What Is HIPAA Compliance?
Have you wondered how patient information protection works? Or why HIPAA compliance is such a big deal? For those who have, we have prepared a must-read HIPAA guide for 2021.
HIPAA is short for the Health Insurance Portability and Accountability Act. The original Act saw the light of day on August 21, 1996. It provides standards for the safety and privacy of protected health information (PHI). The Office for Civil Rights (OCR) ensures that all entities meet HIPAA standards. The Department of Health and Human Services (HHS) handles HIPAA compliance regulation.
What Is Protected Health Information (PHI)?
One of the most crucial things in HIPAA compliance is the notion of PHI. It refers to any demographic data that identifies a patient or client. Data such as financial information, phone numbers, names, and full facial photos fall into the PHI category.
Handling PHI is part of the work of any HIPAA-responsible organization. To guarantee the integrity, privacy, and security of PHI, every health care company must comply with HIPAA Rules.
Companies often store PHI in electronic format. ePHI is an acronym for electronic protected health information. It refers to any PHI transmitted or stored on electronic devices. You can find ePHI regulations in the Security Rule section of HIPAA.
Who Needs to Be HIPAA Compliant?
Two types of organizations fall under HIPAA Rules. The first one is a covered entity, and the second one is a business associate.
The former can be any provider of medical services. A person that has PHI can also represent a covered entity. Such a person or organization must comply with the Rules stated by HIPAA. They must have a risk assessment and compliance training for the staff. Having a book of evidence with Policies and Procedures is a must for any covered entity. Here are some examples of covered entities:
- mental health providers;
- call centers;
- healthcare workers;
- durable medical equipment providers;
- ambulance companies;
- social workers.
There are some exceptions. For instance, a hospital is a covered entity. However, its employees and healthcare providers are generally not covered entities. Employees who provide health plans or benefit programs are hybrid entities.
Business associates are companies that encounter PHI in any way throughout their work. They deal with protected data under the authority of a covered entity. There are plenty of companies and service providers that process or manage PHI. Here are some examples of business associates:
- IT providers;
- third-party administrators and consultants;
- cloud and physical storage providers;
- medical transcribers.
They all need PHI to perform their services. Every business associate signs an agreement with their covered entity. This agreement is mandatory for HIPAA compliance. It describes the permitted uses of PHI. The agreement also states what happens with the information in the end. Sometimes patients get their data returned, but in most cases, the data gets destroyed.
Business associates have the same responsibilities regarding HIPAA compliance as covered entities. Both parties sign the agreement to clarify this fact.
What Are the Main HIPAA Rules?
Since 1996, there have been several updates to the Act. With each update came small changes to the Rules. The most drastic changes occurred in 2009 with the HITECH Act, which promoted the use of electronic medical records. In 2020, with the advance of the COVID-19 outbreak, HIPAA Rules became more flexible. It happened thanks to the Notification of Enforcement Discretion by OCR. However, the main clauses in the Rules have remained immune to the changes.
The HIPAA Privacy Rule
The first and most important HIPAA Rule is the Privacy Rule. It mandates data protection for anyone who stores, uses, or creates PHI. The Rule affirms each person’s rights over their personal data.
The Privacy Rule outlines conditions and limitations regarding the use and disclosure of medical data with and without the authorization of its owner. Moreover, this rule provides patients with the right to access, get a copy, or make changes to their data.
It’s the OCR who investigates violations of the Privacy Rule. Since 2010, the OCR has settled over 150,000 cases.
The HIPAA Security Rule
The Security Rule is a document that describes ePHI protection standards.
The Security Rule implies that all compliant parties maintain three types of safeguarding mechanisms: administrative, technical, and physical. They are security precautions that preserve ePHI from unauthorized access.
Each organization determines the specifics of its data security regulation. It is an essential part of the company’s HIPAA Policies and Procedures. Besides, companies must conduct annual training on Policies and Procedures. This training will be valid only when documented with attestation reports.
The HIPAA Breach Notification Rule
OCR introduced the Rule in 2009 with the HITECH Act. All HIPAA-responsible organizations bear certain obligations under the Rule. The chief responsibility is to notify the affected persons, the HHS, and, in large cases, the media about the breach of PHI. The obligations also include:
- mitigating the consequences of the breach;
- carrying out breach investigation;
- taking disciplinary action against any member of the workforce who violated HIPAA Rules.
A breach compromises the privacy or security of the information. It is the use, acquisition, disclosure, or access of PHI without following HIPAA Rules. Any unauthorized disclosure of PHI is a breach of HIPAA.
The HIPAA Omnibus Rule
In January 2013, HHS published the HIPAA Omnibus Rule. It gives individuals new rights to their health information. It strengthens the government’s ability to enforce privacy and security protections. The new Rule outlines who is a business associate. Here are some other things that the Omnibus Rule introduced:
- limits on information sharing for marketing and fundraising;
- a patient’s right to access the electronic version of their medical records;
- a patient’s ability to have information kept private from their health plan;
- prohibition on the sale of information without authorization.
The Omnibus Rule makes business associates liable under HIPAA. These organizations become accountable to consumers and HHS for safeguarding PHI. The Rule also states that any unauthorized sharing or use of PHI is a breach of the regulations. Reported data breaches increased in number thanks to the Rule.
