What is HIPAA Compliance?
HIPAA compliance, to put it simply, means that an organization meets all the requirements of the law as regulated by the US Department of Health and Human Services. To help you understand the core concepts of compliance, we have created this guide to assist you along your path to compliance.
HIPAA (Health Insurance Portability and Accountability Act) was signed into law in 1996. The original intention of the law was to help more Americans gain health insurance coverage and to ensure that employees would not lose their health insurance if they changed jobs. The act also allowed the Department of Health and Human Services (HHS) to set standards for safeguarding Protected Health Information (PHI), standards that were later defined and expanded through the HIPAA Privacy Rule, the Security Rule, the HITECH (Health Information Technology for Economic and Clinical Health) Act, and other expansions of the original HIPAA law.
HIPAA regulations are quite complex, with far-reaching consequences, but the act can also be very confusing because it does not provide clear directions for how to achieve compliance. HIPAA compliance can be thought of as a moving target, with different requirements for different organizations based upon the resources available to secure and safeguard protected health information.
What is Protected Health Information?
Protected Health Information, or PHI, is any personal health information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, such as a diagnosis or treatment. PHI can include:
- The past, present, or future physical health or condition of an individual
- Healthcare services rendered to an individual
- Past, present, or future payment for healthcare services rendered to an individual
To slow down for a moment: PHI is personally identifiable information that appears in medical records, but it also extends to things like conversations between healthcare staff, such as doctors and nurses, about a patient's treatment. The rule of thumb is that if the information can be used to identify the patient and it was used or created during the course of providing a healthcare service, it is considered PHI.
HIPAA lays out 18 identifiers that mark information as PHI. If those identifiers are removed from a record, it is no longer considered Protected Health Information. PHI also includes billing information and any information that could be used to identify an individual in a health insurance company's records. When PHI is held in an electronic format, such as on a computer or in a digital file, it is called electronic Protected Health Information (ePHI).
Who needs to be HIPAA Compliant?
Under the law, there are two types of entities responsible for protected health information: Covered Entities and Business Associates.
A covered entity is defined by HIPAA as anyone who creates, collects, or transmits PHI as part of treatment, payment, or operations when providing healthcare. Most covered entities are healthcare organizations that either have direct contact with patients, such as doctors, clinics, and hospitals, or use their information, such as insurance companies or health plans.
A business associate is an organization or individual that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. Because of the size and complexity of modern healthcare, PHI can be found in many more places than a hospital or a doctor's office, and there are countless examples of business associates. These can be billing companies, law firms, EHR platforms, physical record or cloud storage providers, email hosting services, practice management firms, and many more.
Even though business associates don't see patients, they may maintain or have access to patients' healthcare data. Even subcontractors of business associates who have access to PHI must comply with the HIPAA provisions.
What are the HIPAA Compliance Requirements?
At Accountable, we have broken the basics of HIPAA compliance into several manageable steps. These HIPAA compliance steps are:
- Selecting a Privacy Officer
- Knowing the core rules and their required mandates
- Completing an annual security risk analysis and management
- Adopting privacy policies and security procedures
- Preparing for a breach
- Ongoing training
- Enacting proper business associate agreements and risk analyses
Select a Privacy Officer
The first step forward on your path toward compliance is appointing an internal Privacy Officer to spearhead compliance for your organization. While you are able to get help from external organizations, HIPAA requires that someone internal holds the formal designation of Privacy Officer. Unlike other compliance frameworks (for example, GDPR), HIPAA does not specify the credentials of this individual. We've worked with CEOs, CTOs, IT professionals, and executive assistants: if they're on your payroll, they can be the Privacy Officer. However, the most effective Privacy Officer is someone who has the authority and clout in the organization to implement the organizational changes needed to safeguard health data.
The duties and expectations of a HIPAA Privacy Officer vary depending on the size of the organization and the amount of PHI that it uses, creates, or touches in any manner. In larger organizations, there may even need to be multiple people dedicated to maintaining the company's compliance. The Privacy Officer needs to have a strong understanding of the regulation and how it applies to their business type, whether covered entity or business associate.
What are the Core HIPAA Rules?
The core regulation has been expanded numerous times in the nearly thirty years since its passage. However, the most important rules and expansions to be aware of are:
The HIPAA Privacy Rule sets standards for how PHI can be shared, including what is shared, when it is shared, and under what circumstances it can be used or disclosed. The primary goal of the Privacy Rule is to guarantee that an individual's PHI is held in a system that allows it to flow safely between parties. Those parties can be medical practices, insurance companies, or whoever else needs access to PHI in order to achieve the best healthcare outcomes for the patient while simultaneously protecting the data. Additionally, the Privacy Rule states that patients have the right to access their healthcare records, and that they should have a measure of authority over where their information goes and who can access it.
The Security Rule deals with electronic Protected Health Information (ePHI). It requires the implementation of three types of safeguards: administrative, physical, and technical. The goal of these security measures is to ensure that ePHI is properly secured against all forms of unauthorized access, regardless of whether the data is at rest or in transit, and the measures should be specified in the organization's privacy and security policies.
The Breach Notification Rule updated and modified several aspects of HIPAA by applying standards that both covered entities and business associates must adhere to in the event of a breach of PHI. In addition to covered entities and business associates notifying the Department of Health and Human Services following a breach, the rule also included additional reporting protocols depending upon the size and scale of the breach.
The HIPAA Omnibus Rule updated all the previously passed rules with the intention of creating one single, exhaustive document listing the requirements for complying with the act. Most importantly, the rule declared that business associates are responsible for their own compliance with HIPAA and outlined the rules for Business Associate Agreements (BAAs). The Omnibus Rule also mandated that any unauthorized use or sharing of PHI should be presumed to be a breach. This last change has led to a significantly higher number of reported data breaches each year.
