What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It is US legislation that aims to make it easier for workers to retain their health insurance coverage when they lose or change their jobs. HIPAA also seeks to improve the quality and efficiency of the healthcare system by encouraging better information sharing through the use of electronic health records.


In addition to the use of electronic records, HIPAA also sets out provisions for the security and privacy of Protected Health Information (PHI). This is arguably the most critical part of the legislation and the one most businesses have a tough time dealing with. While it is intended to prevent healthcare fraud and abuse, it is rather intimidating for businesses because it carries civil and criminal penalties for violations.


Before we begin to talk about compliance requirements and measures, let’s try to understand the legislation a little better.

What is Protected Health Information (PHI)?

PHI is any demographic information that can be used to identify a patient. It includes a variety of health and health-related data such as Social Security numbers, full facial photos, billing information, insurance details, diagnosis data, lab results, clinical care data, etc. All PHI that is created, stored, or accessed comes under the purview of HIPAA regulations.


When PHI is handled electronically, it is called ePHI and is likewise regulated by HIPAA. This is the key focus area for most businesses that need to comply with HIPAA.


Who Needs To Be HIPAA Compliant?


Any organization that creates, collects, or transmits PHI, including organizations that handle the transmitted information on their behalf, is required to comply with HIPAA regulations. HIPAA identifies two types of entities that need to be compliant:


COVERED ENTITIES

Health care providers, health care clearinghouses, health insurance providers, etc. are examples of covered entities.


BUSINESS ASSOCIATES

HIPAA has defined the scope of business associates to include a wide range of service providers who may handle, transmit, or process PHI. Billing companies, EHR platforms, cloud storage providers, email hosting services, third-party consultants, etc. are some examples of business associates.

What Are The HIPAA Standards Or Rules?

HIPAA regulations are divided into several major standards or rules, which are as follows: 

1. Privacy Rule

The HIPAA Privacy Rule sets out directives for the protection and privacy of patients’ health information. It establishes standards for patients’ rights over their PHI, defines the authorized uses and disclosures of PHI, and sets the requirements for how PHI must be controlled. It should be noted that this rule applies only to covered entities and not to business associates.


2. Security Rule

The Security Rule establishes a set of security standards intended to protect health information that is held or transferred in electronic form (ePHI). It puts the protections established in the Privacy Rule into practice by requiring covered entities to implement technical and non-technical safeguards for the ePHI of their patients.


The Security Rule lays down three types of safeguards:

  • Administrative

  • Physical

  • Technical


For each of the above safeguards, the rule provides mandatory as well as recommended implementation specifications. The mandatory specifications must be implemented as directed by the rule. The recommended specifications are more flexible, and organizations are free to determine how best to implement them. You are also required to document your organization’s policies and procedures, to train your staff, and to keep records of that training.

3. Transactions and Code Sets (TCS) Rule

The HIPAA Transactions and Code Sets Rule is intended to simplify the processes related to payment for healthcare services by requiring all health plans to engage in health care transactions in a standardized way.


4. Unique Identifiers Rule

The Unique Identifiers Rule requires all covered entities to use a unique 10-digit National Provider Identifier (NPI) for identification purposes. Covered entities such as hospitals, physicians, insurance companies, etc. must use the NPI. Its sole purpose is to identify covered healthcare providers in standard transactions; it carries no additional meaning.


5. Breach Notification Rule

The Breach Notification Rule sets out the standards that covered entities and business associates are required to follow in the event of a data breach involving PHI or ePHI.


You need to know the process to be followed in the event of a data breach:

  • When to issue notifications

  • Whom to notify of the breach

  • When to notify the media, the Department of Health and Human Services (HHS), and the Office for Civil Rights (OCR)

  • The timeframe for sending notifications

  • The information the breach notification must include

6. Omnibus Final Rule

Originally, the HIPAA regulations applied only to covered entities. In January 2013, HIPAA was updated via the Omnibus Final Rule, which expanded the scope of HIPAA to include business associates. This rule also brought changes to the Security Rule and the Breach Notification portions of the HITECH Act.


The Omnibus Final Rule requires the business associates of covered entities to be HIPAA compliant. It also lays out the rules for Business Associate Agreements, which are contracts that must be signed between a covered entity and its business associate, or between two business associates, before any PHI or ePHI can be shared or transferred.


