A Comprehensive Guide to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 is a set of regulatory standards that aims at safeguarding sensitive patient data from healthcare providers. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and the provisions of the Act are enforced by the Office for Civil Rights (OCR). 

A PHI encompasses information such as patient details, electronic records, medical records, Social Security numbers, names, addresses, and more. The OCR investigates HIPAA violations that compromise the integrity of protected health information (PHI) and levies appropriate fines based on a tiered structure. 

Recent HIPAA enforcement cases such as when, Lifespan Health System was required to pay $1,040,000 for a breach of electronic PHI (ePHI) after the theft of an unencrypted laptop that affected 20,431 people demonstrates the consequences of data breaches and the importance of data protection and information security. 

Hence, being HIPAA compliant is significant for the organization to enact appropriate security measures. In this article, we will explain how to be HIPAA compliant and share a step-by-step HIPAA compliance checklist that encompasses everything you need to know.

What is HIPAA compliance?

HIPAA compliance involves the process that covered entities and business associates must follow to protect and safeguard protected health information (PHI) as is required for HIPAA certification.

Entities that process PHI should establish physical networks and process security measures ensuring HIPAA and protecting patient data privacy. Covered entities, business associates and individuals with access to PHI are also bound to follow these requirements to pertain to the HIPAA compliance regulations.

Who is required to be HIPAA compliant?

HIPAA compliance has become more important than ever because healthcare providers and associated entities are moving to electronic data collection, processing, and storage, increasing the risk of data breaches. Being compliant involves meeting the requirements of HIPAA, its amendments, and related legislation like HITECH. Entities that are required to be HIPAA compliant include:

Covered entities – Any company that provides treatment, operations, and payment in healthcare and consequently creates, collects, or transmits PHI electronically is considered a covered entity. Examples are hospitals, nursing homes, health care providers, medical care entities, health insurance providers, and health care clearinghouses.

Business associates – Any company that has access to PHI and provides support in the form of treatment, operations, or operations is considered a business associate. Examples include cloud storage providers, third-party service providers, billing firms, IT providers, practice management companies, email hosting services, managed service providers, and electronic health record (EHR) platforms.

These covered entities are subjected to HIPAA and are expected to implement security measures that safeguard the PHI. Failure to comply might result in legal consequences.

HIPAA rules you need to follow

HIPAA rules are a set of guidelines and regulations established to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI). Moreover, HIPAA rules give patients certain rights regarding their healthcare information. Different types of HIPAA rules are listed below: 

• The HIPAA Privacy Rule puts in place national security standards for safeguarding patients’ rights to PHI, giving the patient a copy of the HIPAA release form. It applies only to covered entities. (Read more on HIPAA privacy rule)

• The HIPAA Security Rule is a national standard for protecting the handling, transmission, and maintenance of ePHI. Covered entities and their business associates are subject to this rule. (Read more on HIPAA security rule)
  
• The HIPAA breach notification rule instructs organizations about how to act and what to do in case of a data breach and the reporting of breaches. (Read more on HIPAA breach notification rules)
  
• The HIPAA Transaction Rule was introduced to protect healthcare services and related entities to take necessary security steps to protect the integrity of ePHI while performing various transactions.
  
• The HIPAA enforcement rule was introduced to increase the civil and criminal penalties for data breaches. Also, it mandates federal privacy and security breach reporting requirements. (Read more on HIPAA enforcement rule)
  
• The HIPAA identifiers rule was introduced to ensure that organizations only share PHI with legitimate organizations. Every organization should identify itself with a unique identification number, ensuring that organizations only share the requested PHI with HIPAA-recognized entities. (Read more on HIPAA identifiers)
  
• The Omnibus Rule, also known as the HIPAA final rule, was incorporated as an update to HIPAA regulations, such as new requirements for breach notifications were established with the intention of bolstering existing controls. (Read more on Omninus rule)

Aspects to consider for effective HIPAA compliance 

The importance of adhering to an effective HIPAA Compliance program cannot be overstated. The HHS Office of Inspector General (OIG) established the Seven Elements of an Effective Compliance Program, which is intended to help companies evaluate compliance solutions or build their own compliance programs. 