Annual Risk Assessment
Another major requirement of the regulation is to ensure you are conducting regular risk assessments. 'Regular' here means either annually or upon a material change to your organization, whichever comes first. For a covered entity, a material change could be the opening of a new location or the adoption and integration of new software into its operations. These risk assessments serve as a reevaluation of internal practices, to ensure that what you say you are doing is actually practiced. Risk assessments justify the policies and procedures put into place to reduce the identified risk.
It is important to store these risk assessments internally, year after year, as they serve as a paper trail to show continued HIPAA compliance in the event of an audit. While a breach can always occur, these risk assessments serve as a way of showing that your organization has taken HIPAA compliance seriously and can help to mitigate further fines in the event of a breach or audit.
Adopt Compliant Policies and Procedures
Another step in the compliance process is implementing organizational policies and procedures. The Security Rule requires covered entities and their business associates to implement security standards categorized as administrative safeguards, technical safeguards, and physical safeguards, which work together to maintain the confidentiality, integrity, and availability of ePHI.
Administrative safeguards are concerned with the processes, policies, and procedures that protect against a breach or unwanted disclosure of private information; for example, limiting an employee's access to PHI to what is necessary for his or her job and no more. Physical safeguards protect the physical security of your offices and the devices where ePHI may be maintained or accessed, such as by using access control methods like locks. Technical safeguards pertain to the technology that protects personal health data, such as firewalls, encryption, or data backups.
Breach Preparation Protocol
An important facet of HIPAA compliance is the need to establish an internal breach notification protocol in the event that your organization does have a breach. This internal reporting system should be an efficient way of notifying key internal employees that a breach has occurred, so that an adequate response can take place and further data exposure is prevented. Ultimately, no organization ever wants a breach to occur, but it is always important to have a plan in place in case one does. Additionally, you should take steps to prepare for what to do in the event of a breach, with the mindset of "an ounce of prevention is worth a pound of cure".
Annual Employee HIPAA Training
We are intentionally talking about HIPAA training now, as it is often seen as the only requirement for a company to be compliant with the act, when in reality it is but one of many steps in obtaining HIPAA compliance. That being said, annual HIPAA training is an important part of HIPAA compliance, and often one of the most important at the employee level. Keeping a record of these trainings is important as well, so that you can supply it if you are audited. This demonstrates your consistent and dedicated approach to keeping your staff apprised of organizational and federal regulatory requirements.
Business Associate Agreements
When covered entities and business associates work together, they are required to sign a business associate agreement that states both organizations are HIPAA compliant. Business associate agreements consist of information regarding the permissible and impermissible uses of PHI between two HIPAA-beholden organizations. The contracts are often formatted to detail the relationships between a covered entity and a business associate, as well as relationships between two business associates.
Business associate agreements should be compared to the rules and regulations of HIPAA to ensure that they cover every aspect of the working relationship. In our case, the business associate agreements that Accountable shares in our HIPAA compliance platform are fully vetted. These templates are provided to you when using Accountable.
Know the Cost of HIPAA Violations
A violation is defined as a failure of an organization's compliance program that compromises the integrity of protected health information. A breach is defined by HHS as follows: "[A breach] is any unauthorized use or sharing of protected health information (PHI) that jeopardizes the security and privacy of that person's information." A HIPAA breach can be due to unauthorized access by an employee or a third party, a ransomware attack, or improper disclosures. There are countless ways that compliance rules are violated, though the most common types of breaches include:
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Impermissible disclosure of PHI
- Failure to perform an organization-wide risk assessment
- Failure to manage security risks
- Failure to enter into a Business Associate Agreement
The cost of HIPAA violations can be staggering to an organization. Penalties for HIPAA violations are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation.
Fines are levied in a tiered system, based upon the perceived level of negligence that led to the breach.
The HHS breaks violation penalties into four tiers:
First Tier: The entity did not know and could not reasonably have known of the breach. Generally, these range from $100 to $50,000 per incident and up to $25,000 per year.
Second Tier: The entity knew, or by exercising reasonable diligence would have known, of the violation, though it did not act with willful neglect. Fines for the second tier can range from $1,000 to $50,000 per incident and up to $100,000 per year.
Third Tier: The entity "acted with willful neglect" but corrected the problems within a 30-day period of the breach. Penalties for the third tier can range from $10,000 to $50,000 per incident and up to $250,000 per year.
Fourth Tier: The entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident with total penalties up to $1.5 million per year.
How to become HIPAA Compliant
How can you know you are truly HIPAA compliant? Well, you have a couple of different options here, so let's dive right in. Your first (and most risky) option is to try to take on HIPAA compliance yourself, using a shoot-from-the-hip approach. You can sit down with the hundreds of pages of legislation that HIPAA entails and begin to tackle the seemingly insurmountable task of understanding and executing the steps necessary to become HIPAA compliant. If that just raised your blood pressure, don't worry, we've got two more options for you.
Your next option would be to hire a healthcare lawyer, who will charge you anywhere from $100 to $300 per hour, to accomplish the aforementioned Goliath task. This could take them two weeks, or it could take them two months (the math there is $8,000 on the lowest end and $96,000 on the highest end). Again, this may seem like quite a rock and a hard place, and we agree! That's why we came up with a complete administrative solution to this and have solved this problem for thousands of businesses just like yours.
Here at Accountable, we offer a complete administrative solution to HIPAA compliance so that you can achieve and maintain your compliance program efficiently and effectively for a fraction of what it would cost to hire a legal professional, while still providing the peace of mind that comes with working with a third-party expert. Now that is great and all, but you're here because you want to know how you can get compliant.
Don't wait. Get started on your journey to compliance today by booking a demo!