Overwhelmed with HIPAA compliance? You’re not alone. Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important to the covered entities and business associates that are expected by the federal government to follow the law.
However, the requirements of HIPAA and its regulatory agency, the US Department of Health and Human Services (HHS), are not as rigid as they first may seem. We’ve detailed the broad concepts required to understand HIPAA in this article, which serves as a beginner’s HIPAA Compliance Guide.
The healthcare privacy and security law was written to encompass the broad array of organizations for which it was intended. For that reason, the HHS website notes that “there is no single standardized program that could appropriately train employees of all entities.”[i]
Nonetheless, training is a requirement of HIPAA, so it’s necessary to find a strong beginner’s guide that can be used to train your employees on the essentials of compliance. Most of what is available online through the federal government is either aggregations of disparate pieces of information or sizable PDFs, such as the Guide to Privacy and Security of Electronic Health Information[ii] – created by the Office of the National Coordinator for Health Information Technology (ONC). The former is a bit disorganized. While the latter can be great as course material, its 60+ pages are overkill for the purpose of an initial overview.
With the above concerns in mind, this Beginner’s HIPAA Compliance Guide summarizes elements of the federal government’s guide[iii] within a brief article for relatively quick reading, linking out to PDFs of the applicable chapters for additional information. For more information and a quick checklist, also take a look at our article Healthcare Hosting: What is HIPAA Hosting and Why Do I Need It?
HIPAA Compliance Guide
Definitions, purpose, and primary rules of HIPAA
Probably the three most important HIPAA terms are covered entity (CE), business associate (BA), and protected health information (PHI).
Protected Health Information
Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate; it is the data the law is meant to safeguard. PHI that is created, stored, or transmitted electronically is called electronic protected health information (ePHI).
Covered Entity
A covered entity is any healthcare provider that conducts standard transactions electronically, any health plan, or any healthcare clearinghouse.
Business Associate
A business associate is any third-party organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (for example, a hosting provider, a billing service, or a cloud vendor).
The HIPAA guidelines establish various responsibilities for CEs and BAs related to the health data of patients. These responsibilities are aligned with rights that the law grants to patients for the protection of their healthcare records.
Of fundamental concern to covered entities and business associates are the Privacy Rule, Security Rule, and Breach Notification Rule. The Privacy Rule creates standards for the privacy of PHI in any form. The Security Rule establishes administrative, physical, and technical safeguards for electronic protected health information (ePHI) to prevent unauthorized access. The Breach Notification Rule requires covered entities to notify affected individuals (and, depending on the size of the breach, the HHS Secretary and the media) when unsecured PHI is compromised, and requires business associates to notify the covered entity they serve.
For more information on these basic components of HIPAA, see chapter 2 of the guide.
Privacy rights related to health data
The Privacy Rule of HIPAA gives patients the right to receive a notice of privacy practices (NPP)[iv], a document that lets them know about steps taken by their healthcare providers and plans to protect privacy. The NPP also contains information about the rights outlined in the law. “The notice is intended to focus individuals on privacy issues and concerns,” notes the HHS website, “and to prompt them to have discussions with their health plans and health care providers and exercise their rights.”
Also according to the Privacy Rule, healthcare providers and plans have to be responsive when their patients ask for the following:
- access to (and a copy of) their health records
- amendment of their PHI when it contains errors
- an accounting of disclosures of their PHI
- confidential communications, such as being contacted at an alternative address or phone number
- restrictions on how their PHI is used and disclosed.
For more information on patient privacy rights, please see the guide’s 3rd chapter.
Implementation of a security management process
Since the Security Rule is centrally concerned with ePHI, it is the centerpiece for those who need to protect patient records processed and stored in a technological environment. This part of HIPAA is technology-neutral: it does not name specific products, but it does require administrative, physical, and technical safeguards, and it pairs each standard with implementation specifications that are either “required” or “addressable” (an addressable specification must be implemented if reasonable and appropriate; otherwise the entity must document why not and implement an equivalent alternative). In practice, the controls that commonly satisfy these safeguards include firewalls, two-factor (multi-factor) authentication, encrypted offsite backups, TLS certificates (still widely called SSL certificates) to encrypt data in transit, and a VPN for remote access, within a private hosted environment that is covered by a business associate agreement.
Maintaining compliance isn’t just about deploying technologies, though. It’s also about setting up a process so that you can manage your various security mechanisms. Here are steps recommended for covered entities and business associates by the ONC:
- Define leadership and establish a culture of compliance. Designate a security officer, discuss the Security Rule with your electronic health record (EHR) vendor, and consider professional help for the security risk analysis. Assess your vulnerabilities with proven tools, review the HIPAA requirements, and foster a culture of privacy and security.
- Document your process. Record and retain your security risk analysis and the steps you took to remedy any problems you identified; the Security Rule requires this documentation to be kept for six years.
- Conduct a security risk analysis. Determine every location where ePHI resides, along with how it is created, sent, received, and maintained. Identify vulnerabilities and the threats that could exploit them, and rate each resulting risk as low, medium, or high based on its likelihood and impact.
- Create a strategic plan. Using the findings of your analysis, develop a plan to address all risks you have uncovered. It should include policies and procedures, organizational standards, administrative safeguards, physical safeguards, and technical safeguards.
- Launch your plan and manage risks. Put your strategic plan into action. Train your employees to prevent unauthorized access, using informational resources (and, optionally, the ONC’s training games). Talk with patients about data security and confidentiality. Keep your business associate agreements up to date.
- Manage ongoing risks, conduct audits, and update your security systems. Keep audit controls in place that log access to ePHI, review those logs regularly, and repeat the risk analysis whenever your systems, vendors, or the threats you face change.
To learn more about the current federal perspective on security management in a healthcare setting, see chapter 6 of the guide.
Protocols and expectations for breaches and HIPAA violations
Under the Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay, and no later than 60 days after discovering the breach, whenever unsecured PHI is acquired, accessed, used, or disclosed in a way the rules do not permit (for example, when a device or records are stolen or lost). Business associates must notify the covered entity they serve. If the breach affects 500 or more individuals, the covered entity must also notify the HHS Secretary at the same time, and if more than 500 residents of a single state or jurisdiction are affected, prominent local media must be notified as well. Breaches affecting fewer than 500 individuals must be logged and reported to the HHS Secretary within 60 days after the end of the calendar year in which they were discovered.
Covered entities and business associates sometimes fail to comply with HIPAA. Violations come to light through complaints, compliance audits, investigations, breach notifications, referrals from other government agencies, and the press.
There are four tiers of civil penalties described by the HIPAA Enforcement Rule. The amounts below are the statutory per-violation ranges set by the HITECH Act in 2009; they are adjusted for inflation each year, and each tier is subject to an annual cap of $1.5 million for violations of an identical provision.

| Tier | Nature of the violation | Penalty per violation |
|---|---|---|
| 1 | The entity did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA | $100 to $50,000 |
| 2 | “Reasonable cause”: the entity knew, or with reasonable diligence would have known, of the violation, but did not act with willful neglect | $1,000 to $50,000 |
| 3 | “Willful neglect”: conscious, intentional failure or reckless indifference, but the violation was corrected within 30 days of discovery | $10,000 to $50,000 |
| 4 | Willful neglect that was not corrected within 30 days | $50,000 |
For more on breach notification and enforcement, please see the 7th chapter of the guide.