If your business works directly or indirectly in the healthcare industry, you’re probably aware of HIPAA regulations and the fines that come with failing to maintain compliance.
As an example, in 2019, fines for HIPAA violations cost 11 organizations over 15 million dollars! This is less than the amount of fines dealt out in 2018, but $15,000,000 is no small sum to lose over an issue like this.
Understanding all the rules and regulations around HIPAA compliance can be confusing, so we created this article to help clarify, if not simplify, some of the major pieces of this compliance puzzle.
Before we go on, however, we want to make it clear that we’re not giving legal advice—Commprise is an MSP and not qualified to do that. Our goal is to get you up to speed with what HIPAA compliance is, help you understand its purpose, and better comprehend how it relates to your IT security.
What is HIPAA Compliance?
HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It’s a series of regulatory standards that business associates and covered entities use to keep their Protected Health Information (PHI) secure.
In addition to securing patients against data breaches, an important aspect of HIPAA as it relates to your IT includes how your organization allows patients to access their PHI and what methods you use to provide it to them securely.
Different organizations have to abide by different standards based on their available resources to secure their protected health information, which often makes maintaining compliance a bit confusing.
Put simply, the purpose of HIPAA is to keep people’s healthcare information private.
HIPAA Compliance is regulated by the Department of Health and Human Services (HHS) and is enforced by the Office for Civil Rights (OCR).
While the HHS is responsible for regulating HIPAA compliance, the OCR is in charge of enforcing compliance.
This year, the OCR announced an update to HIPAA compliance which stated that they “will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites, and will refrain from imposing sanctions and penalties on covered entities and business associates at these drive through, walk-up, and mobile sites.”
Other aspects of the HIPAA Rules that have been shown to be unnecessarily strict towards covered entities will be removed to create an experience that reflects more value-based healthcare. For more HIPAA updates, visit the HIPAA Journal.
What Qualifies as Protected Health Information (PHI)?
Protected health information is a mixture of your identifying info (name, address, license, etc.) and any health-related data that’s been collected by healthcare practitioners (like doctors) or healthcare facilities (like hospitals). Examples include:
- Conversations you’ve had with healthcare providers or practitioners.
- Healthcare billing information.
- Healthcare insurance information.
- Other personal healthcare related data.
To give an example, if you know that you’re diagnosed with a particular illness, that information would fall under PHI.
To understand what kind of information you need to remove in order to declassify PHI, refer to the Safe Harbor Rule.
What are Covered Entities?
This refers to entities within the healthcare field that have access to PHI and may use it for their work. Examples of covered entities: doctors, nurses, and insurance companies.
This is important to understand because, if your business works with covered entities and you have PHI in your databases, your company will need to make sure it’s maintaining HIPAA compliance.
What are Business Associates?
The term “Business Associates” refers to people or vendors that work with a particular covered entity in a non-healthcare capacity.
Even though they aren’t directly related to the healthcare field, they are equally responsible for maintaining compliance with HIPAA regulations.
Examples of business associates: accountants, lawyers, IT personnel that work in the healthcare industry, administrators, start-ups that sell healthcare tech, etc.
What are Business Associates Agreements (BAAs)?
BAAs are partnerships between HIPAA covered entities and other organizations, such as IT companies and other vendors, that are formed to ensure the security of their PHI data.
The agreements must be in writing in the form of a written contract or some other official form of written agreement.
What is the HITECH act?
The HITECH act, signed into law in 2009, stands for the Health Information Technology for Economic and Clinical Health Act.
This act was put together in order to incentivise more healthcare organizations to adopt health information technology, and more specifically to get them to start using electronic health records (EHR).
Understanding the HIPAA Patient Privacy Rule
The HIPAA Patient Privacy Rule lays out the details of how your organization should manage, use, and protect your PHI. In fact, these rules are the foundation of HIPAA regulations.
Your organization, or a covered entity that accesses your business’s PHI, can use these rules to explain how or when you’re allowed to use that sensitive data.
The regulatory standard has to be properly documented in your business’s HIPAA policies and procedures, and for greater security, it’s best if you have all employees undergo annual training on these policies.
In order to make your organization’s PHI available to other parties, the law requires you to sign a HIPAA PHI release form.
Information Protected by the Patient Privacy Rule
- Medical records
- Social Security Numbers
- Finger and voice prints
- Contact information
- Location information
- Birth, death, and treatment dates
Understanding the HIPAA Security Rule
This rule defines the minimum standards that covered entities must meet in order to handle, maintain, and transmit electronic PHI (ePHI).
The rule says, “The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.”
Below are key ideas expressed in that rule:
- Security Management Process — States that covered entities have to create policies and procedures that effectively contain, correct, prevent, and detect security violations. Before implementing new policies, make sure you assess the overall risk of your current policies.
