If your business works directly or indirectly in the healthcare industry, you’re probably aware of HIPAA regulations and the fines that come with failing to maintain compliance.

As an example, in 2019, fines for HIPAA violations cost 11 organizations over 15 million dollars! This is less than the amount of fines dealt out in 2018, but $15,000,000 is no small sum to lose over an issue like this. 

Understanding all the rules and regulations around HIPAA compliance can be confusing, so we created this article to help clarify, if not simplify, some of the major pieces of this compliance puzzle. 

Before we go on, however, we want to make it clear that we’re not giving legal advice—Commprise is an MSP and not qualified to do that. Our goal is to get you up to speed with what HIPAA compliance is, help you understand its purpose, and better comprehend how it relates to your IT security.

What is HIPAA Compliance? 

HIPAA stands for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It’s a series of regulatory standards that business associates and covered entities use to keep their Protected Health Information (PHI) secure.

In addition to securing patients against data breaches, an important aspect of HIPAA as it relates to your IT includes how your organization allows patients to access their PHI and what methods you use to provide it to them securely.  

Different organizations have to abide by different standards based on their available resources to secure their protected health information, which often makes maintaining compliance a bit confusing.

Put simply, the purpose of HIPAA is to keep people’s healthcare information private. 

HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). 

This year, the OCR announced an update to HIPAA compliance which stated that they “will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites, and will refrain from imposing sanctions and penalties on covered entities and business associates at these drive through, walk-up, and mobile sites.”

Other aspects of the HIPAA Rules that have proven to be unnecessarily strict towards covered entities will be removed to create an experience that reflects value-based healthcare. For more HIPAA updates, visit the HIPAA Journal.

What Qualifies as Protected Health Information (PHI)? 

Protected health information is a mixture of your identifying information (name, address, license, etc.) and any health-related data that’s been collected by healthcare practitioners (like doctors) or healthcare facilities (like hospitals). 

PHI includes: 

To give an example, if you know that you’re diagnosed with a particular illness, that information would fall under PHI. 

To understand what kind of information you need to remove in order to de-identify PHI, refer to the Safe Harbor Rule.

What are Covered Entities? 

This refers to entities within the healthcare field that have access to PHI and may use it for their work. Examples of covered entities: doctors, nurses, and insurance companies. 

This is important to understand because, if your business works with covered entities and you have PHI in your databases, your company will need to make sure it’s maintaining HIPAA compliance.

What are Business Associates?

The term “Business Associates” refers to people or vendors that work with a particular covered entity in a non-healthcare capacity. 

Even though they aren’t directly related to the healthcare field, they are equally responsible for maintaining compliance with HIPAA regulations. 

Examples of business associates: accountants, lawyers, IT personnel that work in the healthcare industry, administrators, start-ups that sell healthcare tech, etc. 

What are Business Associates Agreements (BAAs)?

BAAs are agreements between HIPAA covered entities and other organizations, such as IT companies and other vendors, that are formed to ensure the security of their PHI data. 

The agreements must be in writing, either as a contract or as some other official form of written agreement. 

What is the HITECH act? 

Signed into law in 2009, HITECH stands for the Health Information Technology for Economic and Clinical Health Act.

This act was put together in order to incentivise more healthcare organizations to adopt health information technology, and more specifically to get them to start using electronic health records (EHR). 

Understanding the HIPAA Patient Privacy Rule

The HIPAA Patient Privacy Rule lays out the details of how your organization should manage, use, and protect your PHI. In fact, these rules are the foundation of HIPAA regulations.

Your organization, or a covered entity that accesses your business’s PHI, can use these rules to explain how or when you’re allowed to use that sensitive data. 

The regulatory standard has to be properly documented in your business’s HIPAA policies and procedures, and for greater security, it’s best if you have all employees undergo annual training on these policies. 

In order to make your organization’s PHI available to other parties, the law requires you to sign a HIPAA PHI release form.

Information Protected by the Patient Privacy Rule

Understanding the HIPAA Security Rule

This rule defines the minimum standards necessary to meet in order for covered entities to handle, maintain, and transmit electronic PHI (ePHI). 

The rule says, “The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.”

Below are key ideas expressed in that rule:

Understanding the HIPAA Enforcement Rule

This rule clarifies what your company needs to do in the event of a HIPAA violation.

If a data breach occurs and PHI was involved, your organization must report it to the Office for Civil Rights (OCR). They will then investigate and review the violation to determine whether or not your company was negligent.

Your organization will need to provide an audit trail, determine what caused the breach, and secure the affected PHI data. 

If the OCR determines that the actions your company takes to respond to the violation are insufficient, you’ll be subject to a fine, which we detail in a later section. 

Understanding the Omnibus Rule 

This rule is perhaps one of the most important changes to HIPAA regulations. The rule made a number of notable updates that clarified and broadened the definition of business associates, which thus expanded HIPAA to cover several other organizations and individuals. 

Civil penalties were also increased for HIPAA violations as a result of this rule, and the penalties themselves became tiered (as you’ll read about later on in this article). The Omnibus rule also prohibited companies from utilizing PHI for marketing purposes. 

Understanding HIPAA Breach Notifications

The HIPAA Breach Notification Rule requires your organization to send a notification of a breach or improper access to your PHI or ePHI within 60 days. 

If over 500 PHI records are improperly accessed, the Department of Health and Human Services (HHS) must be notified and your organization will be required to do a press release regarding the breach. 

In your company’s report of the HIPAA violation, you must mention a few details, including: 

If the breach impacts fewer than 500 PHI records, your company can simply report the violations once per year, as mentioned in the Breach Notification Rule. 

