HIPAA compliance is a significant talking point in IT and data protection today. The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal regulatory standards that govern the lawful use and disclosure of protected health information (PHI).
HIPAA is regulated by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). Put simply, compliance means a healthcare organization has put the right administrative, physical, and technical measures in place to protect the privacy, security, and integrity of PHI, which goes well beyond installing a firewall on the office computers.
For Starters, What Counts as Protected Health Information?
PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits: information about an individual's health condition, care, or payment for care that is tied to an identifier. Names, addresses, phone numbers, Social Security numbers, medical record numbers, full-face photos, and account or other financial information are among those identifiers, and the full list is longer than that.
Entities That Must Be HIPAA Compliant
There are two types of organizations that must be compliant: covered entities and business associates:
Covered entities are health care providers that transmit health information electronically, health plans (insurers), and health care clearinghouses. Business associates are organizations that create, receive, maintain, or transmit PHI on behalf of a covered entity in order to perform a function or service for it.
The second list is far longer because so many kinds of businesses can be involved: third-party consultants, managed service providers, storage and cloud providers, hosting services, attorneys, and hundreds of other groups. Note that a cloud or hosting provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key; only pure conduits that transmit data without storing it fall outside the definition.
What Do HIPAA Rules Consist of?
The rules to be aware of are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule.
The HIPAA Privacy Rule sets national standards for how covered entities may use and disclose PHI and for the rights individuals have over it, including the right to access and obtain a copy of their records and the narrow grounds on which a provider may deny access. Business associates are bound to its use-and-disclosure limits through their agreements and, since the Omnibus Rule, are directly liable for impermissible uses and disclosures. Workforce members must be trained on the organization's privacy policies and procedures, with documented confirmation; annual refresher training is the common way of meeting this requirement.
The HIPAA Security Rule governs the storage, transmission, and handling of electronic PHI (ePHI) and sets standards for its confidentiality, integrity, and availability. It spells out the administrative, physical, and technical safeguards that every covered entity and business associate must have in place. Each safeguard has implementation specifications that are either required or addressable; an addressable specification is not optional, but an organization may document why an alternative measure is reasonable and appropriate, or why the specification does not apply, instead of implementing it as written.
The HIPAA Breach Notification Rule sets out what covered entities and business associates must do when unsecured PHI or ePHI is breached. Every breach must be reported, but the timing depends on size: breaches affecting fewer than 500 individuals are logged and reported to HHS annually, while breaches affecting 500 or more must be reported to HHS without unreasonable delay and no later than 60 days after discovery, and also announced to prominent media outlets serving the affected area. Affected individuals must be notified within the same 60-day window in either case. A business associate that discovers a breach notifies the covered entity, which is responsible for notifying individuals unless the BAA assigns that task to the business associate. PHI that was encrypted in line with HHS guidance is not "unsecured", so the loss of a properly encrypted device is not a reportable breach.
Finally, the HIPAA Omnibus Rule (2013) extended direct liability for compliance to business associates as well as covered entities and set out the requirements for Business Associate Agreements (BAAs). A BAA is a contract that must be in place before a covered entity shares PHI or ePHI with a business associate, and a business associate must in turn have one with any subcontractor that handles PHI on its behalf.
What Is Needed for HIPAA Compliance?
All covered entities and business associates must meet the following HIPAA requirements:
Both must audit their organization against HIPAA standards on a regular (in practice annual) basis to find compliance gaps. A security risk assessment is necessary but not sufficient: it covers the Security Rule, while the Privacy and Breach Notification Rules must be assessed as well.
Once the self-audits have identified the gaps, remediation plans must be put in place to close them.
The plans must be fully documented and include the dates by which each gap will be fixed. Policies and procedures that correspond to the HIPAA regulatory standards must then be developed and kept up to date as the organization changes.
Staff must be trained on these policies and procedures when they join and whenever the policies change, with annual refreshers as the norm, and must be able to show that they understand them. HIPAA-beholden organizations must document every effort they make to become and remain compliant.
Both must keep a record of every vendor with whom they share PHI and execute Business Associate Agreements with each of them so that PHI is handled correctly. BAAs should be reviewed annually, and whenever the services or the regulations change.
If a covered entity or business associate suffers a breach, it must document every aspect of the breach and notify everyone affected, as the HIPAA Breach Notification Rule requires.
What Are the Elements of a Successful Compliance Program?
A successful compliance program consists of seven elements, defined by the HHS Office of Inspector General (OIG). They guide organizations that are vetting compliance solutions or building their own programs.
The elements are as follows:
– Implementing written policies, procedures, and standards of conduct.
– Conducting effective training and education so that everyone understands them.
– Designating a compliance officer and a compliance committee.
– Developing effective lines of communication.
– Conducting internal monitoring and auditing.
– Responding promptly to detected offenses and undertaking corrective action.
– Enforcing standards through well-publicized disciplinary guidelines.
These seven points are used to judge the effectiveness of a compliance program whenever a HIPAA investigation is carried out.
How Is HIPAA Violated?
A HIPAA violation is committed whenever an organization fails to meet a HIPAA standard; it is not the same thing as a data breach, although the two often go together. A breach is an impermissible use or disclosure that compromises PHI, for example when an employee's laptop holding unencrypted medical records is stolen.
The violation is the failure that made the breach possible or made it worse: in this example, not having assessed the risk of device theft, or not having a policy requiring encryption of laptops that hold ePHI. Had the laptop been encrypted in line with HHS guidance, the theft would not even count as a reportable breach.
There are plenty of ways a business can run into these problems. Loss or theft of laptops, phones, USB drives, and other hardware holding ePHI is one category.
Ransomware, other malware, and intrusions are another. Discussing PHI where it can be overheard or posting it on social media also qualifies, as do simple slips such as sending PHI to the wrong recipient by email or fax.
HIPAA violations fall into several categories: impermissible use and disclosure, inadequate access controls, failure to provide a notice of privacy practices, improper security safeguards, and failure to follow the minimum necessary rule.