- Assigned Security Responsibility — States that someone in your organization has to be assigned as the designated security official. This person will be responsible for the development and implementation of your HIPAA Security Rules.
- Workforce Security — In order to maintain security in your workforce, your organization must determine which employees will require access to PHI or ePHI. Efforts should be made to regulate control over that access.
- Information Access Management — Emphasizes that, once your organization has determined which personnel will have access to your PHI and ePHI, access should be restricted from all other parties.
- Security Awareness and Training — Your company must train your workforce on the relevant rules and security policies related to HIPAA compliance regulations.
- Security Incident Procedures — Guides your company through the process of creating policies that address what to do in the event of a data breach. Your organization should report said breaches and any other security violations. Setting up alerts to spot these breaches can go a long way in this endeavor.
- Contingency Plan — If a breach or security violation occurs, your company should have a backup plan or disaster recovery plan to respond appropriately to the event. Your MSP or IT team should be able to take care of this when it comes to ePHI.
- Evaluation — This emphasizes that your organization should regularly review and evaluate your HIPAA security policies and procedures to make sure they are effective and up-to-date.
- Business Associate Contracts — In order to prevent third-party contractors from leaking your PHI or ePHI, you should create business associate contracts and other relevant arrangements.
- Facility Access Controls — This falls into general best practices for IT security. Make sure that facilities that contain ePHI data, such as your server rooms, are locked. Limit which personnel have access to these facilities.
- Workstation Use — Any workstation and device that accesses ePHI should be properly managed and secured. For instance, only personnel who are authorized to handle ePHI should be allowed to use these workstations.
- Workstation Security — As the name implies, your company should make an effort to securely manage any devices that access ePHI.
- Device and Media Controls — Typical devices like your laptops and computers aren’t the only things that need to be secured. If ePHI is transferred via USBs or other forms of removable storage, they should be properly secured as well in a designated storage area.
- Access Control — Set up appropriate authentication measures for users that need to access ePHI.
- Audit Controls — Your organization needs to provide thorough audit trails of any data breaches that occur so that the OCR will be able to understand precisely how the breach occurred in the first place.
- Integrity — In order to maintain HIPAA compliance, your company will have to be able to prove that the PHI and ePHI that you manage is properly protected from internal and external threats, no matter how big or small.
- Person or Entity Authentication — This states simply that the people you allow to access PHI and ePHI are who they say they are, whether a patient or a user. This can be accomplished via biometrics, two-factor authentication, and other more sophisticated password security best practices.
- Transmission Security — When your company transfers PHI data to other business partners, you must be able to prove to the OCR that only authorized individuals had access to the sensitive data.
Understanding the HIPAA Enforcement Rule
This rule clarifies what your company needs to do in the event of a HIPAA violation.
If a data breach occurs and PHI was involved, your organization must report it to the Office for Civil Rights (OCR). They will then investigate and review the violation to determine whether or not your company was negligent.
Your organization will need to provide an audit trail, figure out what caused the breach, and deal with the relevant PHI data to make sure it’s safe.
If the OCR determines that the actions your company takes to respond to the violation are insufficient, you’ll be subject to a fine, which we detail in a later section.
Understanding the Omnibus Rule
This rule is perhaps one of the most important changes to HIPAA regulations. The rule made a number of notable updates that clarified and broadened the definition of business associates, which thus expanded HIPAA to cover several other organizations and individuals.
Civil penalties were also increased for HIPAA violations as a result of this rule, and the penalties themselves became tiered (as you’ll read about later on in this article). The Omnibus rule also prohibited companies from utilizing PHI for marketing purposes.
Understanding HIPAA Breach Notifications
HIPAA Breach Notifications is a rule that requires your organization to send a notification of a breach or improper access to your PHI or ePHI within 60 days.
If over 500 PHI records are improperly accessed, the Department of Health and Human Services (HHS) must be notified and your organization will be required to do a press release regarding the breach.
In your company’s report of the HIPAA violation, you must mention a few details, including:
- Any information you have on the unauthorized person or persons who accessed your PHI data.
- A list of the PHI that was made available.
- A list of all mitigation steps your company has taken to respond to the breach.
- Confirmation that the unauthorized person or persons actually viewed the PHI.
If the breach impacts fewer than 500 PHI records, your company can simply report the violations once per year, as mentioned in the Breach Notification Rules.
What Counts as a HIPAA Violation?
Most HIPAA violations occur as a result of negligence or only partial compliance with the HIPAA Privacy and Security Rules.
If it’s clear that there’s been a data breach/theft of devices or documents that may give the thief access to PHI or ePHI, that counts as a HIPAA violation.
