Ensuring Patient Privacy: A Guide to HIPAA Compliance

Key Points

• HIPAA compliance requirements involve meeting the standards set by the Privacy Rule, Security Rule, and Breach Notification Rule along with meeting the seven elements of an effective compliance program. A step-by-step compliance checklist helps companies become compliant efficiently. 

• HIPAA violations are fined based on a tier system ranging from $100 – $50,000+ per incident depending on severity. 

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a set of regulatory standards that intend to protect private and sensitive patient data from hospitals, insurance companies, and healthcare providers. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and the provisions of the Act are enforced by the Office for Civil Rights (OCR). 

The OCR investigates HIPAA violations that compromise the integrity of protected health information (PHI) and levies appropriate fines based on a tiered structure with corresponding caps. Criminal charges may be applicable for some incidents.

PHI is any demographic information that can be used to identify a patient or client of a HIPAA-beholden company. Examples include medical records, Social Security numbers, names, phone numbers, addresses, financial information, or full facial photos. 

The Safe Harbor provision, a part of the HIPAA Privacy Rule, outlines how PHI can be de-identified (i.e. certain identifiers about the patient and patient’s relatives, employers, and household members are removed). After de-identification, it is no longer considered PHI and no restrictions exist on its use or disclosure. The de-identified data can now be used in research and comparative studies. 

Consider these recent examples of HIPAA enforcement:

• A dental practice in North Carolina was fined $50,000 after a patient left a poor Google review anonymously and the practice, in its response, revealed the patient’s full name.

• Lifespan Health System was required to pay $1,040,000 for a breach of electronic PHI (ePHI) after the theft of an unencrypted laptop that affected 20,431 people.

Since the compliance date of the Privacy Rule in April 2003, companies have paid fines worth $131 million for failing to protect patient data as required by HIPAA. Thus, companies that handle PHI must implement physical, process, and network security measures to stay HIPAA-compliant. 

In this article, we will explain what HIPAA compliance is and share a step-by-step HIPAA compliance checklist that encompasses everything you need to know. 

What is HIPAA Compliance?

HIPAA compliance involves the process that covered entities and business associates must follow to protect and safeguard protected health information (PHI) as is required for HIPAA certification.

Covered entities are individuals who use and have access to PHI and business associates are individuals who work with covered entities in a non-healthcare capacity and have access to PHI. 

What are The HIPAA Compliance Requirements?

HIPAA compliance has become more important than ever because healthcare providers and associated entities are moving to electronic data collection, processing, and storage, increasing the risk of data breaches. 

Compliance involves meeting the requirements of HIPAA, its amendments, and related legislation like HITECH. Should there be a breach of PHI, HIPAA-beholden companies should follow the procedure outlined in the Breach Notification Rule. 

Two types of organizations must conform to HIPAA requirements:

1. Covered entities – Any company that provides treatment, operations, and payment in healthcare and consequently creates, collects, or transmits PHI electronically is considered a covered entity. Examples are healthcare providers, health insurance providers, and healthcare clearinghouses.

2. Business associates – Any company that has access to PHI and provides support in the form of treatment, operations, or operations is considered a business associate. Examples include cloud storage providers, third-party consultants, billing firms, IT providers, practice management companies, email hosting services, managed service providers, and electronic health record (EHR) platforms.

HIPAA consists of various HIPAA Rules, some of which are:

• The HIPAA Privacy Rule puts in place national standards for safeguarding patients’ rights to PHI, giving the patient a copy of HIPAA release form. It applies only to covered entities. 

• The HIPAA Security Rule establishes national standards for protecting the handling, transmission, and maintenance of ePHI. Covered entities and their business associates are subject to this rule. 

The Security Rule puts in operation the Privacy Rule’s protections by establishing the technical and non-technical safeguards that covered entities must implement to make ePHI safe. 

7 Important Points That Form an Effective HIPAA Compliance Program

The HHS Office of Inspector General (OIG) established the Seven Elements of an Effective Compliance Program, which is intended to help companies evaluate compliance solutions or build their own compliance programs. 

In addition to meeting HIPAA Privacy Rule and Security Rule standards, an effective compliance program should be able to handle these seven elements:

• Implementing written policies and procedures with respect to a code of conduct/ethics, corporate compliance program, disaster recovery plan, and training, acknowledgment, and corrective action plans
• Assigning a compliance officer and setting up a compliance committee
• Imparting effective education and HIPAA training
• Building open lines of communication
• Performing internal auditing and monitoring to check for relevance
• Enforcing through well-publicized disciplinary guidelines
• Reacting promptly to violations and executive corrective action plans

During OCR investigations of HIPAA violations, federal HIPAA auditors will compare the company’s compliance program against these seven elements.  

Also check out: Best HIPAA compliance software

HIPAA Compliance Checklist

You will need a HIPAA compliance checklist to ensure that your company, service, or product incorporates the necessary physical, technical, and administrative safeguards of the HIPAA Security Rule. You also need to meet the standards set by the Privacy Rule and Breach Notification Rule.

