and compliance are regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Violations of the guidelines often require affected entities to take immediate action to rectify any data leaks of PHI, as well as provide adequate training and security measures in good faith to avoid violations. Even if your medical practice wasn’t responsible for a data breach or was the victim of a cyberattack, healthcare providers are still liable – or face penalties or completely shutting their doors until the matter is resolved.
What Does My Healthcare Practice Have to Do for HIPAA Compliance?
HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.
1) Self-Audits: HIPAA requires healthcare practices and their business associates to conduct annual audits of their organization to assess Administrative, Technical and Physical gaps in compliance with HIPAA Security and Privacy standards.
Enter your info to start your free consultation today!
2) Remediation Plans: Once healthcare practices and their business associates have identified their gaps in compliance through self-audits, they must implement remediation plans to reverse compliance violations. Remediation plans must be fully documented.
3) Policies, Procedures, Employee Training: Healthcare practices and their business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards. These policies and procedures must be regularly updated to account for changes to the organization with proper annual documented training for staff.
4) Documentation: Healthcare practices and their business associates must document ALL efforts they take to become HIPAA compliant.
5) Business Associate Management: Healthcare practices and their business associates must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements (BAAs) to safeguard PHI. BAAs must be executed before ANY PHI can be shared and must be reviewed annually to account for changes.
6) Incident Management: If a covered entity or business associate has a data breach, they must document the breach and notify patients that their data has been compromised.
Seven Elements of an Effective Compliance Program
Developed by the HHS Office of Inspector General (OIG), there are seven guidelines and best-practices to ensure compliance along HIPAA laws. These are called “The Seven Elements of an Effective Compliance Program” and are the absolute minimum requirements that your practice’s compliance program must address.
- Implementing written policies, procedures and standards of conduct.
- Designating a compliance officer and a compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
While these may seem vague and non-specific, the truth is that if a violation should occur, these seven guidelines comprise what a federal HIPAA auditor will compare your organization’s compliance program if you are part of a HIPAA investigation.
What Happens If My Practice Violates HIPAA Laws and Guidelines?
There are two different types of HIPAA violations: civil and criminal.
- Civil HIPAA violations: Given out if the individual that committed the violation did so without any malicious intent. This can include either neglect or lack of awareness that their actions were wrong.
- Criminal HIPAA violations: If individuals that committed the HIPAA violation were determined to be acting with malicious intent, the violation leads to larger financial penalties and significant time in jail.
|Civil HIPAA Violation||Penalty|
|The individual was not aware that they were committing a HIPAA violation||$100 per violation|
|The individual had reasonable cause for their actions and did not act with willful neglect||A minimum of $1,000 per violation|
|The individual was acting with willful neglect, but then fixed the issue||A minimum of $10,000 per violation|
|The individual was acting with willful neglect and did not fix the issue||A minimum of $50,000 per violation|
|Criminal HIPAA Violation||Penalty|
|The individual knowingly obtains and discloses PHI||
|The individual commits violations under false pretenses||
|The individual commits the violation for personal gain (i.e uses PHI to harm the patient or for personal gain)||
What Information is Protected Under HIPAA Law?
HIPAA laws protect all PHI that is transmitted or held by a healthcare practice or business associate. According to the HHS OCR, there are 18 identifiers that make health information personally identifiable and therefore protected under HIPAA law:
- Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
- Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Website URLs
- IP addresses
- Biometric identifiers, including fingerprints, voice prints, iris and retina scans
- Full-face photos and other photos that could allow a patient to be identified
- Any other unique identifying numbers, characteristics, or codes
Bear in mind that HIPAA permits PHI/ePHI to be used for healthcare operations, treatment purposes, and in connection with payment for healthcare services. Healthcare practices that do business or transmit information with 3rd parties (known as Business Associates) must obtain a Business Associate Agreement (BAA). Furthermore, this information can only be disclosed in accordance with the Minimum Necessary Requirement – which means that only the minimum amount of information needed should be used to transmit patient data between practices and vendors.
However, PHI can be used by medical practices for a number of reasons:
- For marketing purposes
- Provided to research organizations
- Sold by a healthcare organization
In order to do so, there are two options that must be taken:
- A written HIPAA authorization must be obtained from a patient. This authorization must specifically state the purpose for the usage of the PHI/ePHI that would not otherwise be permitted under HIPAA.
- The PHI/ePHI must be stripped of all identifying information that can be traced back to a patient.
How PCIHIPAA Helps Your Practice with HIPAA Compliance
If you’ve made it this far, congratulations! You now have a basic understanding of what HIPAA compliance is, what information needs to be protected, how to protect it, and more. Nevertheless, it still is a complex undertaking for many medical practices.
That’s why 1,000’s of medical practices trust PCIHIPAA to simplify HIPAA compliance and exceed all of the minimum requirements set forth by HHS OCR. By using PCIHIPAA’s intuitive platform OfficeSafe, your healthcare practice will:
- Protect its PHI/ePHI from cybercriminals and unauthorized access
- Monitor potential vulnerabilities in networks
- Train staff through easy-to-understand HIPAA compliance modules
- Create policies and procedures in accordance with HIPAA guidelines
- Data backup
- Email encryption
- Risk Assessments
- And more
Learn more about PCIHIPAA and take the first step towards HIPAA Compliance today!