Any organization dealing with protected health information in digital or analog form must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA fines cost the top 10 companies $28 million in 2018 and this was only for the cases that were resolved, out of 431 data breach investigations.
Strict adherence to the HIPAA compliance standard helps prevent data loss and avoids the legal and financial consequences involved. Organizations need security tools and solutions to help prevent data loss and data breaches to protect and secure HIPAA-protected data.
An organization bound by HIPAA may find compliance a rather daunting task. In this article, we aim to cover the basic aspects of HIPAA compliance standards and give some guiding principles to effectively achieve compliance.
In this page:
- What is HIPAA compliance?
- What is a HIPAA violation?
- HIPAA rules
- 7 elements of an effective HIPAA compliance program
What Is HIPAA Compliance?
The Health Insurance Portability and Accountability Act establishes national standards across the U.S for the protection of sensitive patient data. HIPAA sets the rules to protect the privacy and security of individually identifiable health information.
Any company handling protected health information (PHI) must obey HIPAA compliance standards. These standards differentiate between two types of entities dealing with PHI, covered entities and business associates:
- Covered entities—any entity providing treatment, payment and healthcare operations.
- Business associates—anyone with access to patient information, handling PHI as a third-party, providing support in treatment, payment or operations. This includes subcontractors such as billing companies, third-party consultants, IT providers, attorneys, and accountants.
The digitization of the healthcare industry has produced new challenges when dealing with sensitive patient information. Most operations in the healthcare system today are computerized, including computerized physician order entry (CPOE) systems, electronic health records (EHR), pharmacy and laboratory systems. Therefore, a system to protect PHI is imperative to ensure that this personal information is handled securely in light of the security risks facing the healthcare data.
What Is a HIPAA Violation?
Any breach in an organization’s compliance program that compromises the integrity of the PHI is considered a HIPAA violation.
Common HIPAA violations
While not all data breaches are HIPAA violations, all HIPAA violations involve a security breach. A HIPAA violation results from an ineffective, incomplete or outdated HIPAA compliance program, or a direct violation of the organization’s HIPAA compliance policies.
For example, if an employee has stolen or lost an unencrypted company laptop with access to medical records, it is considered a data breach. If the owner of the laptop (the company) doesn’t have the policy to prevent company laptops from being taken off site or requiring their encryption, it is a HIPAA violation.
Common HIPAA mistakes
Organizations facing a data breach need to follow a protocol called the HIPAA Breach Notification Rule. This protocol differs according to the scope of the data breach. The HIPAA Breach Notification Rule mentions two types of breaches:
- Minor breach—a data breach is considered minor when the impact involves up to 500 people per jurisdiction. An organization affected by minor breaches needs to report them once a year, 60 days before the end of the calendar year. In addition, the company needs to inform affected individuals before 60 days have passed since the discovery of the data breach.
- Meaningful breach—HSS considers a data breach to be meaningful when it impacts more than 500 individuals in a single area. Such breaches need to be reported sooner, with a limit of 60 days after the discovery of the data breach. The affected organization must inform individuals as soon as the data breach is discovered. The HSS publishes meaningful breaches since 2009 on the Breach Notification Portal.
There are four main rules in the HIPAA standard: the privacy rule and security rules being the overarching ones.
- HIPAA privacy rule—also known as the Standards for Privacy of Individually Identifiable Health Information, it determines the standards for the protection of certain health information such as medical records, applying to health plans, health care clearinghouses and healthcare providers. It establishes patient rights over their health information, including requesting corrections and obtaining a copy of their health records. This rule only applies to covered entities. Other standards outlined by this rule include the contents of use and disclosure forms and notices of privacy practices. The organization must document these regulatory standards in their policies and procedures, and train all staff in these policies and procedures annually, with documented attendance.
- HIPAA security rule—sets the security standards for maintenance, transmission, and handling of the PHI. This applies to covered entities and business associates. This rule determines the standard for integrity and safety of information, including the physical, administrative and technical measures needed to maintain compliance. As in the privacy rule, the organization must document these regulations in its own HIPAA policies and procedures, training staff annually.
- HIPAA breach notification rule—this rule sets the standards that covered entities and business associates must follow in the event of a security breach involving protected health information. Organizations must report all breaches, with different deadlines according to the severity of the data breach or HIPAA violation.
- HIPAA omnibus rule—an addendum to the HIPAA regulation that applies the standard to business associates. According to this rule, business associates must be HIPAA-compliant. It outlines the rules regarding Business Associate Agreements (BAAs), which are contracts executed between a covered entity and business associate, or between two business associates, before any PHI or ePHI can be transferred.
Seven Elements of an Effective HIPAA Compliance Program
The Department of Health and Human Services (HHS), responsible for the launch of HIPAA, established the Seven Elements of an Effective Compliance Program. This program, included in their compliance training guide, outlines seven guiding principles to help direct compliance efforts:
1. Having written policies, procedures and standards of conduct
2. Assigning a compliance officer and compliance committee
3. Conducting effective training and education with all employees with mandatory attendance
4. Developing effective lines of communication
5. Performing internal monitoring and auditing
6. Enforcing standards through protocols and publicized disciplinary guidelines
7. Undertaking prompt corrective action to detected offenses
These principles should underlie every protocol, policy, and procedure the organization develops to comply with HIPAA regulations. In addition, auditors will use these guidelines when conducting an investigation.
HIPAA compliance protects users’ data, ensuring their privacy and security. To achieve these goals, organizations should foster a security culture. Conducting training workshops and implementing security awareness practices helps the staff integrate best practices.
Organizations should protect their network environment with security tools, like SIEM solutions. Software such as firewalls and endpoint security can help secure the perimeter from attackers. In addition, monitoring and controlling access to the data are essential to prevent insider threats. With data breaches on the rise, complying with HIPAA is not just a matter of regulatory requirements, but of protecting the organization and the users.