Let’s understand the five steps you need to take to achieve HIPAA compliance: 

Understand the HIPAA Privacy Rule

The first step is to become familiar with the HIPAA Privacy Rule, which has provisions for implementing safeguards to protect the privacy of PHI and setting limits on the access and use of PHI. The Rule also confers certain rights to patients over their PHI, such as the right to examine and obtain a copy of their health records and to request corrections.

Determine whether the Privacy Rule applies to you

Next, evaluate and confirm whether the Privacy Rule applies to your healthcare organization, practice, or business. The Privacy Rule safeguards individual PHI by regulating the practice of all covered entities, which include nurses, doctors, insurance providers, and lawyers.

Protect patient data

Now, understand what types of patient data you need to safeguard and establish the appropriate security and privacy measures. 

The Privacy Rule denotes PHI as “individually identifiable health information” that is transmitted or stored by covered entities or their business associates. It can take any form—verbal, electronic, or paper. 

Individually identifiable health information is considered to include all information that deals with a patient’s mental health or physical condition, their healthcare requirements, and payment for their healthcare requirements. It also includes the patient’s demographic information. 

The Security Rule mandates three types of safeguards for PHI:

1. Technical 

They focus on the technology used to protect and provide access to ePHI. They also specify that ePHI, in transit or at rest, must be encrypted to NIST standards once it moves beyond the firewalled servers of a company. This makes the data undecipherable, unreadable, and unusable. 

Technical safeguards include:

• Implementing a means of access control
• Introducing a mechanism to authenticate ePHI
• Implementing tools for encryption and decryption
• Introducing activity logs and audit controls
• Facilitating automatic log-off of devices and desktops

2. Physical

They center on physical access to ePHI regardless of its location. ePHI could be stored in the cloud, remote data centers, or on servers within the premises of the covered entity. They also specify how mobile devices and workstations should be protected against unauthorized access. 

Physical safeguards include:

• Facility access controls
• Policies for the use and access of workstations and mobile devices
• Inventory of hardware

3. Administrative 

They are the policies and procedures that bring together the Privacy Rule and the Security Rule. They mandate the assigning of a Privacy Officer and Security Officer to implement measures to protect ePHI and also govern the conduct of the workforce.  

Administrative safeguards include:

• Conducting HIPAA risk assessments
• Introducing a risk management policy
• Training employees to be secure
• Developing and testing a contingency plan
• Restricting third-party access
• Reporting security incidents

Also find out the different components of HIPAA

Avoid possible HIPAA violations

HIPAA violations can occur in a variety of ways so take the time to understand what constitutes a violation and how you can prevent it. 

Being HIPAA-compliant does not mean preventing all data breaches; instead, it means lowering risks to an acceptable and appropriate level. 

HIPAA violations are commonly due to internal reasons and not external data breaches or hacks. Many violations are a result of negligence (such as failing to perform an organization-wide risk analysis) or inadequate compliance with the Privacy Rule.  

Violations may be deliberate or unintentional. Failing to issue a breach notification within the maximum timeframe of 60 days after discovery of a breach is a deliberate violation. Failing to properly configure software like Office 365 for HIPAA compliance is an unintentional violation. 

Data breaches under HIPAA

HIPAA considers any unauthorized possession, use, access, or release of protected health information that puts its privacy or security at risk to be a data breach. 

To prevent data breaches, you need adequate internal security measures and training as well as a robust cybersecurity program. 

Recognizing common HIPAA violations

You should be familiar with the variety of scenarios and cases that can trigger a violation. The 10 most frequently-occurring HIPAA violations are:

• Failure to conduct an organization-wide risk analysis
• Absence of a risk management process or failure to manage security risks
• Snooping on healthcare records
• Refusing to give patients access to their health records or exceeding the timeframe for giving access
• Failure to form a HIPAA business associate agreement
• Exceeding the 60-day timeframe for putting out breach notifications
• Incorrect disposal of PHI
• Impermissible disclosures of PHI
• Failure to encrypt ePHI on portable devices
• Failure to implement ePHI access controls

Anticipating a minor breach

According to the HIPAA Breach Notification Rule, any affected patient or customer should be notified about the theft, compromise, or risk exposure of their PHI. 

In case of a minor breach, which is one that affects fewer than 500 people in a single jurisdiction, HIPAA requires you to gather data on all minor breaches that occur throughout a year and report them to HHS OCR  within 60 days of the end of the year in which they occurred. 

Affected individuals must be informed within 60 days of the breach discovery.

Prepping for a meaningful breach

Breaches that affect more than 500 individuals in a single jurisdiction are meaningful breaches. They must be reported to HHS OCR within 60 days of breach discovery. All affected individuals should be informed upon immediate discovery of the breach. Local law enforcement agencies and media agencies should also be notified immediately so that they can alert the affected people.

The HHS Wall of Shame is a permanent repository of all meaningful HIPAA violations in the United States since 2009. 