In addition to meeting HIPAA Privacy Rule and Security Rule standards, an effective compliance program should be able to handle these seven elements:

• Implementing written policies and procedures with respect to a code of conduct/ethics, corporate compliance program, disaster recovery plan, and training, acknowledgment, and corrective action plans
• Assigning a compliance officer and setting up a compliance committee
• Building open lines of communication
• Imparting effective education and HIPAA training
• Performing internal auditing and monitoring to check for relevance
• Enforcing through well-publicized disciplinary guidelines
• Reacting promptly to violations and executive corrective action plans

During OCR investigations of HIPAA violations, federal HIPAA auditors will compare the company’s compliance program against these seven elements.  

Check out How Sprinto enabled Neurosynaptic to embrace compliance automation to swiftly complete HIPAA.

HIPAA compliance checklist

You will need a HIPAA compliance checklist to ensure that your company, service, or product incorporates the necessary physical, technical, and administrative safeguards of the HIPAA Security Rule. You also need to meet the standards set by the Privacy Rule and Breach Notification Rule

Let’s understand the five steps you need to take to achieve HIPAA compliance: 

Understand the HIPAA Privacy Rule

The first step is to become familiar with the HIPAA Privacy Rule, which has provisions for implementing safeguards to protect the privacy of PHI and setting limits on the access and use of PHI. The Rule also confers certain rights to patients over their PHI, such as the right to examine and obtain a copy of their health records and to request corrections.

Determine whether the Privacy Rule applies to you

Next, evaluate and confirm whether the Privacy Rule applies to your healthcare organization, practice, or business. The Privacy Rule safeguards individual PHI by regulating the practice of all covered entities, which include nurses, doctors, insurance providers, and lawyers.

Protect patient data

Now, understand what types of sensitive health data you need to safeguard and establish the appropriate security and privacy measures. 

The Privacy Rule denotes PHI as “individually identifiable health information” that is transmitted or stored by covered entities or their business associates. It can take any form—verbal, electronic, or paper. 

Individually identifiable health information is considered to include all information that deals with a patient’s mental health or physical condition, their healthcare requirements, and payment for their healthcare requirements. It also includes the patient’s demographic information. 

The Security Rule mandates three types of safeguards for PHI:

1. Technical 

They focus on the technology used to protect and provide access to ePHI. They also specify that ePHI, in transit or at rest, must be encrypted to NIST standards once it moves beyond the firewalled servers of a company. This makes the data undecipherable, unreadable, and unusable. 

Technical safeguards include:

• Implementing a means of access control
• Introducing a mechanism to authenticate ePHI
• Implementing tools for encryption and decryption
• Introducing activity logs and audit controls
• Facilitating automatic log-off of devices and desktops

Get ahead of breach scenarios

2. Physical

They center on physical access to ePHI regardless of its location. ePHI could be stored in the cloud, remote data centers, or on servers within the premises of the covered entity. They also specify how mobile devices and workstations should be protected against unauthorized access. 

Physical safeguards include:

• Facility access controls
• Policies for the use and access of workstations and mobile devices
• Inventory of hardware

3. Administrative 

They are the policies and procedures that bring together the Privacy Rule and the Security Rule. They mandate the assigning of a Privacy Officer and Security Officer to implement measures to protect ePHI and also govern the conduct of the workforce.  

Administrative safeguards include:

• Conducting HIPAA risk assessments
• Introducing a risk management policy
• Compliance training for employees to be secure
• Developing and testing a contingency plan
• Restricting third-party access
• Reporting security incidents

Also, find out the different components of HIPAA

4. Avoid possible HIPAA violations

HIPAA violations can occur in a variety of ways so take the time to understand what constitutes a violation and how you can prevent it. 

