HIPAA has been around for over two decades now, and after numerous amendments, HIPAA compliance is something every healthcare organization, and every organization that handles patient information, has to ensure. But what is HIPAA? How is it applied today? Why is HIPAA compliance crucial in the US healthcare system? What are the main HIPAA rules, and who needs to ensure HIPAA compliance? These are the questions this article answers.
HIPAA – a brief introduction
HIPAA, or the Health Insurance Portability and Accountability Act, was established back in 1996. Originally, it was introduced to ensure insurance coverage for US workers who were between jobs. Prior to HIPAA, workers used to lose their insurance coverage whenever they switched jobs.
Times have changed, however, and HIPAA is now primarily used to safeguard sensitive patient data, known as PHI (Protected Health Information). HIPAA outlines which parties within an organization may access PHI and under what circumstances, and which uses and disclosures count as violations. HIPAA also gave patients in the US healthcare system the right to request copies of their own medical records, check them for errors, and share them. Thus, when an organization has to ensure HIPAA compliance, it means the organization must have sufficient safeguards in place to prevent outsiders and unauthorized parties from accessing PHI, and must follow the other rules set by HIPAA.
Although all of this might sound simple, it is quite the opposite. HIPAA has a lot of rules and regulations to follow, and keeping up with them can become an arduous task. Thankfully, there are solutions like HIPAAReady that simplify compliance management so that organizations can be better prepared for audits, but more on that later. HIPAA is overseen by the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), and violations have to be reported to the OCR.
Why is HIPAA compliance important?
First of all, HIPAA sets the standards that organizations have to meet to safeguard PHI. But why is so much of HIPAA centered on PHI? To answer that, one needs to understand which characteristics are considered PHI. Names, phone numbers, email addresses, geographical details, relevant dates, Social Security numbers, fingerprints, retinal scans and voiceprints, facial photographs, medical record numbers – these are just some of the items considered to be PHI. Clearly, these details can be used to identify patients, either on their own or in combination with another identifier. Exposure not only harms patient privacy, but the data can also be used for other nefarious purposes. Several data breaches, both internal and external, occur every month in which PHI is exposed. Hackers steal the information and sell it on the black market, where it is commonly used to commit medical identity theft. When organizations ensure HIPAA compliance, it means they are committed to putting sufficient safeguards in place to protect sensitive patient information from being improperly accessed or misused.
Beyond that, failure to ensure HIPAA compliance leads to hefty fines as well as criminal charges and civil lawsuits. Fines can reach a maximum penalty of $1.5 million per year for each HIPAA violation. Whenever a breach occurs, organizations need to report it to the OCR as well as to the affected patients; the OCR usually fines for noncompliance without taking into account whether the violation was caused inadvertently or otherwise. Thus, ensuring HIPAA compliance is crucial within the US healthcare system for every organization dealing with PHI.
Who needs to ensure HIPAA compliance?
Basically, any organization dealing with PHI needs to ensure HIPAA compliance. Other than hospitals, there are other kinds of organizations that deal with PHI, and all of them can be classified as either covered entities or business associates.
Healthcare providers, healthcare clearinghouses, and health insurance plans are generally categorized as covered entities. Business associates, on the other hand, are third parties engaged by a covered entity to perform work on its behalf, where that work involves handling PHI.
The main HIPAA Rules
HIPAA Security Rule
This rule consists of the standards required to safeguard ePHI (electronic PHI) both during transmission and while it is stored. It applies to any party that receives, sends, modifies, or writes ePHI. Three types of safeguards are required: technical safeguards, physical safeguards, and administrative safeguards.
Technical safeguards refer to the technology used to protect the information. One specific requirement is that ePHI has to be encrypted to NIST standards whenever it is transmitted outside the organization. This ensures that even if an unwanted incident occurs, say, a breach, the data will be useless to the culprits.
Physical safeguards govern physical access to ePHI regardless of where it is stored: whether the data is held remotely, in the cloud, or on a server, the safeguards must be in place. They also require preventing unauthorized access to mobile devices and workstations.
Administrative safeguards focus on the policies and procedures that protect PHI: what measures are put in place, how they are carried out, and who is granted access to PHI. Conducting risk assessments, crafting a risk management policy, drawing up a contingency plan, and restricting access by outsiders are all part of the administrative safeguards.
HIPAA Privacy Rule
While the HIPAA Security Rule focuses on how to protect PHI, the HIPAA Privacy Rule focuses on the use and disclosure of PHI. Earlier, it applied only to covered entities; since 2013, however, business associates have had to abide by the rule as well.
The HIPAA Privacy Rule requires that adequate safeguards be in place to protect patient privacy, and it also sets limits on the use and disclosure of patient information without the patient's authorization.
HIPAA Breach Notification Rule
This rule requires covered entities to notify patients whenever they suffer a healthcare data breach, whether it originates inside or outside the organization. It also requires that HHS be notified of the breach within a stipulated time frame and, if the breach affects over five hundred patients, that the media be notified as well. Breaches affecting under five hundred individuals can be reported through the OCR portal.
The notifications should include the types of PHI exposed, the person who caused the breach, whether the data was stolen or only viewed, and how the resulting risks will be addressed. There are many HIPAA Breach Notification checklists that can help ensure compliance.
HIPAA Omnibus Rule
This rule updates areas that earlier changes to HIPAA had left unaddressed. It provides a number of clarifications to existing regulations and brings business associates into scope. Earlier, only covered entities had to ensure HIPAA compliance, but with the introduction of the HIPAA Omnibus Rule, business associates have to ensure it as well. It also introduced standards for BAAs (Business Associate Agreements), which have to be executed before PHI is transmitted between a covered entity and a business associate.
HIPAA compliance – is it possible?
One thing every organization dealing with PHI agrees on is that HIPAA compliance is an arduous task. The details above are only a simplified version of the rules that make up HIPAA; the regulation is multilayered and far more complex than that. Even large organizations have trouble ensuring HIPAA compliance, leading to violations, fines, and, in extreme cases, even the cancellation of their licenses.
While HIPAA compliance is a continuous process, it is possible to simplify it and reduce the administrative burden. HIPAAReady, a robust HIPAA compliance software, has been built to do just that. Conducting internal audits to identify and address vulnerabilities, scheduling and managing training whenever required, keeping everyone on the same page by centralizing HIPAA information in a single location – all of this and much more is possible with HIPAAReady. Make HIPAA compliance easier and prepare for audits more effectively with HIPAAReady.