What Counts as a HIPAA Violation? 

Most HIPAA violations occur as a result of negligence or only partial compliance with the HIPAA Privacy and Security Rules. 

If it’s clear that there’s been a data breach/theft of devices or documents that may give the thief access to PHI or ePHI, that counts as a HIPAA violation. 

However, if something like a laptop containing ePHI is stolen but the ePHI is encrypted, this would not count as a HIPAA violation as the data would still be secure. 

Common Causes of HIPAA Violations

There are several common causes of HIPAA violations, and all of them can be avoided if your organization follows best practices for IT security.

What are the Different Fine Levels of HIPAA Compliance Violations?

There are four levels of fines for HIPAA compliance violations. 

How to Keep Your HIPAA Compliance Program Running Smoothly

When it comes to keeping your HIPAA compliance program running smoothly, there are 7 key rules your company should follow, which were established by the Office of the Inspector General (OIG) for the HHS. We list the 7 rules below; you can find the full training guide here.

  1. Implement written policies, procedures, and standards of conduct. If any personnel in your workforce are uncertain of how to maintain compliance, they should be able to reference documents whenever they need to. 
  2. Your company should designate a compliance officer and a compliance committee. Having multiple levels of accountability will help ensure that all relevant parties are doing their due diligence to maintain compliance. 
  3. Conduct training and education related to maintaining HIPAA compliance and general data security best practices. All sensitive data, not just PHI, should be safe and secure with your organization. 
  4. All personnel should be able to contact the authorized parties to address an issue or question related to HIPAA compliance. For this reason, it’s critical that your organization maintain clear and effective lines of communication. 
  5. Make sure that your company is conducting internal monitoring and auditing of your compliance security program. Cyberthreats become more sophisticated over time so it should be expected that what worked a year ago may not work today. Pay special attention to changes in data security.
  6. All employees should be aware of the consequences of violating HIPAA compliance, so it’s good practice for your organization to enforce your security policy standards via well-publicised disciplinary guidelines. 
  7. In the event of a data breach or a suspected data breach, make sure your company is able to promptly report and respond to the event to mitigate/prevent any further offenses. 

HIPAA Compliance Risk Assessment 

By this point in the article, you’ve learned more about HIPAA compliance regulations, why they’re important, and what the risks are if compliance is violated. 

To help your company understand how to avoid violations altogether, we’re going to walk through how to perform proper HIPAA compliance risk assessments, as determined by the Office for Civil Rights (OCR). 

Determine the Scope of Analysis

When determining the risks to your organization’s PHI security, ask yourself, “Where does our company keep our PHI and ePHI? Are those locations and storage situations secure? Have we audited the security of these storage areas?” 

Your company needs to clarify where your sensitive PHI data is and what you’re currently doing to protect it if you’re to understand where the cracks may be in your security. 

Clarify Your Means of Data Collection

How do you store your company’s PHI? On paper? In online documents? Is it easy to find and classify your PHI? The OCR will be thorough if they’re ever to investigate a HIPAA violation, so it’s best to know exactly where any PHI data is and to document how you collect it. 

Stress Test Your Security to Identify Vulnerabilities

It’s one thing to set up security measures to protect your PHI; it’s another thing to try to undermine your own security to identify any potential vulnerabilities. Put yourself in a hacker or thief’s position and ask, “How could someone break into these systems and steal this data?” 

If you come up with a way to bypass your own security, you’ll know exactly what improvements to make. 

Make an Assessment of Current Security Measures

Similar to the last point, you’ll want your organization to conduct a thorough assessment of what security measures are currently in place. Once you know what you have, you’ll be able to identify how your company can improve, update, or swap out old security technologies. 

Determine the Likelihood of a Threat Occurrence

While it’s true that some businesses are more likely to get attacked than others, with the consistent increase in cyber attacks every year, it’s safe to say that your organization is at greater risk now than ever before. 

The likelihood of an attack is yet another reason to make sure that your organization is prepared to protect your sensitive data. 

Identify the Level of Risk

If someone were to try to steal from your organization, how likely is it that they would manage to acquire PHI? The attacker might not be directly looking for PHI, but if they steal a device that contains it or hack into a database that includes it, that would still count as a breach. 

If you have physical servers that contain PHI and they aren’t stored in a locked server room, the risk of theft is considerably higher than if the room were locked and monitored. 

Document Relevant Information

Document as much as you can, from your process for sorting PHI to the steps you take to recover PHI in the event of a data breach. 

Review and Update Your Company’s Risk Assessment

Your organization’s risk profile should be updated at least every few months. 

What are the Standard HIPAA Transactions? 

There are standards for how any particular covered entity or business associate should exchange protected health information (PHI). The common types of transactions that you should be aware of are listed below.

Maintaining HIPAA Compliance 

As a modern company, data security should already be a priority, but if you or any other relevant parties work with protected health information (PHI), it’s good to familiarize yourself with HIPAA regulations to avoid any compliance issues. 

This article should leave you more aware of what goes into maintaining compliance, and in the event that a breach occurs, you’ll be able to communicate what to do to the rest of your organization. 

In summary: 

Keeping Your Company’s Private Data Secure 

If your company works with protected health information (PHI), it’s important that you see HIPAA compliance as more than just a law you must abide by. 

Your PHI is data that your organization is responsible for, and the protection and security of your data is critical to thriving in the modern digital age. 

If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.

An in-depth understanding of your IT environment will allow you to clearly document and improve any potential security weaknesses that might get between you and maintaining compliance.