Being HIPAA-compliant does not mean preventing all data breaches; instead, it means lowering risks to an acceptable and appropriate level. 

HIPAA violations are commonly due to internal reasons and not external data breaches or hacks. Many violations are a result of negligence (such as failing to perform an organization-wide risk analysis) or inadequate compliance with the Privacy Rule.  

Violations may be deliberate or unintentional. Failing to issue a breach notification within the maximum time frame of 60 days after discovering a breach is a deliberate violation. Failing to properly configure software like Office 365 for HIPAA compliance is an unintentional violation. 

5. Data breaches under HIPAA

HIPAA standard considers any unauthorized possession, use, access, or release of protected health information that puts its privacy or security at risk to be a data breach. 

To prevent data breaches, you need adequate internal security measures and training as well as a robust cybersecurity program. 

6. Recognizing common HIPAA violations

You should be familiar with the variety of scenarios and cases that can trigger a violation. The 10 most frequently-occurring HIPAA violations are:

• Failure to conduct an organization-wide risk analysis
• Absence of a risk management process or failure to manage potential risks
• Snooping on healthcare records
• Refusing to give patients access to their health records or exceeding the timeframe for giving access
• Failure to form a HIPAA business associate agreement
• Exceeding the 60-day timeframe for putting out breach notifications
• Incorrect disposal of PHI
• Impermissible disclosures of PHI
• Failure to encrypt ePHI on portable devices
• Failure to implement ePHI access controls

7. Anticipating a minor breach

According to the HIPAA Breach Notification Rule, any affected patient or customer should be notified about the theft, compromise, or risk exposure of their PHI. 

In case of a minor breach, which is one that affects fewer than 500 people in a single jurisdiction, HIPAA requires you to gather data on all minor breaches that occur throughout a year and report them to HHS OCR  within 60 days of the end of the year in which they occurred. 

Affected individuals must be informed within 60 days of the breach discovery.

8. Prepping for a meaningful breach

Breaches that affect more than 500 individuals in a single jurisdiction are meaningful breaches. They must be reported to HHS OCR within 60 days of breach discovery. All affected individuals should be informed upon immediate discovery of the breach. Local law enforcement agencies and media agencies should also be notified immediately so that they can alert the affected people.

The HHS Wall of Shame is a permanent repository of all meaningful HIPAA violations in the United States since 2009. 

9. Being aware of fines and penalties

OCR prefers to resolve HIPAA violations through non-punitive methods like voluntary compliance or offering technical guidance to assist covered entities with non-compliant areas. However, if the violation is severe or has been allowed to linger for long, tier-based financial penalties are imposed:

Tier 1: A violation that the covered entity was not aware of and could not have realistically prevented. Reasonable care was taken to conform to HIPAA Rules. Fines of $100 – $50,000 per incident 

Tier 2: A violation that the covered entity should have been aware of but which could not be prevented even with a reasonable amount of care. Fines of $1,000 – $50,000 per incident

Tier 3: A violation that occurred due to willful neglect of HIPAA Rules, in instances where attempts were made to correct it. Fines of $10,000 – $50,000 per incident

Tier 4: A violation that occurred due to willful neglect, wherein no effort has been made to correct it. Fines of $50,000 and above

10. Meeting transaction standards

HIPAA requires all data transactions or transmissions to meet the X12 Data Exchange Standard. Some of the common transactions are:

• Claims status
• Coordination of benefits
• Payment and remittance advice
• Eligibility
• Referrals and authorizations

11. Stay updated with HIPAA changes

HIPAA compliance is an ongoing process so you need to stay up-to-date with the latest developments. The recent additions to HIPAA are:

• Allowing patients to examine their PHI in person and take notes or photographs
• Decreasing the maximum time for providing access to PHI from 30 days to 15 days
• Required entities must publish their fee schedule for PHI access and disclosure on their websites
• Enlarging the definition of healthcare operations to encompass care coordination and case management. 