7. HITECH Act

The HITECH Act was implemented to encourage the adoption of electronic health records among healthcare providers and to improve the privacy and security of healthcare data. This was done using financial incentives as well as increased penalties for violations of the HIPAA Privacy and Security Rules.


Subtitle D of the HITECH Act deals with the privacy, security, and breach notification requirements for the electronic transmission of health information and strengthens the civil and criminal enforcement of the HIPAA regulations.

What Are The Requirements For HIPAA Compliance?

Here’s a list of action items that will help you to become HIPAA compliant:


1. Documentation

Documentation is the first step in preparing for any audit. HIPAA requires organizations to maintain thorough documentation of their compliance efforts.

The documentation is not only critical for HIPAA audits but also gives you invaluable insight into your organization’s preparedness and the further work required to achieve compliance.


2. Policies, Procedures, Employee Training

HIPAA compliance requires organizations to develop policies and procedures consistent with HIPAA regulatory standards. These policies and procedures are not static: they need to be reviewed and updated to reflect any changes in the regulations or in the business operations. In addition, organizations are required to hold annual training on their policies and procedures and to maintain formal records of that training.


3. Internal Audits

Annual security audits are a requirement for HIPAA compliance. These audits must assess the Administrative, Physical, and Technical safeguards against the HIPAA Privacy and Security standards and highlight any gaps in compliance. These internal audits are separate from the external audits.


The HHS Office for Civil Rights performs audits of covered entities and their business associates. These external audits review the policies and procedures adopted and employed to meet the standards and implementation specifications defined in the various HIPAA Rules. They are performed using a predefined audit protocol that is publicly available.


4. Remediation Plans

If any gaps are identified in the internal audit, the organization must put remediation plans for the compliance violations into practice. Don’t forget to document the remediation plans, including the outcome of the remediation process.


5. Business Associate Management


Your organization is required to document all vendors with whom you share PHI and to ensure, through Business Associate Agreements (BAAs), that they handle the PHI securely. The BAAs must be executed before any PHI is shared or transferred. You also need to review the BAAs annually to ensure that they reflect any changes in your business relationship with your business associates.


6. Incident Management

HIPAA compliance requires organizations to document all security incidents. Note that this is different from the Breach Notification Rule, which deals with actual breaches. Security incidents don’t necessarily result in breaches; for example, they can be hacking or unauthorized access attempts that were stopped internally before any data was breached. You should have a formal process for reporting and managing security incidents, and your staff should be able to recognize and report all such occurrences.

What Constitutes A HIPAA Violation?


Any incident that compromises the privacy, safety, or integrity of PHI or ePHI is deemed a HIPAA violation. It is important to understand that not all data breaches are HIPAA violations. A data breach is considered a HIPAA violation only when the breach is due to a lapse in your HIPAA compliance program, policies, or procedures.

Here’s an example of a HIPAA violation: a data breach occurs when an unencrypted company laptop with access to medical records is stolen. This breach becomes a HIPAA violation if your company doesn’t have a policy requiring laptop encryption.


Fines for violations range from $100 to $50,000 per incident and depend on the level of negligence perceived by the auditors. If continued negligence towards HIPAA compliance is detected, the fine can be severe. For example, in the first instance of HIPAA enforcement action, Presence Health was fined $475,000 for a lack of timely breach notification.

What Does Being HIPAA Compliant Mean?

Being HIPAA compliant means that you adhere to, and can demonstrate your commitment to, the safeguards outlined in HIPAA. It means that you have policies and procedures in place to satisfy the Security, Privacy, and Breach Notification Rules prescribed by HIPAA. In addition, you need a continual process of evaluating the implemented measures, training staff, and ensuring the compliance of business associates in order to create and sustain a culture of compliance within your organization.


HIPAA compliance standards can be overwhelming, and if you have to deal with all the technical aspects yourself, they can be an absolute nightmare. Given the complex matrix that technical infrastructure, cloud storage, third-party applications, and compliance requirements create, having a trusted technology partner is essential to ensure your practice remains secure and compliant. By partnering with Jones IT, you can rest assured that your organization will no longer be exposed to the risks associated with IT that is not HIPAA compliant.



About The Author


Hari Subedi

Marketing Manager at Jones IT

Hari is an online marketing professional with a focus on content marketing. He writes on topics related to IT, Security, Small Business, and Mindfulness. He is also the founder and managing director of Girivar Kft., a business services company located in Budapest, Hungary.
