No one should compromise on health and safety, and this is what HIPAA ensures.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to provide patients with better access to their health information and to regulate its protection. Over the years, HIPAA has evolved to create data breach notification requirements and determine the entities it applies to.
If you work in healthcare, people often talk about HIPAA, but what is it, and how can you meet its requirements?
What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act (HIPAA) describes the proper use and disclosure of protected health information (PHI), how it should be secured, and what to do in the event of a breach. The Department of Health and Human Services (HHS) regulates HIPAA, while the Office for Civil Rights (OCR) enforces compliance.
When a complaint of non-compliance is filed against a healthcare organization, the OCR investigates the organization to determine whether the claims are true. If the organization is found to have violated HIPAA, fines and corrective actions may be imposed.
The three rules of the Health Insurance Portability and Accountability Act
The HIPAA regulation consists of three main rules. The HIPAA Privacy, Security, and Breach Notification Rules provide guidelines for healthcare organizations to share information, protect sensitive patient information, and respond to and report a breach.
HIPAA Privacy Rule
HIPAA Privacy Rule primarily focuses on using and disclosing protected health information. The use and disclosure of PHI are only permitted for specific reasons, such as treatment, payment, and healthcare. Any other use or disclosure requires prior written consent from the patient.
The HIPAA minimum standard also requires that access to PHI be restricted. Access to PHI should only be granted to employees who need it for their job. This access should also be limited to the information necessary to perform their job functions.
For example, an administrative assistant might need access to some patient information to schedule an appointment. This employee would likely need to know the patient's name, contact, insurance information, and in some cases, basic procedural information to determine the appointment's duration. They won’t need access to the full patient file.
Your Notice of Privacy Practices (NPP) must clearly outline how your organization uses and discloses patient information. It also should discuss patients' rights concerning their information. Patients should be provided with an NPP for review upon intake.
Patients' rights (HIPAA right of access) are also addressed in detail in the Privacy Rule. The HIPAA Right of Access standard requires healthcare providers to provide patients with access to their medical records upon request. Requested records must be made available to the patient within 30 days of the request. Patients also have the right to receive their records in the format they requested when applicable.
HIPAA Security Rule
The HIPAA Security Rule requires that PHI's confidentiality, integrity, and availability be maintained. Essentially, this means that healthcare organizations must protect the privacy of PHI and prevent its alteration or destruction without authorization. HIPAA safeguards help achieve optimal data security.
What are HIPAA safeguards?
HIPAA safeguards are administrative, technical, and physical measures taken to prevent unauthorized access, use, or disclosure of PHI.
Administrative safeguards are policies and procedures that provide employees with guidelines for properly using and disclosing PHI. They also outline HIPAA training and security risk assessment requirements for employees.
Technical safeguards are measures to protect electronic PHI (ePHI). Common examples of technical safeguards include encryption, user authentication, access controls, and audit controls.
- Encryption: encodes data so that unauthorized entities cannot read the information.
- User authentication: provides each user with a unique user ID to access your organization’s network.
- Audit controls: allow administrators to easily monitor suspicious activity on a network, such as a user accessing a network from a suspicious location or multiple failed login attempts by an individual user.
- Access controls: allow administrators to designate different access levels to patient information based on the employee’s job role.
Physical safeguards, such as locks and alarm systems, protect an organization's physical location.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered companies and business associates to report PHI breaches.
Not all incidents are breaches. Common examples of breaches include hacking incidents, unauthorized access to PHI, disclosure of PHI to an unauthorized party, theft or loss of paper records, and theft or loss of unencrypted portable electronic devices.
For example, theft or loss of an encrypted laptop is not a breach as the information cannot be accessed. If the information on the laptop wasn't secure and became accessible to unauthorized persons, it would be a breach.
Patient data breaches are mandatory to be reported. The breached organization must notify the affected patients in writing within 60 days of the discovery of the incident. Organizations must also report the breach to the Department of Health and Human Services (HHS).
If the incident affects fewer than 500 patients, organizations have up to sixty days after the end of the calendar year to report it to HHS. If the incident affects 500 or more patients, organizations must report it to HHS 30 days after discovery. Violations affecting 500 or more patients must also be reported to the media.
What information does HIPAA protect?
HIPAA protects patient information, known as Protected Health Information (PHI). PHI is defined as any individually identifiable health information associated with the past, present, or future provision of health care.
Electronically protected health information (ePHI) is PHI stored in an electronic format, such as on a laptop or in an electronic health records platform. ePHI must also be protected under HIPAA.
18 HIPAA identifiers
The Department of Health and Human Services (HHS) classifies protected health information into 18 unique identifiers. Each of the 18 identifiers is considered a PHI if it’s associated with the provision of health care services.
Source: Compliancy Group
The following are the 18 HIPAA identifiers:
- Patient names
- Geographical elements, such as a street address, city, county, or zip code
- Dates related to the health or identity of individuals, including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full-face photographic images
- Other identifying numbers or codes
Who needs to be HIPAA compliant?
A common misconception is that HIPAA applies when health information is accessed or disclosed. While HIPAA restricts the use and disclosure of PHI, HIPAA only applies to organizations involved in treatment, payment, or healthcare operations. These organizations are called "covered entities" and "business associates".
Organizations with the potential to access PHI or ePHI must be HIPAA compliant.
Covered entities include healthcare providers, insurance companies, and clearing houses. Doctors, dentists, mental health professionals, chiropractors, and health insurance providers are all covered entities.
Business associates are vendors contracted by a covered entity that may have access to PHI. Electronic health record (EHR) platforms, email service providers, online appointment schedulers, and managed service providers are common examples of business associates.
How to be HIPAA compliant
HIPAA compliance involves several steps. It’s rather a pass or fail. You’re compliant, or you’re not. You need to meet the requirements of each step to be HIPAA compliant and complete some of these requirements annually.