3 Steps to implement HIPAA compliance

Implementing steps in your process can enhance your HIPAA compliance and help you effectively mitigate potential risks associated with non-compliance.

To help you get started few steps are listed below: 

1. Set up security policies and procedures: Implement cohesive HIPAA compliance policies to reduce errors in day-to-day activities that cover all aspects of handling the PHI. These policies should be regularly reviewed and updated to meet the regulatory requirements.

2. Implement Internal Audits: Perform regular risk assessments and internal audits to ensure continuous HIPAA compliance and to evaluate the likelihood of potential vulnerabilities and threats.

3. Establish and maintain protocols: Train healthcare associates and employees’ third-party vendors on HIPAA-related security protocols and document the function of employees, their desired roles, and the extent of their PHI use.

Looking to get audit-ready in weeks? Sprinto, a compliance automation solution, helps you align your controls with the requirements of HIPAA, monitor compliance posture in real-time, and gather crucial evidence to help you get audit-ready in a matter of weeks.

HIPAA Violations You Need To Know

Not all data breaches are HIPAA violations. If the data breach is caused by an outdated, ineffective, or incomplete HIPAA compliance program or a direct violation of the company’s HIPAA policy, then it becomes a HIPAA violation. 

The OCR issues fines on a sliding scale ranging from $100 – $50,000 per incident depending on the severity of the violation. If it finds that the investigated company deliberately committed a violation due to “willful neglect” of HIPAA Rules, it may levy heavy fines to the tune of $50,000+.

HIPAA violations may be discovered in three ways:

• OCR investigations into a data breach
• OCR investigations into complaints about covered entities or business associates
• HIPAA compliance audits

Take a look at these examples of penalties due to HIPAA violations to understand why compliance is important:

• Premera Blue Cross, the largest health plan in the Pacific Northwest, was fined $6.85 million for a 2014 data breach that compromised the ePHI of 10.4 million people. The OCR discovered a failure to conduct risk analysis and risk management. 
• University of California Los Angeles Health System, a healthcare provider, was fined $865,000 for failing to restrict access to medical records. Dr. Huping Zhou, an employee, accessed the records of celebrities and other patients without authorization and was the first physician to be jailed for a HIPAA violation. 
• Banner Health, one of the largest healthcare systems in the United States, was fined $200,000 for long delays in responding to patients’ requests for access to their medical records. 

Also, check out: Best HIPAA compliance software

Conclusion

HIPAA was developed to ensure the privacy of patient PHI, and its safeguards are intended to help healthcare organizations take necessary measures to secure patient data. HIPAA compliance may seem like a daunting task, but adopting a step-by-step approach with a compliance checklist will help you achieve it quickly. 

You can become HIPAA-compliant quickly and effortlessly with Sprinto’s assistance in crafting HIPAA policies, establishing controls, and collecting evidence. 

FAQ: HIPAA Compliance

What is not covered under HIPAA?

Though HIPAA requires covered entities to increase the effectiveness of healthcare delivery procedures through standards for electronic transactions and security precautions, it makes no particular mention of requirements for quality of care in its regulations.

What is HIPAA compliance in healthcare?

HIPAA compliance in healthcare involves fulfilling the requirements of HIPAA, its later amendments, and related laws like HITECH. Companies dealing with protected health information (PHI) should implement physical, process, and network security measures to be HIPAA-compliant. 

Is it mandatory to follow all HIPAA rules?

HIPAA is a regulatory requirement. This makes it mandatory for all healthcare organizations and entities to follow HIPAA rules without exception. Violation of any rule can lead to severe fines and penalties.

What are HIPAA violations?

HIPAA violations are breaches in a company’s compliance program that compromise the integrity of PHI or ePHI. Data breaches are HIPAA violations if they occur as a result of a direct violation of the company’s HIPAA policy or an ineffective or outdated compliance program.