A Complete Introduction
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal statute that Congress passed and President Clinton signed into law in 1996. The law protects health insurance coverage for workers who change or lose their jobs, and prohibits the disclosure of sensitive protected health information (PHI) without the patient’s knowledge or consent. HIPAA achieves these goals by mandating the creation of national standards.
HIPAA interacts with several other statutes: it amends the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act, and it was itself substantially amended and strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Practically, among other consequences, HIPAA requires the protection and confidential handling of PHI. The US Department of Health and Human Services (HHS) has issued various regulations to interpret and implement HIPAA’s requirements, including the HIPAA Privacy Rule and the HIPAA Security Rule, as described below.
What is the Purpose of HIPAA?
The purpose of HIPAA is to improve health insurance portability; to enhance healthcare industry efficiency; to protect patient and health plan member privacy; to keep healthcare information secure; and to notify patients of breaches of their health data.
First introduced in 1996, the earliest form of HIPAA legislation helped guarantee that workers would maintain health insurance coverage in between jobs. Even the early legislation required healthcare organizations to prevent healthcare fraud by securing patient data, although specific rules along those lines were not immediately developed.
HIPAA also introduced various standards intended to reduce the paperwork burden and enhance efficiency within the healthcare industry. Specifically, this meant requiring standard code sets and standard identifiers (such as the National Provider Identifier) that enable more efficient transfer of healthcare data between insurers and healthcare organizations, and streamlining healthcare operations such as billing, eligibility checks, and payments.
In addition, HIPAA enforces group health insurance requirements, prohibits the tax-deduction of interest on life insurance loans, and standardizes the amounts that users can save in pre-tax medical savings accounts.
Today, with the requirements added by the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003, HIPAA is best known for protecting patient privacy and ensuring patient data is appropriately secured. The Breach Notification Rule in 2009 added the requirement for notifying individuals of a breach of their health information.
The HIPAA Privacy Rule restricts the allowable uses and disclosures of protected health information (PHI), stipulating with whom, when, and under what circumstances PHI can be shared. The HIPAA Privacy Rule also gives patients on request access to their health data.
The purpose of the HIPAA Security Rule is to appropriately secure electronic health data, control access to it, and maintain an auditable trail of PHI activity.
For HIPAA purposes, protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form or medium. It includes demographic data that can identify a client or patient. Common examples of PHI identifiers include names, Social Security numbers, phone numbers, addresses, financial information, medical record numbers, and full facial photos.
PHI that is stored, transmitted, or accessed electronically is called electronic protected health information, or ePHI, and is also covered by HIPAA regulatory standards. The HIPAA Security Rule, which was created to cope with changes in medical technology, regulates ePHI wherever it is stored or transmitted.
What is HIPAA Compliance?
HIPAA compliance is simply legal adherence to the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The US Department of Health and Human Services (HHS) oversees and regulates HIPAA compliance. A precise HIPAA compliance definition will be different for each covered entity, because HIPAA is flexible by design.
Who Must Comply with HIPAA?
In many places, HIPAA requirements are left vague by design. This is because HIPAA requirements are equally applicable to any covered entity or business associate that accesses, creates, processes, or stores PHI, so flexibility is essential to the correct functioning of the law.
What is a Covered Entity?
A covered entity is a health plan, a health care provider that transmits health information electronically in connection with a HIPAA standard transaction, or a health care clearinghouse. Common points of confusion include:
- Most health care providers employed by a hospital are not separate covered entities; in these cases the hospital is the covered entity that must implement and enforce HIPAA policies.
- Employers are not covered entities merely because they maintain health care information about their employees (unless they are “hybrid entities” that provide benefits such as an Employee Assistance Program [EAP] or self-insured health coverage).
HIPAA includes these organizations and individuals in its definition of covered entities:
- Health care providers including doctors, dentists, psychologists, chiropractors, clinics, nursing homes, and pharmacies
- Health plans including company health plans, health insurance companies, HMOs, and government health care programs
- Health care clearinghouses that process healthcare data received from other entities
What is a Business Associate?
A business associate is a business or person that performs a certain activity or function for, or provides a service to, a covered entity that specifically involves access to PHI the covered entity maintains. Examples of business associates include accountants, billing companies, email encryption services, IT contractors, lawyers, HIPAA compliant cloud storage services, and even HIPAA compliance services.
Before the covered entity shares PHI, the two parties must enter into a business associate agreement (BAA) that binds the business associate to the same HIPAA requirements. Specifically, the BAA will clarify what PHI the business associate may access, how it may be used, and whether the business associate will return or destroy it once the stated task is finished.
What are HIPAA Compliance Requirements?
HIPAA compliance requirements can be intentionally vague. However, to achieve and maintain HIPAA compliance, each covered entity and business associate with access to PHI must ensure that certain technical, physical, and administrative safeguards are implemented and complied with. A more detailed discussion of the HIPAA guidelines and best practices for HIPAA compliance follows below.
The HIPAA Security Rule
The HIPAA Security Rule sets forth HIPAA security standards to protect PHI that is electronically accessed, created, processed, or stored (ePHI), both in transit and at rest. The rule applies to any system or individual that can read, modify, write, or communicate ePHI, including the personal identifiers that make such data identifiable.
The three elements of the HIPAA Security Rule are technical safeguards, physical safeguards, and administrative safeguards. Some of each type of safeguard are “required,” while others are “addressable.” HIPAA safeguards that are “required” must be implemented, while covered entities have some flexibility in how they deal with “addressable” safeguards. Entities may introduce an appropriate alternative or not implement the “addressable” safeguard if it is not reasonable to do so.
Entities can make those decisions based on their risk analysis, their risk mitigation strategy, and the security measures already in place. Any such decision must be documented in writing, including the results of the risk assessment, the factors that were considered, and the reasoning behind the decision.
Technical safeguards concern the technology that covered entities use to protect and offer secure access to ePHI. In the Security Rule’s own terms, encryption is an “addressable” specification, but in practice ePHI that leaves the organization’s internal firewalled servers, whether at rest or in transit, should be encrypted to NIST standards: HHS guidance treats properly encrypted data as “secured,” so its loss does not trigger breach notification, and a documented decision not to encrypt will be scrutinized. Access controls, activity logs, and audit controls are also required.
Beyond those technical safeguards and HIPAA compliance technology requirements, organizations may select the most appropriate mechanisms, such as specific mechanisms to authenticate ePHI, the choice of which tools for HIPAA encryption and decryption are used, and the facilitation of automatic log-off of PCs and devices.
Physical safeguards focus on secure physical access to ePHI without regard to its location. This is important because ePHI may be stored in the cloud, in a data center at a remote location, or on servers in the premises of the HIPAA covered entity. They also detail how to secure mobile devices and workstations against unauthorized access. Past that, organizations can address how to implement facility access controls and how to inventory and maintain hardware.
Administrative safeguards are the policies and procedures that tie the Privacy Rule and the Security Rule together in day-to-day operations. They govern workforce conduct, and comprise the core elements of a HIPAA compliance checklist. A Privacy Officer and a Security Officer must be designated to implement these administrative safeguards and protect ePHI.
The required administrative safeguards include: risk assessments, a risk management policy, a sanctions policy, a contingency plan, security incident response and reporting procedures, and restricted third party access via business associate agreements. Security awareness training is also a required standard, although several of its implementation specifications (such as periodic security reminders, log-in monitoring, and password management) are addressable, as is testing and revision of the contingency plan.
The HIPAA Privacy Rule
In force since its compliance date in 2003, the HIPAA Privacy Rule controls the use and disclosure of PHI in any form, paper or electronic. The Privacy Rule applies to all health care providers and organizations that are covered entities; health plans, including employer-sponsored plans; and health care clearinghouses. Since the 2013 Omnibus Rule, it also applies directly to the business associates of covered entities.
The privacy rule requires that covered entities and business associates of covered entities implement appropriate safeguards to protect the privacy of PHI. It also sets conditions on and limits to the use and disclosure of PHI without patient authorization. Furthermore, the privacy rule gives patients or their representatives rights over their own health data. This includes the right to examine or obtain a copy of their health records and request corrections if necessary.
The privacy rule requires covered entities to respond to patient access requests within 30 days. The rule also requires that covered entities issue Notices of Privacy Practices (NPPs) to advise plan members and patients of the circumstances under which their providers will share or use their data.
Under this rule, covered entities should also:
- Train employees to ensure they understand the rules for sharing information outside the organization’s security boundary
- Take appropriate steps to maintain the integrity of patients’ individual personal identifiers and other PHI
- Obtain written permission from patients before using their health information for purposes such as fundraising, marketing, or research
Covered entities must update their patient authorization forms to reflect the rule. The form should cover the patient’s right to restrict disclosure of PHI to a health plan when the patient has paid for the service out of pocket in full, the disclosure of immunization records to schools, and the patient’s right to request an electronic copy of their health records.
The 2009 HITECH Act expanded HIPAA compliance, penalties, and fines for violations of the law. Most critical changes include:
- The Breach Notification Rule requires HHS be notified of breaches of the information of 500 or more individuals within 60 days
- Enables clients to receive PHI in electronic format
- Establishes four fine categories for businesses
- Sets individual penalties for HIPAA violations
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires that covered entities notify affected individuals of any breach of their unsecured PHI. If the breach affects 500 or more individuals, the rule also requires entities to notify HHS without unreasonable delay and, when more than 500 residents of a state or jurisdiction are affected, to issue a notice to prominent media outlets serving that area.
The rule also requires that smaller breaches, those affecting fewer than 500 individuals, be reported to HHS. These are logged and submitted through the OCR web portal no later than 60 days after the end of the calendar year in which the breach was discovered. Affected individuals must still be notified within 60 days of discovery; only the report to HHS may wait until the annual submission, which gives the entity time to complete its initial investigation.
Covered entities should make breach notifications without unreasonable delay, and in no case later than 60 days following the discovery of a breach. Breach notifications should include:
- The nature of the PHI, including the kinds of personal identifiers that were exposed
- The unauthorized individual or entity to whom the disclosure was made or who used or accessed the PHI, if known
- Whether the PHI was actually viewed or acquired, if known
- A description of how far the risk of harm has been mitigated
When notifying a patient of a breach, the covered entity must:
- Inform the patient how they can protect themselves from potential harm
- Describe what the covered entity is doing to investigate the breach
- Describe mitigation and prevention actions taken against further security incidents and breaches so far
HIPAA Omnibus Rule
The HIPAA Omnibus Rule clarified policies and procedures, amended definitions, and enlarged the HIPAA compliance audit checklist. After the omnibus rule changes, HIPAA expanded to address several areas that previous updates had omitted, covering business associates and their subcontractors.
Business associates are any organization or individual that receives, creates, maintains, or transmits PHI as it performs functions on behalf of a covered entity. Business associate also includes consultants, contractors, health information organizations, data storage companies, and any subcontractors engaged by business associates.
The Omnibus Rule made five important changes to HIPAA regulations:
- Introduces the final amendments of the HITECH Act
- Incorporates HITECH’s increased, tiered civil money penalty structure
- Introduces the Breach Notification Rule from HITECH and changes to the harm threshold
- Prohibits the disclosure of genetic information for underwriting purposes by including the provisions of the Genetic Information Nondiscrimination Act (GINA)
- Prevents the use of personal identifiers and PHI for marketing purposes
Under the HIPAA Omnibus Rule, to achieve HIPAA audit compliance covered entities must:
Update business associate agreements. To account for the omnibus rule, covered entities must make business associates aware that they are bound by the same privacy rule and security rule regulations. They must therefore protect ePHI and personal identifiers by implementing the appropriate technical, physical, and administrative safeguards; provide assistance with breach notification procedures and report data breaches without delay to the covered entity; and comply with patient requests for access to their health information.
Along these lines, covered entities must also issue new HIPAA compliant business associate agreements before continuing to use business associate services. They must also update privacy policies to include the changes from the omnibus rule. These include responses to access requests, patient access rights, and amendments relating to deceased persons. Policies should also conform to the new limitations on the sale of PHI; the use of PHI in fundraising, marketing, and research; the disclosure of PHI and school immunizations, and disclosures to Medicare and insurers.
Update Notices of Privacy Practices (NPPs). Covered entities must update Notices of Privacy Practices (NPPs) to cover the right to opt out of fundraising correspondence, the types of information that require an authorization, and new breach notification requirements. Finally, covered entities must train staff on the omnibus rule definition changes and amendments and document all training.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule controls what happens after a PHI breach, including investigations, procedures for hearings, and possible HIPAA penalties for avoidable breaches of PHI. See discussion of fines and penalties below.
Organizations most frequently subject to enforcement action are hospitals; private medical practices such as individual doctors and dentists, and group practices; outpatient facilities such as rehabilitation centers and pain clinics; pharmacies; and insurance groups. The most common complaints made to HHS are:
- Unauthorized disclosures and misuse of patient records
- Inadequate or missing patient record protections
- Patients cannot access their records
- Unauthorized third party disclosures, or use of PHI beyond the minimum necessary
- No technological or administrative safeguards for ePHI
What is a HIPAA violation?
A HIPAA violation is any failure to comply with a HIPAA requirement, whether or not a data breach results. Conversely, not every data breach is a HIPAA violation: a breach that occurs despite a complete, effective, and properly followed compliance program may be reportable without being a violation.
When an incomplete, ineffective, outdated, or non-existent HIPAA compliance program, or a direct violation of functional HIPAA policies, causes a data breach, that breach is also a HIPAA violation. For example:
- A hospital employee uses an unencrypted company laptop to work. The laptop holds, or has access to, medical records.
- The unencrypted laptop is lost or stolen, and a data breach results.
- The HIPAA violations, against the employer hospital, concern a) the lack of encryption, b) the lack of a policy barring laptops being taken off site without being encrypted, and possibly c) how much access the device and/or employee have, in some situations.
The HIPAA Breach Notification Rule distinguishes between two types of data breaches and instructs covered entities and business associates how to respond to breaches.
A minor data breach is one that affects fewer than 500 individuals. The HIPAA Breach Notification Rule requires all entities subject to HIPAA to log every minor breach discovered during the year and report them to HHS OCR within 60 days of the end of that calendar year. Any individuals affected by a minor breach must still be notified that their data was involved within 60 days of discovery of the breach.
A meaningful data breach is one that affects 500 or more individuals. For these, the Breach Notification Rule requires all entities subject to HIPAA to: notify affected individuals without unreasonable delay and no later than 60 days after discovery; report the breach to HHS OCR within the same 60-day window; and, when more than 500 residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area so that potentially affected individuals are alerted. Law enforcement need not be notified, but a law enforcement agency may request that notification be delayed if it would impede an investigation.
The HHS posts all meaningful breaches on the HHS Wall of Shame or Breach Notification Portal, a permanent, searchable database of all such meaningful breach HIPAA violations that have occurred in the US since 2009. This archive serves as a concrete consequence for more serious HIPAA violations that have the potential to hurt brands who don’t protect patient information.
What are the Types of HIPAA Compliance Violations?
Common causes of HIPAA fines and violations include: lost or stolen laptops, mobile devices, phones, USB devices, and other hardware; ransomware attacks, malware incidents, and other hacking and cybersecurity breaches; business associate breaches; sending PHI to the wrong person in error; EHR breaches; office or facility break-ins; and social media posts, discussions outside the workplace, and other employee misconduct.
Typically, these HIPAA violations fall into several categories:
- Use and disclosure
- Improper security safeguards
- Access controls
- The minimum necessary rule
- Notice of Privacy Practices (NPP)
Use and disclosure violations have to do with improper distribution of PHI or ePHI by a covered entity or business associate to an incorrect party. For example, if a medical facility mailed patient PHI without their permission to the patient’s employer, this would be a HIPAA violation.
If the standards of the HIPAA Security Rule are not followed properly, improper HIPAA safeguards can result in a HIPAA violation. For example, to prevent HIPAA violations, covered entities and business associates must use proper physical, administrative, and technical safeguards to keep PHI and ePHI secure from cybersecurity attacks and ransomware.
The minimum necessary rule, part of the HIPAA Privacy Rule, states covered entity employees may only use, access, transmit, and handle the minimum amount of PHI they need to complete their task. If any unnecessary exposure of PHI takes place due to failure to follow the minimum necessary rule, it can be a HIPAA Privacy Rule violation and fine.
Access controls limit how many organizational employees have access to PHI. PHI access should be limited based on the employee’s specific roles and responsibilities; overly broad access controls are unnecessarily risky and can be the subject of HIPAA violations and fines.
The HIPAA Privacy Rule requires a Notice of Privacy Practices (NPP). Providers must give patients the NPP no later than the first service delivery, make a good-faith effort to obtain written acknowledgment of receipt, and post the notice in plain sight at the facility and on any public website.
What is the Penalty for a HIPAA Violation?
Penalties for HIPAA breaches vary according to the level of culpability, the nature of the HIPAA violation, and the amount of assistance provided to HHS during breach investigations. The HITECH Act of 2009 originally implemented these HIPAA penalties which increase each year for inflation.
The HIPAA Enforcement Rule describes four penalty tiers for HIPAA noncompliance violations:
- First Tier fines range from $100 to $50,000 per incident, and up to $25,000 per year. These fines apply when the entity did not know of the violation, and could not have reasonably known about it.
- Second Tier fines range from $1,000 to $50,000 per incident and up to $100,000 per year. These fines apply when the entity did not act with willful neglect, but knew of the violation, or would have known by exercising reasonable diligence.
- Third Tier fines range from $10,000 to $50,000 per incident and up to $250,000 per year. These fines apply when OCR finds the entity acted with willful neglect but corrected the problem within 30 days of discovering it.
- Fourth Tier fines start at $50,000 per incident; penalties can be as much as $1.5 million per year. These fines apply when the entity acted with willful neglect and then potentially worsened the problem by failing to remedy the issue in a timely way.
In cases where the HHS finds deliberate malicious intent, the Department of Justice may file criminal charges. In these situations there are multiple tiers of criminal violations just as there are with civil penalties for noncompliance, and some can result in jail time for violators.
Ignorance of the HIPAA compliance requirements is not a defense against HIPAA violation penalties that the OCR issues. Fines for non-compliance with HIPAA will stand under the law regardless of whether the violations are accidental or the result of bad faith.
How to Become HIPAA Compliant
The full text of HIPAA (45 CFR Parts 160, 162, and 164) has been condensed into 115 pages by the Office for Civil Rights (OCR) of the HHS. Technically, to ensure full HIPAA compliance you will need to apply the rules set forth in that text to your business. This is a huge task, and since any HIPAA compliance checklist should cover all provisions of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, a HIPAA audit checklist may be a good place to start.
Third-party HIPAA compliance security providers can also assess your policies, procedures, and practices to help your organization become HIPAA compliant. HIPAA compliance services can also assist your organization in selecting the right software for HIPAA compliance and other HIPAA compliance solutions.
Any HIPAA compliance strategy is likely to include several core components:
Create Privacy and Security Policies for the Organization
To achieve HIPAA compliance, covered entities and business associates must create privacy and security policies to prove that they have actively worked to prevent HIPAA violations. They must also document these policies, communicate their substance to staff, and update them regularly. During orientation and at least once a year, organizations must train staff on HIPAA policies, and employees must confirm in writing that they understand those policies and procedures.
HIPAA requires health care providers to create and distribute a Notice of Privacy Practices (NPP). Patients should be given the opportunity to review the covered entity’s privacy practices in the NPP and asked to acknowledge receipt in writing; the provider must make a good-faith effort to obtain that acknowledgment and document any refusal. The notice must also tell patients of their right to access copies of their PHI and how to exercise it.
Name a HIPAA Privacy Officer and a HIPAA Security Officer
Healthcare organizations should name an internal HIPAA expert in the form of a HIPAA privacy officer to manage keeping up with changes in HIPAA legislation, and the development, implementation, and annual updating of privacy policies. The HIPAA privacy officer also updates and manages BAAs, maintains NPPs, schedules self-audits and training sessions, and otherwise ensures organizational compliance with the HIPAA Privacy Rule.
HHS also recommends that larger organizations manage oversight and guide policy creation through a privacy oversight committee. Members of the committee must all stay abreast of changes to HIPAA regulations and undergo regular training.
Covered entities must also have a HIPAA security officer or HIPAA compliance officer who ensures there are procedures and policies in place to detect, prevent, and respond to data breaches involving ePHI. The HIPAA security officer establishes which safeguards the HIPAA Security Rule requires for the organization and gauges their effectiveness by conducting risk assessments.
Implement Security Safeguards
The security rule requires that covered entities and business associates secure ePHI using three types of safeguards: physical safeguards, technical safeguards, and administrative safeguards.
Organizations must secure and control access to physical facilities where they store ePHI and all devices and workstations that transmit or store ePHI. What physical safeguards are needed?
Control facility access (mandatory). Track the specific individuals with physical access to data storage carefully, including engineers and managers, but also repair, support, and custodial team members. Take all reasonable steps to block unauthorized entry.
Manage workstations (mandatory). Specify appropriate workstation use, describe how a screen should be guarded against parties at a distance, and limit which workstations can access health data as part of a formal workstation policy.
Protect mobile (mandatory). Ensure the organization’s mobile device policy removes data before circulating a device to another user.
Track servers (recommended). Maintain an inventory of all infrastructure that stores or processes ePHI, along with location information. Before moving servers, make a complete, verified copy of all data.
Organizations must secure ePHI in the EHR and other databases by deploying access controls and encrypting data both during transit and at rest. They must ensure ePHI is not improperly edited or deleted using integrity controls. And organizations must also ensure they meet HIPAA network requirements using audit controls for all software and hardware that manage or transmit ePHI.
What technical safeguards are needed?
Network encryption (addressable in the rule, mandatory in practice). Encrypt any ePHI to NIST standards whenever it leaves the internal network; HHS guidance treats data encrypted this way as secured, which keeps its loss outside the breach notification requirement.
Control access (mandatory). Assign each user a unique, centrally controlled user ID and authentication credential for access to systems holding ePHI, and restrict what each identity may see to the minimum necessary for its role. Create procedures for obtaining ePHI during an emergency.
Authenticate ePHI (addressable). Implement a mechanism to confirm that ePHI has not been altered, corrupted, or destroyed without authorization.
Encrypt devices (addressable). Especially important for laptops and mobile devices, all endpoint devices that access or store ePHI should encrypt data at rest.
Control activity audits (mandatory). Record in detailed logs how ePHI is accessed and modified, and log every access attempt, including denied ones, so that activity can be audited.
Enable automatic logoff (addressable). Terminate sessions after a period of inactivity appropriate to the setting; a shared clinical workstation warrants a much shorter timeout than an administrator’s desk. HIPAA compliant applications generally have automatic logoff enabled.
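The technical safeguards listed above translate into a small set of controls that any system holding ePHI has to enforce on every access. The following is an added example, not code from the original page or from any HIPAA product: a toy Python record store that ties together unique user identification, role-based minimum-necessary access, an audit log that records denied attempts as well as successful ones, an HMAC integrity check on each record, and automatic logoff of idle sessions. The role-to-field mapping, the 300-second timeout, the user and patient names, and the sample record are all assumptions constructed for the demonstration; it uses only the Python standard library.

```python
"""Added example: Security Rule technical safeguards in one small ePHI store."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed role -> readable fields mapping (hypothetical). This is the
# "minimum necessary" principle made concrete: billing staff never see
# clinical notes, and front-desk staff never see a diagnosis.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "notes"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "dob"},
}

INACTIVITY_TIMEOUT = 300  # seconds; an assumed local policy value, not a figure from the rule


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class EphiStore:
    """Record store that enforces the safeguards on every read."""

    def __init__(self, integrity_key: bytes, clock=time.time):
        self._key = integrity_key   # key for the per-record integrity MAC
        self._clock = clock         # injectable so the idle timeout is testable
        self._records = {}
        self._sessions = {}
        self.audit_log = []         # audit control: every attempt, allowed or denied

    def _mac(self, data: dict) -> str:
        canon = json.dumps(data, sort_keys=True).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def _audit(self, user_id, patient_id, action, outcome, fields=()):
        self.audit_log.append({"ts": self._clock(), "user": user_id, "patient": patient_id,
                               "action": action, "outcome": outcome, "fields": sorted(fields)})

    def put(self, patient_id: str, data: dict) -> None:
        # Integrity control: a MAC stored with the record exposes silent edits.
        self._records[patient_id] = {"data": dict(data), "mac": self._mac(data)}

    def login(self, user_id: str, role: str) -> None:
        # Unique user identification: every session belongs to one named user.
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self._sessions[user_id] = Session(user_id, role, self._clock())
        self._audit(user_id, None, "login", "ok")

    def read(self, user_id: str, patient_id: str, fields) -> dict:
        requested = set(fields)
        session = self._sessions.get(user_id)
        if session is None:
            self._audit(user_id, patient_id, "read", "denied: no session", requested)
            raise PermissionError("not logged in")
        now = self._clock()
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            del self._sessions[user_id]  # automatic logoff of the idle session
            self._audit(user_id, patient_id, "read", "denied: auto-logoff", requested)
            raise PermissionError("session expired")
        session.last_activity = now
        excess = requested - ROLE_FIELDS[session.role]
        if excess:
            self._audit(user_id, patient_id, "read", "denied: minimum necessary", excess)
            raise PermissionError(f"role {session.role!r} may not read {sorted(excess)}")
        entry = self._records[patient_id]
        if not hmac.compare_digest(self._mac(entry["data"]), entry["mac"]):
            self._audit(user_id, patient_id, "read", "denied: integrity failure", requested)
            raise RuntimeError("record integrity check failed")
        self._audit(user_id, patient_id, "read", "ok", requested)
        return {k: entry["data"][k] for k in requested}


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Exercise each safeguard against a constructed record; returns what happened."""
    clock = FakeClock()
    store = EphiStore(b"demo-only-key", clock=clock)
    store.put("p-001", {"name": "A. Patient", "dob": "1980-01-01", "diagnosis": "J06.9",
                        "notes": "follow up in 2 weeks", "insurance_id": "INS-12345"})
    store.login("dr.lee", "clinician")
    store.login("biller1", "billing")
    results = {}

    def attempt(label, user, fields):
        try:
            results[label] = store.read(user, "p-001", fields)
        except (PermissionError, RuntimeError) as exc:
            results[label] = f"{type(exc).__name__}: {exc}"

    attempt("clinician_ok", "dr.lee", ["name", "diagnosis"])
    attempt("billing_overreach", "biller1", ["name", "diagnosis"])
    clock.now += INACTIVITY_TIMEOUT + 1          # dr.lee has now been idle too long
    attempt("idle_session", "dr.lee", ["name"])
    store._records["p-001"]["data"]["diagnosis"] = "Z00.0"  # simulate an out-of-band edit
    store.login("dr.lee", "clinician")
    attempt("tampered_record", "dr.lee", ["diagnosis"])
    results["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the four outcomes and the audit trail; the denied attempts appear in the log alongside the successful read, which is what an auditor reviewing activity logs expects to find. In a real deployment the integrity key would live in a KMS or HSM rather than in source, and the records themselves would be encrypted at rest; this sketch deliberately shows only the access, audit, integrity, and logoff controls.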
Organizations must adopt an information access management system, designate security personnel, document security management processes, provide workforce security training, and assess all security protocols periodically.
What administrative safeguards protect ePHI? Several mandatory administrative safeguards, and a few that are addressable:
Risk assessment (mandatory). Identify and analyze the risks to all health data by completing a comprehensive risk assessment, then put measures in place to address the findings.
Systematic risk management (mandatory). Reassess risk assessment at regular intervals and implement measures to reduce risks to an appropriate level. Create a sanctions policy for employees who fail to comply with HIPAA privacy standards.
Build contingencies (mandatory). A preparation process that safeguards data assists in responding to disasters and achieving ongoing business continuity.
Block unauthorized access (mandatory). Ensure that parties such as parent companies or subcontractors that have not been granted access cannot view ePHI. Complete business associate agreements with all partners.
Train your staff (mandatory standard; several implementation details are addressable). Train employees on all ePHI access protocols and on recognizing cybersecurity risks such as hacking, phishing, and social engineering. Keep a record of these sessions.
Test your contingencies (addressable). Test your contingency plan regularly as it relates to all key software and adopt a restoration policy and backup system.
Document all security incidents (mandatory). Apart from the Breach Notification Rule, which addresses only incidents where PHI was actually compromised, recognize, document, and respond to all security incidents, including those that are stopped internally before data is breached.
Implement Privacy Safeguards
HIPAA’s privacy rule, which is actually called, “Standards for Privacy of Individually Identifiable Health Information,” protects PHI. Implement it as follows:
Respond promptly (mandatory). Under HIPAA organizations have only 30 days to respond to patient access requests.
Notice of Privacy Practices (mandatory). NPPs are required to inform subscribers and patients of data sharing policies.
Do not succumb to corruption (mandatory). Take appropriate steps to maintain the integrity of individual personal patient identifiers and ePHI.
Get authority (mandatory). Obtain written patient authorization before using PHI for fundraising, research, or marketing.
Update your copy (mandatory). Include in your authorization forms the patient’s right to restrict disclosure to health plans for services paid out of pocket, a reference to changes in the treatment of school immunizations, and the right of patients to an electronic copy of their records.
Privacy training (mandatory). Beyond other training, ensure your personnel understand which data can be shared, whether internally, externally, or both, and which data cannot be shared.
Conduct Risk Assessments and Self-Audits Regularly
Realize that HIPAA compliance is an ongoing process, not a one-time event. Covered entities and business associates are required to periodically evaluate all physical, technical, and administrative safeguards, and an annual self-audit is the usual way to meet that obligation. Once they identify gaps in compliance, organizations must create and document remediation plans that detail clearly how and when they plan to correct HIPAA violations.
Maintain Business Associate Agreements
Before sharing PHI with business associates, covered entities must enter into a BAA to obtain satisfactory assurances that the business associates can effectively safeguard the data and remain HIPAA-compliant. Covered entities must review and update all BAAs annually.
The HIPAA Omnibus Rule provides additional requirements for covered entities and business associates:
Update your BAA (mandatory). Refresh your BAAs to reflect changes from the Omnibus Rule.
Send new BAA copies (mandatory). Acquire signed copies of the refreshed, Omnibus-compliant BAA.
Update Notice of Privacy Practices (mandatory). NPPs must be updated to include the right to opt-out of correspondence for fundraising purposes, the types of information that require an authorization, and new breach notification requirements.
Finalize your training (recommended). Ensure all staff are trained on all Omnibus Rule changes.
Establish a Breach Notification Protocol
A HIPAA violation may not always mean serious trouble for an organization, particularly if it can prove the breach was unintentional and that it did everything possible to prevent breaches like it. Failing to report a breach, however, is always a problem.
The HIPAA Breach Notification Rule requires covered entities and business associates to notify patients whose PHI may have been compromised and report all breaches to OCR. HIPAA requires these organizations to create and document a breach notification process that explains how they will comply with the Breach Notification Rule.
A breach notification message must contain four elements:
- A description of the personal identifiers and other ePHI involved in the breach
- Whether details were merely viewed or actually taken or acquired, if known
- Who gained unauthorized access to PHI, if known
- How successful risk mitigation has been
Document All Actions and HIPAA Compliance Issues
Organizations are required to document all HIPAA compliance efforts, including security and privacy policies, self-audits, risk assessments, remediation plans, and staff training sessions. During HIPAA complaint investigations and HIPAA audits, OCR reviews all of this documentation, and having it also makes staying on top of all HIPAA audit requirements simpler for the team.
HIPAA compliance is part of any healthcare organization’s mission-critical business, because it protects patient privacy as well as the business and reputation of the provider. HIPAA compliance audit tools such as HIPAA compliance audit software are essential to the documentation stage. Some healthcare organizations choose HIPAA compliance audit services instead, but most large organizations do use some form of reporting tool.
What Should a HIPAA Risk Assessment Consist Of?
There is a lack of guidance throughout the HIPAA standards concerning what a HIPAA risk assessment should include. However, OCR does offer guidance concerning a HIPAA risk assessment’s objectives:
- Identify the PHI, including any PHI shared with vendors, consultants, and business associates, that your organization receives, creates, stores, and transmits.
- Identify natural, human, and environmental threats to the PHI’s integrity. Human threats should include both intentional (malware, hacking) and unintentional threats (lost device).
- Assess existing protective measures designed to protect PHI integrity, and how likely a “reasonably anticipated” breach is to occur.
- Analyze a PHI breach’s potential impact and assign a risk level to each potential occurrence based on the average of the assigned impact and likelihood levels.
- Document the results and implement procedures, policies, and corrective measures as needed to achieve or maintain HIPAA audit compliance.
- The HIPAA risk assessment must be kept for a minimum of six years, including all documentation, procedures and policies subsequently implemented, the rationale for the measures, and all other policy documents.
As mentioned above, a HIPAA risk assessment is not a one-time event, but a required ongoing process. Completing the HIPAA risk assessment and analyzing the results also assists organizations with many other HIPAA compliance areas. Organizations should review HIPAA risk assessment results routinely, and when changes to work practices, the workforce, or technology occur.
The transmission of unsecured ePHI across open networks and the theft or loss of mobile devices holding unencrypted data account for the vast majority of ePHI breaches. However, although not required in every case by current HIPAA regulations, encrypting all ePHI to NIST standards renders breaches of this kind easily avoidable.
Data encryption renders transmitted and stored data unusable in the event of loss or theft. If data encryption is not implemented, suitable alternatives should be used.
What is HIPAA Compliance Certification?
There is no official HHS-mandated HIPAA certification or accreditation process. Nevertheless, some organizations claim to be “certified HIPAA compliant,” which typically means they have successfully completed a third-party HIPAA compliance program and have implemented compliance mechanisms. Such a program can be beneficial and save time and money, because a HIPAA compliance certification demonstrates a covered entity’s or business associate’s understanding of and compliance with HIPAA regulations. This kind of third-party option is a reasonable alternative to an official process that does not exist.
Vendors that have developed services or products that would benefit healthcare organizations must provide reasonable assurances that they are aware of HIPAA requirements before covered entities may work with them. They will need to prove via a business associate agreement that they have trained staff on HIPAA guidelines, implemented appropriate privacy protections, and acquired secure technology for use with the ePHI.
A third-party HIPAA compliance certification can clarify which potential vendors are already HIPAA compliant. This eliminates the need for additional due diligence regarding reasonable assurances.
What is HIPAA Compliance Software?
HIPAA compliance software is designed to create a framework for guiding covered entities and business associates through the HIPAA compliance process, and ensuring ongoing HIPAA compliance and compliance with HITECH Act rules.
This type of HIPAA compliance tracking software assists compliance officers in navigating HIPAA’s contours and satisfying all provisions of the HIPAA security, privacy, breach notification, and omnibus rules. The software also maintains full documentation of all compliance activities, helping user organizations prove they have made a good faith effort to comply with HIPAA while reducing HIPAA compliance audit costs.
The end goal of this type of comprehensive software for HIPAA compliance is to stand up to HIPAA reporting requirements and potentially an OCR audit. Should the organization be investigated or audited concerning a data breach, HIPAA compliance management software works like a HIPAA compliance toolkit to ensure the organization can demonstrate: its policies and procedures are accurate and compliant; it has addressed every aspect of HIPAA; it has implemented appropriate physical, technical, and administrative safeguards; it has trained the staff; and it is assessing and maintaining all safeguards over time.
It is important to realize that using HIPAA audit software does not automatically absolve organizations of responsibility for all employee HIPAA violations. However, regulators do consider the good faith efforts of a covered entity or business associate to comply with HIPAA when deciding on an appropriate sanction—if one is appropriate at all.
Although the phrases HIPAA compliant software and HIPAA compliance software may be used interchangeably by some vendors, the two are very different things.
HIPAA compliance software is, as described, an application, software package, or service that guides users through the HIPAA compliance process in some way. This kind of HIPAA compliance software may address specific elements of HIPAA compliance such as a package that provides risk assessments. Another type of software useful in this context may perform a relevant function such as audit-focused record keeping and data collection. A third type of HIPAA compliance software might offer a total HIPAA compliance solution.
In contrast, HIPAA compliant software merely refers to any app, software, or service intended for use by healthcare providers and organizations that meets HIPAA requirements due to its security and privacy safeguards. For example, hosting services, secure messaging solutions, and secure HIPAA cloud storage services might all be HIPAA compliant software—but they do not relate to achieving HIPAA compliance directly. The user of these HIPAA software solutions retains the responsibility to use them in HIPAA-compliant ways.
Why HIPAA is Important
HIPAA introduced several important benefits for the healthcare industry to ease the transition from paper to electronic health records. HIPAA has helped to improve efficiency in the healthcare industry, streamline administrative healthcare functions, and ensure protected health information is shared securely.
HIPAA standards require all covered entities to use the same code sets and nationally recognized identifiers for recording health data and electronic transactions. This ensures more seamless transfer of electronic health information between health plans, healthcare providers, and other covered entities.
The greatest benefits of HIPAA accrue to patients. HIPAA ensures that healthcare clearinghouses, healthcare providers, health plans, and business associates of covered entities implement multiple safeguards to protect sensitive health and personal information.
Although ideally no healthcare organization intends to expose, lose, or risk theft of health information or sensitive data, without HIPAA they would not be required to safeguard data, and there would be no consequences for failing to do so.
HIPAA requires that healthcare organizations restrict who can view health information, control access to health data, and limit who health information can be shared with. Any information disclosed to health plans and healthcare providers, and data that is created, stored, or transmitted by them, is subject to HIPAA’s strict security controls. HIPAA also gives patients control over who their healthcare providers disclose their information to.
HIPAA allows patients to obtain copies of their health information and take more control over their healthcare, checking for errors and requesting that mistakes are corrected. The ability to access a copy of health information also helps patients when they seek treatment from new healthcare providers, because tests need not be repeated, and the entire health history can inform the decisions of the new provider. Before HIPAA, healthcare organizations were not required to release copies of patients’ health information.
How to Stay HIPAA Compliant
It is certainly possible to implement appropriate policies, procedures, and safeguards to achieve HIPAA compliance. However, remaining HIPAA compliant can be challenging, particularly because HIPAA compliance is an ongoing process.
Several factors are key to maintaining HIPAA compliance:
- Ongoing assessment and regular risk analyses to determine whether safeguards remain effective and staff understand their PHI and HIPAA responsibilities;
- Identification of new risks to availability, integrity, and confidentiality of PHI, and mitigation of those risks;
- Documentation in detail of all compliance efforts for regulator inspection in the event of a PHI breach, a HIPAA complaint, or a HIPAA audit; and
- Use of HIPAA compliance software and other third-party HIPAA compliance solutions to provide staff training, conduct internal audits, conduct ongoing HIPAA risk analyses, and perform documentation checks.
Who Enforces HIPAA?
The Office for Civil Rights (OCR) of HHS enforces the HIPAA Security and Privacy Rules. For most covered entities, enforcement of the Privacy Rule began in 2003, and since then OCR has obtained a range of corrective actions from covered entities. The Security Rule has applied to HIPAA covered entities since 2005, and OCR became responsible for enforcing it in 2009.
HIPAA Compliance in the COVID-19 Context
Healthcare provision is significantly different during a pandemic, and so is HIPAA compliance during a disaster. Both are also poised to change significantly over the coming years, and maintaining privacy and HIPAA compliance will likely become more difficult.
As of March 15, 2020, a very limited HIPAA waiver tailored for the pandemic has been in place concerning certain provisions of the HIPAA Privacy Rule:
- 45 CFR 164.510(b): This covers requirements to obtain patient agreement before speaking with people involved in the patient’s care such as family members or friends
- 45 CFR 164.510(a): The requirement to honor opt out requests for facility directories
- 45 CFR 164.520: The requirement to distribute NPPs
- 45 CFR 164.522(a) and (b): The patient’s right to request privacy restrictions and right to request confidential communications, respectively
This HIPAA waiver applies only: to hospitals that have implemented their disaster protocol; in areas covered by the public health emergency; and for one 72-hour period from the time the disaster protocol is implemented. When either the HHS or Presidential declaration terminates, even if 72 hours have not elapsed, hospitals must once again comply with Privacy Rule requirements for patients still in their care.
A rising number of online healthcare provider visits has also made data protection more difficult. However, OCR states that covered health care providers can provide telehealth to patients during the COVID-19 nationwide public health emergency using any non-public facing, audio or video remote communication product. This includes Google Hangouts video, Zoom, FaceTime, and Facebook Messenger Chat. If possible, providers should use HIPAA-compliant platforms.
Public-facing platforms are treated differently. The Notice of Enforcement Discretion does not apply to public-facing video and chat platforms such as TikTok or Facebook Live.
Use and Disclosures of PHI
In a public health emergency, PHI can be disclosed without patient authorization for limited reasons. Disclosures are also permitted for treatment purposes, for patient referrals, for coordinating and managing care, and for consultations with other healthcare professionals.
The infectious nature of COVID-19 makes it essential for public health authorities such as the Centers for Disease Control and Prevention (CDC), covered entities, and public safety officials to share information to ensure public health and safety. To protect public safety, it is sometimes permissible for these actors to share PHI without obtaining patient authorization to help prevent and control injury, disease, and disability.
If such disclosures are permitted by other laws, disclosures of PHI without patient permission are also permitted to mitigate or prevent an imminent, serious threat to the public in general or a specific person. In such situations, healthcare professionals should decide whether to make these disclosures using their professional judgement and discretion to judge the severity and nature of the threat.
In March 2020, OCR provided further guidance in the context of COVID-19 for covered entities on permitted disclosures of PHI that do not require a HIPAA authorization. These disclosures may be made to law enforcement officers, first responders, paramedics, and public health authorities.
Essentially, disclosures of minimal PHI related to risk of contracting COVID-19 necessary to allow individuals to safely provide treatment or services are permitted. For example, in the guidance document, examples of permitted disclosures include EMS personnel receiving a list of COVID-19 positive individuals from EMS dispatch to safely respond to a call where there is a risk of infection. The focus is on allowing essential workers enough information to use personal protective equipment (PPE) and take other appropriate precautions.
Aside from what is described in that document, any PHI disclosed by healthcare providers is controlled by the minimum necessary rule, sometimes called the minimum necessary requirement or minimum necessary standard. This rule states that covered entities should make reasonable efforts to limit access to PHI to only the minimum necessary to achieve the particular purpose, request, or use for the disclosure.
Does Shujinko Offer a HIPAA Compliance Software Solution?
Shujinko’s AuditX™ SaaS platform translates complex standards requirements like those set forth by HIPAA into easily understandable tasks resulting in organized, simple, faster audits.
The AuditX platform is designed to support a broad range of standards frameworks including HIPAA, HITRUST, GDPR, CCPA, FedRAMP, and custom controls as well as NIST CSF, PCI DSS, ISO 27001, and SOC 2 (Type I and II).
AuditX systematically automates evidence collection, guides users through the audit preparation process, and tracks overall audit readiness and progress to ensure critical deadlines are met. Customers can achieve compliance 3x faster with this HIPAA audit tool, freeing up scarce engineering resources to focus on critical business priorities.
With the “push of a button,” the extensible software automation engine crawls and collects key evidence for security and compliance audits directly from AWS, Azure, and GCP cloud infrastructure. The results come to you in organized, formatted, auditor-ready PDF reports.
The automated evidence collection engine architecture is designed to be extensible across API accessible services, clouds, and 3rd party systems. It is scalable, rapidly processing extremely large jobs, and robust for large complex enterprise environments.
Users deploy AuditX across IT environments in Azure, AWS, GCP, and on-premises. As a complement to any existing GRC tools in use, customers use AuditX for evidence collection, audit preparation and readiness, and creation of HIPAA compliance audit reports; the AuditX SaaS platform is also designed for easy API integration.
Learn more about how AuditX can help you automate audit preparation and achieve HIPAA compliance.
Automate Audit Preparation
Get ahead of your upcoming audit deadlines and compliance initiatives. Ditch the shared spreadsheets, back and forth email, and unclear evidence requests. Start working with Shujinko’s AuditX tool to simplify, automate, and modernize audit preparation for your cloud-first enterprise.