What Is Required for HIPAA Compliance?
Each HIPAA-responsible company must keep up with the set standards. Here are the measures an organization must undertake to be compliant with HIPAA:
HIPAA-responsible organizations perform audits. They exist to check technical, physical, and administrative issues against HIPAA standards. A Security Risk Assessment is crucial for HIPAA compliance. There are also other essential measures like Privacy and Breach Notification Audits.
Once a HIPAA-compliant entity spots its issues, it must form remediation plans to re-establish the standards. Complete documentation of these plans is a must. Companies should also keep a calendar with dates of resolving their compliance issues.
Organizations must take notes of all the steps they take on their road to HIPAA compliance. This documentation will play a leading role during a HIPAA investigation with OCR and HHS. Documentation is also critical during HIPAA audits.
Policies, Procedures, Employee Training
As stated in HIPAA Rules, each company must have its Policies and Procedures in place. These Policies and Procedures must correspond to HIPAA standards. Companies must update their HIPAA Policies and Procedures to account for the latest changes to the organization. Companies must conduct annual staff training on HIPAA regulations, along with employee attestations.
Business Associate Management
HIPAA-responsible organizations must document any collaboration with service providers that involves PHI. Companies must form and sign Business Associate Agreements to guarantee the safety of PHI. It’s vital to review agreements and note changes to the relationship with service providers. Like every other procedure, a company must do it once per year.
If a data breach occurs, HIPAA-responsible organizations must have a process to document it. The organization must inform people about the breach and leakage of their data.
What Are Common HIPAA Violations?
Health information or insurance information about a person is worth up to $250 apiece on the black market. That is why patients must perform a risk assessment and make sure they provide sensitive information to a HIPAA-certified organization with a proven reputation. Health care workers, on their end, should assure their clients about the safety of their data.
A HIPAA violation is the failure to adhere to HIPAA standards. Violations usually occur due to a lack of proper protection of PHI. Security measures must be in place so that an unauthorized person won’t access PHI. You can learn more about them by viewing Privacy and Security Rules.
The HHS Office for OCR and the U.S. Department of Health handle the enforcement of the Privacy and Security Rules. It’s crucial to adhere to HIPAA Rules because your negligence may cost you up to $1.5 million in fines. There are two main types of HIPAA violations: civil violations and criminal violations.

| Violation type | Category | Penalty |
|---|---|---|
| Civil violation | Unintentional | from $100 to $50,000 per one case (up to $25,000 per year) |
| Civil violation | Valid cause | from $1,000 to $50,000 per one case (up to $100,000 per year) |
| Civil violation | Deliberate disregard (corrected) | from $10,000 to $50,000 per one case (up to $250,000 per year) |
| Civil violation | Deliberate disregard (not corrected) | $50,000 per one case (up to $1.5 million per year) |
| Criminal violation | Intentional disclosure or theft of PHI | up to one year in prison, as well as $50,000 fine |
| Criminal violation | Violations committed under false pretenses | up to five years in prison, with $100,000 fine |
| Criminal violation | Violations committed with the intent to transfer, use, or sell PHI for personal gain, or other advantages | up to ten years in prison, as well as $250,000 fine |

Here are some of the most common causes of violations:
- ransomware attack;
- office break-in;
- malware incident;
- business associate breach;
- sending PHI to the wrong contact/patient;
- social media posts;
- EHR breach;
- a stolen laptop, phone, USB device;
- discussing PHI outside the organization.
There can be situations when a covered entity does not want to resolve the issue. In that case, OCR is within its right to levy civil financial penalties on the organization.
Checklist to Avoid HIPAA Violations
To help you avoid any risky situation of possible HIPAA violation, we have prepared a checklist of rules for you:
- Get to know which obligatory annual assessments and audits apply to your company.
- Appoint a HIPAA Officer.
- Implement the required evaluations and audits, document deficiencies, and analyze the results.
- Ensure the designated HIPAA Officer carries out training for all members of the company about HIPAA.
- Document all HIPAA training and attestations.
- Put your plans into action, document the plans, update and review them once a year.
- Review all your agreements each year.
- Outline the processes for reporting and notifying HIPAA breaches for staff members.
Expert Security Tips for HIPAA Compliance
If you are looking to improve PHI security, here are a few tips from Raj Chaudhary, a HIPAA security and privacy expert at Crowe Horwath:
- strengthen security with logins to keep data from unauthorized access;
- check your login management at software, network, and other levels;
- lock out anyone who fails ten login attempts;
- ensure that login is working 24/7 and check login controls;
- keep an eye on your business partners who are dealing with any PHI.
Changes to HIPAA Compliance During the COVID-19 Pandemic
The COVID-19 pandemic brought a few mitigations into the health care scene. Sanctions for non-compliance with particular clauses of HIPAA Rules will no longer be applied. For instance, one-on-one remote consultations via video conferencing software programs are legal now. OCR will not impose sanctions for PHI disclosure if the information is crucial to public health activities.
These mitigations opened up new possibilities for entrepreneurs worldwide. All it takes is to learn about HIPAA compliance basics and build your own mobile app. You can contact Diversido if you want to develop your app according to the ever-changing HIPAA regulations.