The Health Insurance Portability and Accountability Act, commonly known as HIPAA, first came into law in 1996 and has been amended and updated a number of times since its introduction. Healthcare groups and other organizations in the healthcare space should prepare a checklist to ensure they are acting in compliance with HIPAA, which governs the handling and treatment of protected health information (PHI) in an effort to reduce healthcare fraud, provide insurance for people while they are between jobs, and keep sensitive health information private and secure.
PHI is the name used to refer to a number of different types of personally identifying information (PHI). It includes obvious elements like names of patients, email addresses, and record and account numbers – as well as less obvious identifying information such as IP addresses, dates relevant to the individual, device serial numbers, and recorded voice prints.
Below, we briefly explain who is concerned and some of the main elements to include in your HIPAA compliance checklist.
Who is Affected by HIPAA?
The definition of who exactly HIPAA applies to is somewhat vague to ensure that all relevant organizations are included and potential loopholes are avoided. There are two main groups affected by HIPAA: covered entities and their business associates. Covered entities are typically organizations that produce, treat, or share PHI, such as health plan providers, healthcare providers, and healthcare clearing houses. For the most part, employers are not considered covered entities, even if they maintain a certain amount of healthcare data on their employees.
Business associates are generally companies that provide administrative or other services to covered entities and, while they do not create or directly treat PHI, they may regularly come into contact with it as part of their service. Business associates must have a specific HIPAA compliant contract in place with the covered entity known as a Business Associate Agreement (BAA) before any PHI can be used with their service.
If you are unsure whether your organization should be covered by HIPAA, you should err on the side of caution and seek professional advice, as failure to comply with HIPAA Rules and associated legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act can result in sanctions including heavy financial penalties, criminal charges, and civil lawsuits. HIPAA Rules are enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR) and can also be applied by state Attorneys General.
What Does HIPAA Compliance Mean?
All aspects of HIPAA should be complied with. Some are required whereas others are addressable – meaning alternate methods of achieving the desired result are allowed. Certain cases may even permit exemptions to some addressable safeguards. Your checklist should cover compliance with some of the more substantial HIPAA Rules:
- The HIPAA Security Rule
- The HIPAA Privacy Rule
- The HIPAA Breach Notification Rule
- The HIPAA Omnibus Rule
The Security Rule lays out the requirements that must be in place to protect electronic PHI (ePHI) when is both at rest and in transit. Any system or person authorized to read, modify, write, share, or otherwise access PHI and personal identifying information is bound by the conditions of the HIPAA Security Rule. There are three different types of safeguards that apply; technical, physical and administrative.
The technical safeguards concern, among other aspects, access controls to networks and encryption of data so that it is unreadable and unchangeable if intercepted in transit. Activity logs should register access and changes made to records. Audits should be carried out frequently. Physical safeguards include registering people who have access to locations where PHI or ePHI is stored, work space designs to prevent onlookers or unauthorized individuals from inadvertently or deliberately viewing PHI, and policies concerning the security of mobile devices.
Administrative safeguards somewhat link the Security and Privacy Rules. Part of this is the appointment of Security and Privacy Officers for the organization. Another part deals with internal policies for employees working with PHI. Risk assessments, risk management, staff training, and the development and testing of contingency plans are important aspects of the administrative safeguards. Managing BAAs with suppliers and reporting security incidents are policies that should also be implemented.
The Privacy Rule was introduced in 2003. It sets required measures to protect privacy and personal health information, as well as conditions on why and how information can be disclosed without patient consent. The Privacy Rule allows patients to request copies of their PHI and provide corrections. Under the Rule, staff are required to be trained on when PHI can be shared outside of their organization, steps must be introduced to protect the integrity of the data, and patients must consent to certain uses of their information.
Should a breach of PHI occur, HIPAA’s Breach Notification Rule covers the steps that must be taken to notify patients, government bodies, and other relevant parties depending on the scale of the breach. Notifications must be issued to patients within 60 days of discovering the breach. The notifications should include the type of information exposed; whom it was disclosed to (if possible); if the data was viewed or acquired (if possible); and what action has been taken to reduce damage and future data exposures.
In order to clarify some of the older legislation, the HIPAA Omnibus Rule was introduced in 2013 to better define who was subject to HIPAA Rules, what procedures should be put in place, and how this could be achieved. It also combined HIPAA with certain elements of HITECH, and the Genetic Information Nondiscrimination Act (GINA), as well as introducing a clearer penalty structure for violations. If your organization has not updated privacy policies, BAAs, and training requirements since the introduction of the Omnibus Rule, these should be checked.
One Reason Why Checking Compliance is Important
While not necessarily something that requires being checked off, organizations should be aware of another Rule which deals with HIPAA violation penalties: the HIPAA Enforcement Rule. It sets fines per violation and per category, based on a scale of severity and perceived negligence. The maximum of $1.5 million per year, per violation category can quickly be attained if HIPAA compliance is not taken seriously. Organizations should also be aware that civil lawsuits may follow these government imposed fines. These could put offenders out of business, especially considering the fact that smaller private practices and pharmacies are among the most common subjects of enforcement actions.