What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. The law established rules for the maintenance and security of Personal Health Information (PHI) and is enforced by the US Department of Health and Human Services (HHS). HIPAA regulations were designed to give organizations guidance on:
- Use and disclosure of PHI
- Access to PHI
- Storage of PHI
- Transmission of PHI
- Breach Notification
HIPAA applies to all organizations that come into contact with PHI data. Those organizations are classified as either covered entities or business associates. Covered Entities are organizations that provide healthcare services, including doctors and hospitals, health plans, and healthcare clearinghouses. Business Associates are persons or entities that perform activities on behalf of a Covered Entity that involve the handling of protected health information.
HIPAA standards are built on these three rules:
HIPAA Privacy Rule
This rule dictates when and how PHI can be used and disclosed. The Privacy Rule establishes patients' rights to control how their health data is used. It also gives patients the ability to access their health records and request that errors be fixed. Other key elements of the HIPAA Privacy Rule include:
- Authorization: Covered entities must obtain the individual's written authorization for any use or disclosure of protected health information.
- “Minimum Necessary”: A covered entity should use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use.
- Privacy Notices: Covered entities must provide a notice of their privacy practices.
HIPAA Security Rule
This rule sets standards to protect the integrity, confidentiality, and availability of all electronic Personal Health Information (ePHI). The HIPAA Security Rule is a collection of the following safeguards:
Administrative Safeguards
- Perform accurate and thorough assessments to identify risks and vulnerabilities to ePHI. Implement security measures to reduce those risks and vulnerabilities.
- Designate a security official responsible for developing and implementing the policies and procedures required by the Security Rule.
- Implement policies and procedures to ensure that staff who work with ePHI have appropriate authorization, supervision, and access.
- Implement policies and procedures to authorize access to ePHI only when such access is appropriate for the user or recipient's role.
- Train all workforce members on security policies and procedures.
- Implement policies and procedures to identify and respond to suspected or known security incidents and mitigate their impact.
- Establish and implement procedures for responding to events that damage information systems that contain ePHI.
- Perform a periodic technical and non-technical assessment of how well policies and procedures meet the requirements of the Security Rule.
- Include security requirements in contracts with vendors that create, receive, maintain, or transmit ePHI.
Physical Safeguards
- Implement policies and procedures to limit physical access to electronic information systems.
- Implement policies and procedures to specify proper use of, and physical safeguards for, workstations that can access ePHI.
- Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI.
Technical Safeguards
- Only allow authorized personnel access to electronic information systems that maintain ePHI.
- Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
- Ensure ePHI is not improperly altered or destroyed.
- Verify that a person seeking access to ePHI is who they say they are.
- Implement security measures to guard against unauthorized access to ePHI being transmitted over an electronic network.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the HHS Secretary, and potentially the media when a breach has occurred.
Notice to the Secretary
If an entity discovers a breach affecting more than 500 people, it must notify the HHS Secretary via a breach report form on the HHS website within sixty days of discovery. Breaches that impact fewer than 500 people can be reported to the Secretary on an annual basis.
Individual Notice
Covered entities must provide individuals impacted by a data breach with a written notice via first-class mail, or via email if the individual has consented to receive notices electronically. If the entity has insufficient contact data for ten or more impacted individuals, it must publish the notice on the homepage of its website for at least ninety days. Entities can also deliver the notice through major print or broadcast media in the areas where the individuals likely live. A toll-free phone number must be active for at least ninety days so that individuals can call and learn whether their information was involved in the breach.
Individual notifications must be provided within sixty days of the breach discovery. They must include a brief description of the breach, a description of the types of information involved, information about how individuals can protect themselves, a description of what the entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, and contact information for the entity.
Media Notice
If a breach impacts more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving the area(s) within sixty days of discovery.
Achieving HIPAA Compliance
To be HIPAA compliant, your organization must implement policies and procedures and meet the standards of the privacy, security, and breach notification rules.
A good first step to HIPAA compliance is conducting a risk assessment to determine your existing risk exposure and how your current controls measure up for compliance. The data from the assessment can be used to build a HIPAA roadmap.
After the risk assessment, consider performing an audit comparing your current policies, processes, and practices to the HHS Office for Civil Rights Audit Protocol.
At this point, you will be able to confidently implement policies, procedures, and technologies that are compliant with HIPAA standards.
Once you’ve reached HIPAA compliance, it is important to ensure the program remains up-to-date and accurate. Stay aware of changes in the HIPAA rules, and account for any changes within your own ecosystem that could impact compliance. HIPAA requires organizations to perform continuous monitoring and periodic risk assessments to ensure ongoing compliance with the requirements.
The Risk of Noncompliance
The penalties for a HIPAA violation can range from $137 to $68,928 per incident, with a maximum penalty of $2,067,813 over a calendar year. The damage to your organization’s reputation caused by a data breach or HIPAA fine could impact revenue for years to come.
How We Can Help
At CompliancePoint we have a team of experienced professionals from the healthcare and security industries who can help guide you through every step of the HIPAA compliance process. We can evaluate your security policies and procedures against HIPAA standards through a HIPAA assessment. We will identify any existing gaps and help you develop a plan for remediation. When your updated policies are implemented, CompliancePoint conducts a final audit review and issues a report of compliance. The report gives authorities, partners, and leadership proof of your organization’s compliance, validated by a non-biased third party.
The CompliancePoint HIPAA Compliance Program assists in establishing and meeting the requirements by assessing the general and application control requirements throughout Covered Entities and their Business Associates’ various business functions.
Frequently Asked Questions
HIPAA is the Health Insurance Portability and Accountability Act. It is a law that was established in 1996. HIPAA is a set of standards designed to protect the security of Personal Health Information (PHI). The law is enforced by the US Department of Health and Human Services (HHS).
The HIPAA Privacy Rule sets standards for the use and disclosure of PHI. It gives patients the right to control how their health data is used. It also allows patients to access their health records and request that errors be fixed.
A HIPAA violation can result in civil penalties as large as $68,928 per incident, with a maximum penalty of just over $2 million over a calendar year.
A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year in prison. The criminal penalties increase to $100,000 and up to a five-year prison sentence if the wrongful conduct involves false pretenses, and to $250,000 and up to a ten-year sentence if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm. The Department of Justice is responsible for criminal prosecutions.