However, if something like a laptop containing ePHI is stolen but the ePHI is encrypted, this would not count as a HIPAA violation as the data would still be secure.
Common Causes of HIPAA Violations
There are several common causes of HIPAA violations, and all of them can be avoided if your organization follows the best practices for IT Security.
- If a thief manages to sneak into your facility and steal equipment, storage units, or devices that have PHI on file, this would cause a HIPAA violation. Keep in mind that data theft often occurs from inside your organization. In fact, according to Statistic Brain, 75% of employees have admitted to stealing from their employer at least once.
- Another common cause of HIPAA violations is when a hacker manages to get into your company databases which contain PHI. They may not specifically be after PHI, but the risk is still there. RiskBased reported that, “Data breaches exposed 4.1 billion records in the first half of 2019.”
- If you discuss PHI in public, whether it be in person or on online forums/social media, this could result in a HIPAA violation.
- Another common cause of HIPAA violations is when someone within your organization accidentally sends PHI to the wrong person, so it’s best to set measures in place to make sure that all transferred data goes where it’s meant to.
What are the Different Fine Levels of HIPAA Compliance Violations?
There are four levels of fines for HIPAA compliance violations.
- Level 1: Did Not Know — This is where the covered entity was unaware of and couldn’t have realistically avoided the violation. At this level, a reasonable amount of care must have been taken to abide by the HIPAA regulations.
  Minimum fine of $100 per violation up to $50,000.
- Level 2: Reasonable Cause — This is when the covered entity should have been aware of the violation, but could not have avoided it even if they acted with a reasonable amount of care.
  Minimum fine of $1,000 per violation up to $100,000.
- Level 3: Wilful Neglect — This is when the violation occurred as a direct result of wilful neglect, but an attempt was made to correct the violation.
  Minimum fine of $10,000 per violation up to $250,000.
- Level 4: Wilful Neglect + No Action — This is when the violation was a result of wilful neglect and no action was taken to correct the violation.
  Minimum fine of $50,000 per violation and up to $1,500,000.
How to Keep Your HIPAA Compliance Program Running Smoothly
When it comes to keeping your HIPAA compliance program running smoothly, there are 7 key rules your company should follow, which were established by the Office of the Inspector General (OIG) for the HHS. We list the 7 rules below; you can find the full training guide here.
- Implement written policies, procedures, and standards of conduct. If any personnel in your workforce are uncertain of how to maintain compliance, they should be able to reference documents whenever they need to.
- Your company should designate a compliance officer and a compliance committee. Having multiple levels of accountability will help ensure that all relevant parties are doing their due diligence to maintain compliance.
- Conduct training and education related to maintaining HIPAA compliance and general data security best practices. All sensitive data, not just PHI, should be safe and secure with your organization.
- All personnel should be able to contact the authorized parties to address an issue or question related to HIPAA compliance. For this reason, it’s critical that your organization maintain clear and effective lines of communication.
- Make sure that your company is conducting internal monitoring and auditing of your compliance security program. Cyberthreats become more sophisticated over time so it should be expected that what worked a year ago may not work today. Pay special attention to changes in data security.
- All employees should be aware of the consequences of violating HIPAA compliance, so it’s good practice for your organization to enforce your security policy standards via well-publicised disciplinary guidelines.
- In the event of a data breach or a suspected data breach, make sure your company is able to promptly report and respond to the event to mitigate/prevent any further offenses.
HIPAA Compliance Risk Assessment
By this point in the article, you’ve learned more about HIPAA compliance regulations, why they’re important, and what the risks are if compliance is violated.
To help your company understand how to avoid violations altogether, we’re going to walk through how to perform proper HIPAA compliance risk assessments, as determined by the Office for Civil Rights (OCR).
Determine the Scope of Analysis
When determining the risks to your organization’s PHI security, ask yourself, “Where does our company keep our PHI and ePHI? Are those locations and storage situations secure? Have we audited the security of these storage areas?”
Your company needs to clarify where your sensitive PHI data is and what you’re currently doing to protect it if you’re to understand where the cracks may be in your security.
Clarify Your Means of Data Collection
How do you store your company’s PHI? On paper? In online documents? Is it easy to find and classify your PHI? The OCR will be thorough if they’re ever to investigate a HIPAA violation, so it’s best to know exactly where any PHI data is and to document how you collect it.
Stress Test Your Security to Identify Vulnerabilities
It’s one thing to set up security measures to protect your PHI; it’s another thing to try to undermine your security to identify any potential vulnerabilities. Put yourself in a hacker or thief’s position and ask, “How can I break into these systems and steal this data?”
If you come up with a way to bypass your own security, you’ll know exactly what improvements to make.
Make an Assessment of Current Security Measures
Similar to the last point, you’ll want your organization to conduct a thorough assessment of what security measures are currently in place. Once you know what you have, you’ll be able to identify how your company can improve, update, or swap out old security technologies.
