What is HIPAA?
Why HIPAA compliance matters: the Health Insurance Portability and Accountability Act (HIPAA) of 1996, through its Security Rule, established standards for protecting individuals’ electronic protected health information (PHI). This includes any identifiable health information, such as medical records and histories, medical bills, and lab results, among others. Covered entities (healthcare providers, health plans, and healthcare clearinghouses) are the organizations that create, receive, use, or maintain these records.
Although the law dates from 1996, businesses should pay close attention to it today. OCR announced in 2017 that it would investigate HIPAA breaches affecting 500 or fewer individuals more broadly. Small breaches can occur in organizations of any size, but the announcement serves as a reminder to those at the smaller end of the scale that when it comes to a HIPAA breach, no size is irrelevant.
Does your business need to be HIPAA compliant?
Your business must be HIPAA compliant if it currently handles PHI or if it wishes to work with healthcare companies. You will need to demonstrate that your business has policies in place to protect PHI and is able to handle the data your clients have entrusted to you safely and securely.
HIPAA applies primarily to covered entities, which include both healthcare organizations and individual practitioners.
Healthcare providers
The first category, healthcare providers, includes professionals and organizations such as doctors, psychologists, nursing homes, and pharmacies. These groups are covered only if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard.
Health plans
A second category, health insurance plans, includes health maintenance organizations (HMOs), company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and military/veteran benefits.
Healthcare clearinghouses
The third and final group, the healthcare clearinghouse, includes organizations that convert nonstandard health information received from other entities into standard forms (e.g., standard electronic formats or data content).
HIPAA extends to business associates
Furthermore, covered entities may disclose PHI to business associates as long as they have an agreement in place stating what they intend to do with the data and that they will be required to protect the confidentiality and security of the PHI they are permitted to access.
HHS defines a HIPAA business associate as any individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of a covered entity. Specifically, if your company processes protected health information (PHI) for a customer who falls under HIPAA regulations, you are considered that customer’s business associate (BA). Payment processing and activities related to healthcare operations are common responsibilities of business associates.
You will be required to enter into a HIPAA-compliant Business Associate Agreement (BAA) with your customer if you are a SaaS company or cloud service provider (CSP) that works with or wishes to work with businesses that handle protected health information (PHI). You will also need to follow all applicable HIPAA regulations. If you are unclear about business associate agreements and your compliance obligations under HIPAA, read the following article to learn how to stay in compliance when working with companies that handle protected health information.
HIPAA auditing and enforcement
Organizations are audited by the Office for Civil Rights (OCR) of the Department of Health and Human Services to ensure that HIPAA is being followed. In 2016, as part of the second phase of its audit program, OCR began collecting contact information for covered entities and sent out questionnaires about the size, type, and operation of each entity; it used the responses to build a pool of potential organizations for auditing. OCR selects organizations from this pool for audit at random.
What are the consequences of violating HIPAA?
A violation of HIPAA may result in both a financial penalty and a corrective action plan issued by the OCR. The size of the financial penalty depends on the organization’s level of knowledge of the violation. A violation may be classified anywhere from Tier 1, a violation the entity was unaware of and could not reasonably have avoided, to Tier 4, a violation the covered entity knew about but made no attempt to rectify. The fines for each tier are adjusted for inflation annually. The 2019 fines for each tier were as follows:
- Tier 1: minimum fine of $117 per violation, up to $58,490
- Tier 2: minimum fine of $1,170 per violation, up to $58,490
- Tier 3: minimum fine of $11,698 per violation, up to $58,490
- Tier 4: minimum fine of $58,490 per violation, up to $1,754,698
OCR takes HIPAA violations seriously, as demonstrated by the $3 million fine it imposed on the University of Rochester Medical Center in 2019 for a variety of violations, including the failure to encrypt mobile devices. A strong compliance program can protect you even if you unintentionally violate HIPAA. Whether an incident turns out to be a bump in the road or a potentially crippling financial penalty can come down to how thorough and continuously updated your compliance program is.
What are the key requirements of HIPAA?
Covered entities must meet three core requirements. To ensure compliance with all three, HIPAA-compliant organizations implement the necessary controls and safeguards.
The Privacy Rule:
The Privacy Rule protects PHI by setting limits and conditions on the use and disclosure of medical records and other protected health information without the patient’s consent. The rule also grants patients the right to obtain a copy of their health records and to request that their providers correct their health information.
The Security Rule:
Businesses covered by HIPAA are required to establish security standards to protect electronic protected health information (ePHI). These standards apply to any ePHI that a covered entity creates, receives, uses, or maintains, whether directly or through its business associates. The rule stipulates that “appropriate administrative, physical, and technical safeguards have to be put in place to protect the confidentiality, integrity, and security of electronic protected health information.” This rule is explained in more detail in a later section.
Notification in Case of Breach of Unsecured Protected Health Information:
Although security safeguards are designed to prevent breaches, HIPAA-compliant organizations that suffer a breach of unsecured PHI must notify certain parties, depending on the nature and size of the breach. These parties include the affected individuals, the media, and the Secretary of HHS.
OCR defines a breach as “an impermissible use or disclosure that compromises the security or privacy of protected health information under the Privacy Rule.” Breaches are therefore not limited to those caused by hackers or malware; they also include employees disclosing information or leaving it accessible to unauthorized users.
How to satisfy the HIPAA security rule
The HIPAA Security Rule has three parts: technical, physical, and administrative safeguards. Each has its own set of implementation specifications, which are classified as either required or addressable.
Note that an addressable specification does not mean you can ignore it; it simply means there is some flexibility in how the safeguard is implemented. An organization may also choose not to implement an addressable safeguard if doing so is not reasonable for it, but it must document that decision and be prepared to justify it in the event of an audit.
Technical safeguards:
Technical safeguards cover the technology used to protect ePHI and control access to it. Organizations may implement whichever safeguards are appropriate for them, with one exception: electronic protected health information must be encrypted in accordance with NIST guidelines once it leaves your internal servers.
Covered entities are required to comply with the following technical safeguards:
- Implement access controls
- Establish a mechanism for authenticating ePHI
- Implement encryption and decryption tools
- Introduce audit controls and activity logs
- Ensure that PCs and devices are logged off automatically
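The following is an added illustration, not code from the original article or from any HIPAA guidance, of how four of the listed technical safeguards fit together in one small ePHI access gateway: role-based access control, an HMAC over each stored record as the mechanism for authenticating ePHI, an append-only audit log of every access attempt, and an idle-session timeout that enforces automatic logoff. The role policy, the timeout value, the HMAC key and the sample record are all constructed for the example; a real deployment would draw them from its own policy and key management.

```python
"""Added example: a minimal ePHI access gateway exercising HIPAA technical safeguards."""
import hashlib
import hmac
import json
import time

# Constructed sample policy (assumption): which actions each role may perform on ePHI.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
}

IDLE_TIMEOUT_SECONDS = 600  # constructed value: automatic logoff after 10 idle minutes


class PhiGateway:
    """Access control + ePHI integrity check + audit log + automatic logoff."""

    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key   # key for the HMAC that seals each stored record
        self._clock = clock         # injectable clock so timeouts can be tested deterministically
        self._records = {}          # record_id -> {"data": ..., "mac": ...}
        self._sessions = {}         # session_id -> {"user", "role", "last_activity"}
        self.audit_log = []         # append-only list of access events

    def _seal(self, record: dict) -> str:
        # Canonical JSON so the same record content always yields the same MAC.
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def _audit(self, user, action, record_id, outcome):
        self.audit_log.append({"ts": self._clock(), "user": user, "action": action,
                               "record": record_id, "outcome": outcome})

    def store(self, record_id: str, record: dict) -> None:
        """Store a record together with an HMAC used later to authenticate it."""
        self._records[record_id] = {"data": dict(record), "mac": self._seal(record)}

    def login(self, session_id: str, user: str, role: str) -> None:
        self._sessions[session_id] = {"user": user, "role": role, "last_activity": self._clock()}
        self._audit(user, "login", None, "ok")

    def access(self, session_id: str, action: str, record_id: str):
        """Return the record if every safeguard passes, else None; every attempt is logged."""
        session = self._sessions.get(session_id)
        if session is None:
            self._audit("unknown", action, record_id, "denied:no-session")
            return None
        now = self._clock()
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # automatic logoff of the idle session
            self._audit(session["user"], action, record_id, "denied:auto-logoff")
            return None
        session["last_activity"] = now
        if action not in ROLE_PERMISSIONS.get(session["role"], set()):
            self._audit(session["user"], action, record_id, "denied:role")
            return None
        entry = self._records.get(record_id)
        if entry is None:
            self._audit(session["user"], action, record_id, "denied:no-record")
            return None
        # Authenticate the ePHI: a MAC mismatch means the stored data was altered.
        if not hmac.compare_digest(entry["mac"], self._seal(entry["data"])):
            self._audit(session["user"], action, record_id, "denied:integrity")
            return None
        self._audit(session["user"], action, record_id, "ok")
        return entry["data"]

    def tamper_for_demo(self, record_id: str, field: str, value) -> None:
        """Simulate an out-of-band modification of stored data (walkthrough only)."""
        self._records[record_id]["data"][field] = value


def walkthrough(clock_start: float = 1_700_000_000.0):
    """Run a constructed scenario with a controllable clock; return (outcomes, audit_log)."""
    now = [clock_start]
    gw = PhiGateway(integrity_key=b"constructed-demo-key", clock=lambda: now[0])
    gw.store("rec-1", {"patient": "constructed-id-42", "lab": "A1c 6.1"})
    gw.login("s1", "dr_lee", "physician")
    gw.login("s2", "bill_k", "billing")
    outcomes = []
    outcomes.append(gw.access("s1", "read", "rec-1") is not None)    # physician may read
    outcomes.append(gw.access("s2", "update", "rec-1") is not None)  # billing may not update
    now[0] += IDLE_TIMEOUT_SECONDS + 1
    outcomes.append(gw.access("s1", "read", "rec-1") is not None)    # idle too long: auto logoff
    gw.login("s1", "dr_lee", "physician")
    gw.tamper_for_demo("rec-1", "lab", "A1c 5.0")
    outcomes.append(gw.access("s1", "read", "rec-1") is not None)    # MAC mismatch: denied
    return outcomes, gw.audit_log


if __name__ == "__main__":
    results, log = walkthrough()
    print(results)  # [True, False, False, False]
    for event in log:
        print(event)
```

Every denial, including the automatic logoff and the integrity failure, lands in the audit log with the user, action, record and reason, which is what an auditor or incident responder needs from "audit controls and activity logs". The encryption safeguard is deliberately left out of this block: it belongs at the storage and transport layers, not in the access path.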
Physical safeguards:
HIPAA physical safeguards govern physical access to electronic protected health information wherever it is stored, whether in a data center, in cloud-based storage, at a covered entity’s own premises, or elsewhere. They set out standards for the physical protection of ePHI.
The physical safeguards include requirements for:
- Controls for facility access
- Policies regarding the use and positioning of workstations
- Policy and procedure for mobile devices
- Inventory of hardware
Administrative safeguards:
Administrative safeguards are the policies and procedures that govern your organization’s conduct and tie the Privacy and Security Rules together into one set of policies and procedures. HIPAA requires you to assign a dedicated security officer and privacy officer to ensure these safeguards are implemented.
A number of administrative safeguards are required, including:
- Risk assessment
- A risk management policy
- Security training for employees
- Contingency planning
- Continuity plan testing
- Limiting third-party access
- Security incident procedures
How does HIPAA fit into your overall compliance program?
Although HIPAA covers a particular type of information, the controls and safeguards required to protect electronic protected health information are similar to those required under other cybersecurity compliance frameworks. If your organization already has a robust information security program, certain HIPAA requirements may already be met.
Conversely, if you are already compliant with HIPAA and are seeking compliance with other privacy standards, such as SOC 2, ISO27K, or CCPA, your HIPAA-compliant policies and safeguards will likely give you a significant head start. HIPAA requirements that overlap with other data security frameworks include access control, mobile device usage policies, risk management policies, and employee training.
When should you consider HIPAA compliance?
You must become HIPAA compliant before you accept or work with any PHI from clients if you wish to do business with HIPAA-covered entities. The OCR will expect you to be able to demonstrate HIPAA compliance if there is a data breach or a client audit identifies you as a business associate. You could face steep penalties if you accept PHI from a covered entity without complying with HIPAA regulations, as we discussed earlier.
Don’t wait until you are courting a client to think about compliance if you are interested in doing business with covered entities. Most likely, your competitors will be compliant if you are not.
HIPAA vs. HITRUST: What’s the Difference?
Unlike some data security frameworks, HIPAA has no certification: after an OCR audit you are simply found to be either in or out of compliance. The Health Information Trust Alliance (HITRUST), a group of healthcare industry leaders, has developed a certification system that helps organizations become compliant with HIPAA and other regulations. Its Common Security Framework (CSF) is a standardized, voluntary compliance framework that incorporates HIPAA alongside other frameworks, such as PCI and NIST.
An organization can demonstrate compliance with HIPAA by obtaining CSF certification and demonstrate to their clients that they take data security compliance seriously. Nevertheless, obtaining the HITRUST CSF certification can be time-consuming and expensive, so many organizations choose not to pursue it unless their potential clients require it.
Tips for Getting Started with HIPAA
If your organization is just starting its compliance journey, or if HIPAA compliance is new to it, you should have a plan in place. Determine what security measures need to be implemented, how your organization will implement those measures and controls, and which controls will be tested and monitored regularly. Take proactive measures to safeguard your data; don’t wait for a problem to arise.
If your organization suffers a data breach, you must notify certain parties, such as individuals, the media, and the Secretary, depending upon the type and extent of the breach.
Record audit trails:
During your internal and external audits, keep records of your activities, including what documentation you are pulling, what processes you are evaluating, and the findings of each audit. Audits provide a snapshot of your HIPAA compliance process at a particular point in time, and keeping track of your discoveries can assist you in identifying what you need to address and what processes are working as intended.
Have dedicated staff and resources:
Compliance requires dedicated staff and resources in order to be successful. It may be tempting for startups, small businesses, or companies that do not recognize the value of proactive compliance programs to add compliance responsibilities to existing employees. Despite this, a successful compliance program requires knowledgeable and dedicated staff, as well as resources to support them.
Get leadership’s buy-in:
As with any corporate value or program, compliance must come from the top down in order to be successful. It is invaluable to have the leadership’s buy-in, and it will make all the difference in the world. As a result of their support, your compliance program will be more likely to have the dedicated staff and resources we discussed above and will be a priority for everyone in the organization, not just compliance personnel.
Maintaining compliance with HIPAA
HIPAA compliance is not something you achieve once and then forget about. Because cyber security threats evolve constantly, a compliance program that is not prioritized will quickly fall behind and fail to safeguard your business. Once compliance has been achieved, maintaining it requires a maintenance plan.