Source: Compliancy Group
Conduct Security Risk Assessments, identify gaps, and incorporate remediation plans
Security Risk Assessments (SRAs) are essential to meeting your HIPAA requirements. To be HIPAA compliant, you must complete a HIPAA Security Risk Assessment annually. This is because SRAs measure your current protections against HIPAA standards. A gap occurs when your current work isn’t sufficient to meet HIPAA standards.
“Gaps” are deficiencies that can result in HIPAA breaches and violations. This is where remediation plans come into play. Remediation plans create actionable steps to close compliance gaps. To be effective, remediation plans must be specific, including what will be done to close the gap, who’s responsible for remediation, and a timeline for remediation.
Implement policies and procedures
Policies and procedures must be designed with the three HIPAA rules in mind. Policies and procedures should adapt to the type and size of an organization and be reviewed and updated annually to be effective.
Policies and procedures outline:
- The proper uses and disclosures of PHI by your organization and employees
- How your organization secures PHI
- What to do in the event of a breach or suspected breach
In the past, organizations have used HIPAA manuals for their policies and procedures. However, because HIPAA manuals are out of the box, they fail to address the nuances of how your organization operates.
Policies and procedures appropriate for a small medical practice may not be effective for a large hospital group, just as policies and procedures written for a covered entity may not be applicable to a business associate.
Conduct HIPAA training for employees
Employees with potential access to PHI or ePHI need to be trained annually. Training should include HIPAA best practices, an overview of your organization's policies and procedures, and cybersecurity best practices.
HIPAA advises that employees should be trained when they’re hired, so holding a training course once a year isn’t enough. A flexible HIPAA employee training program is essential to meet training needs.
Using an online training tool is the best way to achieve this. With an online training program, employees can be assigned training when needed, complete their training at their own pace, and administrators can track employee progress.
Tip: Using a standalone HIPAA training program can help you meet some HIPAA training requirements, but be sure that employees are also trained on your organization’s policies and procedures.
Sign business associate agreements
HIPAA business associate agreements (HIPAA BAAs) are legal contracts that must be signed between a covered entity and its business associate (or between two business associates). HIPAA BAAs should be signed before exchanging PHI or ePHI. Not every vendor is willing or able to act as a business associate; if the provider doesn’t sign a BAA, it cannot fulfill any business associate duties.
Let’s say you’re looking for an online appointment scheduler that allows patients to book their own appointments. You find a vendor that meets your administrative needs, but it doesn’t want to sign an affiliate agreement. You cannot contract with this provider for patient scheduling until they sign a BAA.
Incident management and response
Part of HIPAA compliance is implementing a tested incident response plan. You can quickly identify, respond to, and report incidents with an incident response plan. Organizations with a tested incident response plan dramatically reduce the time it takes to recover from an incident while lowering its costs.
HIPAA violations and fines
While many breaches result in HIPAA violations, the breach itself is never the reason a company is fined. HIPAA violations occur when an organization fails to comply with HIPAA standards. HIPAA fines may be imposed based on the severity of the violation.
Source: Compliancy Group
Common examples of HIPAA violations include failure to:
- Conduct an accurate and thorough risk assessment
- Provide patients with timely access to their medical records
- Properly respond to online patient reviews
- Have a signed business associate agreement with a business associate
- Properly dispose of patient medical records
So, when would an organization be fined for a violation?
HIPAA fines are issued based on the level of perceived negligence.
- Tier 1 is for the least serious infractions. Tier 1 penalties are imposed when a HIPAA violation occurs because a covered entity or business associate was unaware of the rule it violated. To qualify as a Tier 1 penalty, the violation must also be a violation that couldn’t have been avoided had an organization used reasonable diligence to comply with HIPAA. Fines at this level range from $120 to $60,226 per violation.
- Tier 2 violations occur when a covered entity or business associate is aware of the committed violation. To qualify as a Tier 2 violation, the violation is one that could have been avoided even with a reasonable degree of care. Fines at this tier range from $12,045 to $60,226 per violation.
- Tier 3 violations are considered more serious than Tier 1 or Tier 2 and are subject to more costly fines. Tier 3 violations stem from willful neglect of HIPAA. To be considered a Tier 3 violator, the organization should know that it violated HIPAA while conducting due diligence. These violations must be corrected within 30 days to qualify as Tier 3 violations. Fines at this level range from $1,205 to $12,045 per violation.
- Tier 4 violations involve willful neglect of the HIPAA rules. OCR imposes Tier 4 penalties when the covered entity or business associate has not attempted to remediate the violation. Fines at this level range from $60,226 to $1,806,757 per violation.
Organizations found violating HIPAA are often subject to OCR monitoring and corrective action. Corrective action plans are developed by OCR upon completion of HIPAA violation investigations when organizations identify deficiencies. They’re designed to prevent further violations and incidents by aligning the organization's compliance program with HIPAA standards.
Stay compliant; stay secure
The Health Insurance Portability and Accountability Act should be a top priority for any organization involved in healthcare (covered entity or business associate). Simply put, to work in healthcare, you must be HIPAA compliant.
Without HIPAA, patient data is vulnerable to unauthorized use and disclosure. When a breach occurs, patients not only lose confidence in an organization's ability to protect their confidential information, but it can also result in HIPAA violations and costly fines.
By implementing an effective HIPAA compliance program that meets all HIPAA standards, you improve your overall security posture and reduce the likelihood of breaches and violations.
Patients are now more aware of HIPAA and their rights. HIPAA compliance gives them peace of mind that they can trust you with their sensitive information.
Privacy management doesn't end with obtaining one type of compliance. Know everything about data privacy management and keeping your organization secure.