Being aware of fines and penalties

OCR prefers to resolve HIPAA violations through non-punitive methods like voluntary compliance or offering technical guidance to assist covered entities with non-compliant areas. However, if the violation is severe or has been allowed to linger for long, tier-based financial penalties are imposed:

Tier 1 – A violation that the covered entity was not aware of and could not have realistically prevented. Reasonable care was taken to conform to HIPAA Rules. Fines of $100 – $50,000 per incident 

Tier 2 – A violation that the covered entity should have been aware of but which could not be prevented even with a reasonable amount of care. Fines of $1,000 – $50,000 per incident

Tier 3 – A violation that occurred due to willful neglect of HIPAA Rules, in instances where attempts were made to correct it. Fines of $10,000 – $50,000 per incident

Tier 4 – A violation that occurred due to willful neglect, wherein no effort has been made to correct it. Fines of $50,000 and above

Meeting transaction standards

HIPAA requires all data transactions or transmissions to meet the X12 Data Exchange Standard. Some of the common transactions are:

• Claims status
• Coordination of benefits
• Payment and remittance advice
• Eligibility
• Referrals and authorizations

Stay updated with HIPAA changes

HIPAA compliance is an ongoing process so you need to stay up-to-date with the latest developments. The recent additions to HIPAA are:

• Allowing patients to examine their PHI in person and take notes or photographs
• Decreasing the maximum time for providing access to PHI from 30 days to 15 days
• Required entities must publish their fee schedule for PHI access and disclosure on their websites
• Enlarging the definition of healthcare operations to encompass care coordination and case management. 

What are HIPAA violations?

A HIPAA violation occurs when a covered entity or its business associates fail to abide by one or more provisions of the Privacy Rule, Security Rule, or Breach Notification Rule and compromises the integrity of PHI or ePHI. 

Not all data breaches are HIPAA violations. If the data breach is caused by an outdated, ineffective, or incomplete HIPAA compliance program or a direct violation of the company’s HIPAA policy, then it becomes a HIPAA violation. 

The OCR issues fines on a sliding scale ranging from $100 – $50,000 per incident depending on the severity of the violation. If it finds that the investigated company deliberately committed a violation due to “willful neglect” of HIPAA Rules, it may levy heavy fines to the tune of $50,000+.

HIPAA violations may be discovered in three ways:

• OCR investigations into a data breach
• OCR investigations into complaints about covered entities or business associates
• HIPAA compliance audits

Take a look at these examples of penalties due to HIPAA violations to understand why compliance is important:

• Premera Blue Cross, the largest health plan in the Pacific Northwest, was fined $6.85 million for a 2014 data breach that compromised the ePHI of 10.4 million people. The OCR discovered a failure to conduct risk analysis and risk management. 

• University of California Los Angeles Health System, a healthcare provider, was fined $865,000 for failing to restrict access to medical records. Dr. Huping Zhou, an employee, accessed the records of celebrities and other patients without authorization and was the first physician to be jailed for a HIPAA violation. 

• Banner Health, one of the largest healthcare systems in the United States, was fined $200,000 for long delays in responding to patients’ requests for access to their medical records. 

Conclusion

HIPAA was developed to ensure the privacy of patient PHI and its safeguards are intended to help healthcare organizations take necessary measures to secure patient data. HIPAA compliance may seem like a daunting task but adopting a step-by-step approach with a compliance checklist will help you achieve it quickly. 

You can become HIPAA-compliant quickly and effortlessly with Sprinto’s assistance in crafting HIPAA policies, establishing controls, and collecting evidence. 

Book a Sprinto demo today! 

FAQ: HIPAA Compliance

What is HIPAA compliance in healthcare?

HIPAA compliance in healthcare involves fulfilling the requirements of HIPAA, its later amendments, and related laws like HITECH. Companies dealing with protected health information (PHI) should implement physical, process, and network security measures to be HIPAA-compliant. 

Who needs to be HIPAA compliant?

Covered entities (individuals with access to PHI like doctors, nurses, and insurance companies) and business associates (individuals that support covered entities in a non-healthcare capacity and have access to PHI such as IT personnel, administrators, lawyers, and accountants) need to be HIPAA-compliant. Other entities like subcontractors or related business associates should also comply with HIPAA law. 

What are the HIPAA requirements?

HIPAA compliance requirements are intentionally vague because the HIPAA Rules apply equally to all covered entities and business associates that access, process, create, or store PHI. All HIPAA-beholden entities must have technical, administrative, and physical safeguards to protect the integrity of PHI as per the Privacy Rule and Security Rule. 

In case of a breach of PHI, the HIPAA Breach Notification Rule should be followed. 

What are HIPAA violations?

HIPAA violations are breaches in a company’s compliance program that compromise the integrity of PHI or ePHI. Data breaches are HIPAA violations if they occur as a result of a direct violation of the company’s HIPAA policy or an ineffective or outdated compliance program.