In the United States, compliance with the Privacy and Security Act (HIPAA) requires that companies dealing with protected health information (PHI) maintain physical, network, and process security.
HIPAA compliance rules apply to anyone who provides healthcare treatment, payment, or operations.
HIPAA compliance is also essential for business associates with access to patient information or who provide treatment, payment, or operations support. Similarly, HIPAA applies to subcontractors and related businesses as well.
What is HIPAA Compliance?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, used to set federal regulations covering patient health care information use and disclosure. It also guides how to protect electronic health information.
HIPAA compliance is essential in the healthcare industry to prevent providers from getting into any patient records issues. If these rules are not adhered to, some lawsuits may ensue.
The Office for Civil Rights (OCR) enforces HIPAA compliance on behalf of the Department of Health and Human Services (HHS).
Protected Health Information (PHI)
Protected health information (PHI) is the data associated with a person's health. HIPAA attempts to preserve and maintain the privacy of protected health information. To declassify PHI, you must remove certain types of data defined by the Safe Harbor Rule.
Who Needs HIPAA Compliance?
According to HIPAA regulations, two types of organizations need to comply with this rule. They include:
Covered entities
A covered entity is a person or entity that uses and has access to PHI in a healthcare setting. This includes physicians, nurses, and healthcare insurers.
Business associates
A business associate works for a covered entity in a non-healthcare capacity, and they are liable for maintaining HIPAA compliance. In the healthcare industry, business associates include lawyers, accountants, administrators, and IT staff who access PHI.
What are HIPAA Rules?
Several HIPAA Rules are detailed in the HIPAA Regulations. HIPAA's regulations have all taken effect during the past two decades since its enactment in 1996.
HIPAA Rules include the following:
HIPAA Privacy Rule
HIPAA sets national standards for the privacy of PHI, and business associates have no protected entities under the HIPAA Privacy Rule.
Among the standards outlined by the HIPAA Privacy Rule are patients' rights to access protected health information, health care providers' rights to deny access to protected health information, the content of HIPAA release forms for uses and disclosures, and notices about privacy practices.
Organizations must define their regulatory standards in their HIPAA policies and practices. All employees must learn and attest to these policies and procedures annually.
HIPAA Notification of a Breach Rule
The HIPAA Breach Notification Rule is a set of guidelines that cover entities and business associates must follow in a data breach containing PHI or ePHI.
Based on the scope and size of the breach, the Rule lays out different requirements for breach reporting.
To comply with the HIPAA Breach Notification Rule, covered entities and business associates must notify HHS after a breach involving PHI or ePHI. However, reporting protocols vary based on the type of breach.
HIPAA Security Rule
The HIPAA Security Rule establishes federal standards for maintaining, transmitting, and handling electronically protected health information (ePHI). Due to the potential sharing of ePHI, both covered entities and business associates are covered under the HIPAA Security Rule.
Health care organizations must implement physical, administrative, and technical safeguards for the integrity and safety of ePHI under the Security Rule.
In the HIPAA Policies and Procedures, the organization must document the specifics of the regulations, and staff must receive annual training on these Policies and Procedures with documentation.
HIPAA Omnibus Rule
Business associates are also covered by the HIPAA Omnibus Rule, which was enacted to make HIPAA applicable to them and covered entities.
Among the requirements of HIPAA Omnibus Rule are that business associates must follow HIPAA regulations, and Business Associate Agreements (BAAs) must follow HIPAA regulations.
Before any PHI or ePHI can be transferred or shared, a covered entity and business associate must execute a Business Associate Agreement.
HIPAA Compliance Requirements
Computerized operations are becoming more prevalent among health care providers and other entities dealing with PHI. CPOE systems are automated systems for entering doctor orders, EHRs are electronic medical records, and radiology, pharmacy, and lab systems are all available.
In the same way, health insurance plans provide claims access, care management, and self-service applications.
These electronic methods provide greater efficiency and mobility, but they also dramatically increase the security risks to healthcare records7. Therefore, HIPAA compliance is of greater importance than ever before.
According to HHS, entities hosting sensitive patient data must adhere to both physical and technical safety measures:
According to HHS, entities hosting sensitive patient data must conform to both physical and technical safety measures:
- Access and control of the facility are limited, with authorized access in place
- Access and use policies for workstations and electronic media
- Electronic media and ePHI transfer, removal, disposal, and re-use restrictions
According to HIPAA, ePHI must be accessible only to authorized individuals through access control. Access control may include:
- The use of unique user IDs
- Logging off automatically
- Audit reports and tracking logs with information about hardware and software activity.
- Procedures for emergency access
- Decryption and encryption
In addition to technical compliance policies, there needs to be a system of integrity controls to ensure that health information about patients (ePHI) isn't altered or destroyed. To ensure accurate recovery of patient health information, off-site backups and disaster recovery systems are essential.
Elements of a HIPAA Compliance Program
These are the Seven Elements of a Successful HIPAA Compliance Program:
- Creating written standards, policies, and procedures.
- Establishing a compliance officer and compliance committee.
- Providing quality training and education.
- Establishing effective communication channels.
- Auditing and monitoring internal processes.
- Setting clear disciplinary guidelines and enforcing them.
- Adopting corrective action as soon as an offense is detected.
HIPAA auditors from OCR will evaluate your organization's compliance program in light of the Seven Elements as part of a HIPAA investigation in response to violating HIPAA.
HIPAA Violation
HIPAA violations are defined as failures to follow any standards and provisions detailed in 45 CFR Parts 160, 162, and 164.
A combined text of all HIPAA regulations published by the Department of Health and Human Services' Office for Civil Rights contains numerous provisions. HIPAA can be violated in several ways, but the most common are:
- Breach of databases
- An inadequate training program for employees
- Improper disposal of PHI
- Sharing PHI
- Loss or theft of a non-encrypted device
Non-compliance with HIPAA can carry penalties ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per violation per calendar year. Furthermore, individuals who violate the law may face jail time.
