The Health Insurance Portability and Accountability Act (HIPAA) was created to simplify the flow of healthcare information and ensure that all protected health information (PHI) is kept confidential and private. HIPAA created national standards to protect sensitive patient health information so it can only be collected, shared, stored, and used for legitimate purposes. Learn more about HIPAA guidelines below.
Who Is Required to Comply With HIPAA Guidelines?
HIPAA guidelines apply to any covered entities and business associates who work with or provide a service to a covered entity and have access to PHI including:
Healthcare plans (healthcare insurance companies, HMOs, company health plans, etc.)
What is PHI?
PHI is any health information about a diagnosis, insurance, treatment, or lab results. It must be protected by covered entities and business associates no matter how or where it is collected, transmitted, or stored. The general rule is that if it relates to an identifiable person’s health, it is probably PHI. This includes:
Health plan ID addresses
HIPAA Privacy Rule
The HIPAA Privacy Rule became effective April 14, 2001. The goal of the HIPAA Privacy Rule is to protect the privacy and confidentiality of PHI by requiring safeguards for it and by setting limits on the use and disclosure of PHI without the patient’s consent. The HIPAA Privacy Rule applies only to covered entities, because business associates do not work directly with PHI. The rule gives patients rights over their health information, including examining and obtaining copies of their health records, amending PHI in their records, and receiving a full accounting of any PHI disclosures made by a covered entity within the past six years. In addition, covered entities must adhere to a “minimum necessary rule,” which states that organizations should access only the PHI they need to perform their job functions.
HIPAA Security Rule
The HIPAA Security Rule became effective April 14, 2003. The HIPAA Security Rule focuses on security standards at a national level and protects individually identifiable health information that is created, received, maintained, or transmitted in electronic form. Unlike the Privacy Rule, the HIPAA Security Rule applies to both covered entities and business associates. Both are required to address the administrative, physical, and technical safeguards needed to secure electronic protected health information (ePHI). To comply with this rule, organizations must:
Ensure the confidentiality, integrity, and availability of all electronic protected health information.
Detect and safeguard against anticipated threats to the security of ePHI.
Protect against anticipated impermissible uses or disclosures.
Certify compliance by their workforce.
HIPAA Breach Notification Rule
Organizations required to comply with HIPAA must notify the Department of Health and Human Services (HHS) in the event of a breach. In addition, organizations must be cognizant of state breach notification laws, as those are often more stringent than federal requirements. There are two categories of a breach that organizations should be aware of:
A meaningful breach affects 500 or more individuals. The breach must be reported within 60 days of discovery, and organizations must notify the HHS, affected individuals, and the media.
A minor breach affects fewer than 500 individuals. A minor breach must be reported by the end of the calendar year, and organizations must notify the HHS and affected individuals.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule states that business associates must comply with the HIPAA standards. As part of the rule, organizations must secure business associate agreements (BAAs). BAAs are legal contracts that set out each party’s responsibilities regarding HIPAA and specify which party is responsible for breach notification. In addition, BAAs limit each party’s liability, because they state that each entity is responsible for its own HIPAA compliance. If a business associate is unwilling to sign a BAA, it is recommended that organizations choose another vendor. HIPAA covered entities are responsible if their business associate experiences a breach and no BAA was ever signed.
How To Comply With HIPAA Guidelines
HIPAA focuses on protecting PHI and ePHI from unauthorized access and misuse. It requires that appropriate technical, administrative, and physical security mechanisms be implemented, including assessments and evaluations as well as training and awareness. For organizations and business associates handling PHI and ePHI, we recommend that they:
Conduct periodic assessments and evaluations of the environment to identify and remediate risks and vulnerabilities, including evaluations of third-party service provider risks.
Develop contingency plans with backups and emergent access.
Implement event recording and monitoring to detect anomalous or unauthorized activity.
Require multi-factor authentication for remote access and implement privileged access management.
Follow best practices to protect PHI and ePHI including:
Properly store and securely dispose of PHI and ePHI.
Ensure appropriate asset protection mechanisms, such as encryption and endpoint detection and response (EDR), are implemented for all assets, including mobile devices and removable media.
Send ePHI only over a secure connection with end-to-end encryption.
Limit access to PHI and ePHI to the minimum necessary for the job function.
Consequences for Not Complying with HIPAA
Individuals or organizations that violate HIPAA, whether intentionally or accidentally, may face legal ramifications costing anywhere from $50k to $250k and, depending on intent, 1-10 years in prison. Organizations found in violation can be fined up to $1.5 million.
Data breaches are listed on the Department of Health and Human Services Breach Portal, which can harm an organization’s reputation.
It’s best to stay compliant with HIPAA rules and regulations to avoid the consequences. Are you compliant? Double check that you have the essential elements of an effective HIPAA compliance program using this checklist: HIPAA Compliance Checklist.