Determine the Likelihood of a Threat Occurrence
While it’s true that some businesses are more likely to get attacked than others, with the consistent increase in cyber attacks every year, it’s safe to say that your organization is at greater risk now than ever.
The likelihood of an attack is yet another reason to make sure that your organization is prepared to protect your sensitive data.
Identify the Level of Risk
If someone were to try to steal from your organization, how likely is it that they would manage to acquire PHI? The attacker might not be directly looking for PHI, but if they steal a device that contains it or hack into a database that includes it, that would still count as a breach.
If you have physical servers that contain PHI and they aren’t stored in a locked server room, the risk of theft is considerably higher than if the room were locked and monitored.
Document Relevant Information
Document as much as you can, from your process for sorting PHI to the steps you take to recover PHI in the event of a data breach.
Review and Update Your Company’s Risk Assessment
Your organization’s risk profile should be updated at least every few months.
What are the Standard HIPAA Transactions?
There are standards for how any particular covered entity or business associate should exchange personal health information (PHI). The common types of transactions that you should be aware of are listed out below.
- Insurance claims and patient encounter information
- Health related payments and remittance advice
- Claims status
- Inquiries related to insurance eligibility
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payments
Maintaining HIPAA Compliance
As a modern company, data security should already be a priority that’s on your mind, but if you or any other relevant parties work with personal health information (PHI), it’s good to familiarize yourself with HIPAA regulations to avoid any compliance issues.
This article should leave you more aware of what goes into maintaining compliance, and in the event that a breach occurs, you’ll be able to communicate what to do to the rest of your organization.
- What is HIPAA Compliance? — HIPAA stands for the Health Insurance Portability and Accountability Act. It is a series of regulatory standards that business associates and covered entities use to keep PHI secure from prying eyes.
- What are Covered Entities? — Covered entities are entities that may access PHI for work purposes. They include doctors, nurses, and insurance companies, among others.
- What are Business Associates? — These are people or vendors that work with covered entities in a non-healthcare capacity, such as accountants, lawyers, IT personnel, administrators, etc.
- What is the HIPAA Patient Privacy Rule? — This rule lays out the details for how your company should manage, use, and protect PHI. They essentially are the foundation of HIPAA regulations.
- Key points from the HIPAA Security Rule — There are many key points expressed by the HIPAA security rule. For instance, your company should have a process for security management, assign security responsibility appropriately, maintain security within the workforce, determine which personnel have access to PHI, conduct training for security awareness, establish security incident procedures, have a contingency plan, and properly evaluate your HIPAA security policies.
- What is the HIPAA Enforcement Rule? — This rule clarifies what your company needs to do in the event of a HIPAA violation.
- HIPAA Breach Notifications — This rule requires that your organization send a notification of a breach or improper access to your PHI within 60 days.
- What are the Common Causes of HIPAA Violations? — Common causes of HIPAA violations include thefts or break-ins, hackings, discussing PHI in public, and accidentally transferring PHI to the wrong person within or outside your organization.
- Different Fine Levels of HIPAA Compliance Violations? — The first level is when you’re unaware of or couldn’t have avoided a violation, with a minimum fine of $100 per violation up to $50,000. The second level is when there’s reasonable cause that you were aware of the violation, but couldn’t have avoided it, with a minimum fine of $1,000 per violation up to $50,000. The third level occurs when your organization’s wilful neglect caused the violation but you did something to correct it, with a minimum fine of $10,000 per violation up to $50,000. The fourth and final level is when the violation occurs due to your company’s wilful neglect and no action is taken to correct it, with a minimum fine of $50,000 per violation.
- Keeping Your HIPAA Compliance Program Secure — There are seven key rules that your organization should follow to keep your compliance program secure, but for more information, you can view the official training guide here.
- HIPAA Compliance Risk Assessment — When assessing your HIPAA compliance risk, make sure your organization determines the scope of your analysis, clarifies your means of data collection, documents any threats and vulnerabilities in security, assesses your current security measures, determines the likelihood of a threat occurrence and the level of risk, documents as much as it can, and reviews your risk assessment regularly.
- Standard HIPAA Transactions — Some standard transactions related to HIPAA include inquiries related to eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, premium payments, insurance claims and encounter info, health related payments, and more.
Keeping Your Company’s Private Data Secure
If your company works with personal health information (PHI), it’s important that you see HIPAA compliance as more than just a law you must abide by.
Your PHI is data that your organization is responsible for, and the protection and security of your data is critical to thriving in the modern digital age.
If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.
An in-depth understanding of your IT environment will allow you to clearly document and improve any potential security weaknesses that might get between you and maintaining compliance.