If you work in the medical space, you’ve probably heard the word “HIPAA” at some point. But what exactly is it?
For medical institutions, compliance with the Health Insurance Portability and Accountability Act (HIPAA) isn’t just a legal obligation - it's a vital safeguard for maintaining trust and upholding patient privacy. With cyberattacks on the rise and data breaches threatening sensitive medical records, adhering to HIPAA standards ensures that healthcare organizations protect both their patients and their reputations.
But what exactly does HIPAA compliance entail, and how can your institution ensure it’s fully compliant?
HIPAA, the Health Insurance Portability and Accountability Act, is a set of rules that regulate the use and disclosure of protected health information (PHI).
Protected health information, or PHI, includes information such as phone numbers, social security numbers, and home addresses. It is essentially any information that can be used to identify a patient or client.
HIPAA protects an individual’s PHI not only throughout the patient’s life, but also for up to 50 years after the patient’s death.
There are two types of organizations that need to be HIPAA-compliant:
Covered entities: These include health plans, health care clearinghouses, and health care providers. A covered entity is any organization that creates, collects, or electronically transmits PHI.
Business associates: An organization that encounters PHI through its work for a covered entity. There are many kinds of business associates because of the large number of service providers, such as billing companies, attorneys, and IT providers, that handle PHI.
It is crucial to remember these rules if you are dealing with patient data:
The HIPAA Privacy Rule sets standards for patients’ rights to PHI. Some of the regulations outlined by the HIPAA Privacy Rule include patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure HIPAA release forms and Notices of Privacy Practices, and more. The regulations must be documented in the institution’s HIPAA policies and procedures, on which all employees are trained annually, with documented attestation.
The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of electronic PHI (ePHI). It outlines the physical, administrative, and technical safeguards that must be upheld in all healthcare organizations. Details of the rule must be documented in the organization’s HIPAA Policies and Procedures, and staff must be trained on these Policies and Procedures annually, with documented attestation. This rule applies to both covered entities and business associates.
The HIPAA Breach Notification Rule is a set of standards to be followed in case of a data breach involving PHI or ePHI. Organizations are required to report all breaches, regardless of size, but the specific protocols depend on the type of breach.
The HIPAA Omnibus Rule states that business associates must be HIPAA compliant, also enforcing the rules surrounding Business Associate Agreements. These agreements are contracts between a covered entity and business associate or between two business associates that are signed before any PHI or ePHI can be shared.
Self-Audits: In order to assess administrative, technical and physical gaps, HIPAA requires both covered entities and business associates to conduct annual audits of their organization.
Remediation Plans: Once gaps in compliance have been identified through the self-audits, business associates and covered entities must implement remediation plans to close these gaps. These plans must be fully documented.
Policies, Procedures, Employee Training: Next, policies corresponding to HIPAA regulatory standards must be developed. These policies and procedures must be regularly updated to keep pace with organizational changes. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff have read and understood each of the organization’s policies and procedures.
Documentation: All efforts by HIPAA-beholden organizations to become HIPAA compliant need to be documented.
Business Associate Management: Both covered entities and business associates must keep a record of every vendor they share PHI with, and must execute Business Associate Agreements (BAAs) to ensure the information is handled safely and to reduce potential mishaps and liabilities. BAAs must be reviewed annually and executed before any PHI can be shared.
Incident Management: In case of a data breach, covered entities and business associates must document the breach and notify patients that their data has been compromised.
GDPR (General Data Protection Regulation) shares many similarities with HIPAA in its requirements, such as data protection, granting individuals rights over their data, and the security measures emphasized above.
A HIPAA violation consists of a breach in an organization’s compliance program.
Not all data breaches are HIPAA violations. A data breach becomes a HIPAA violation when it is the result of an ineffective, outdated or incomplete HIPAA compliance program, or of a violation of the organization’s own HIPAA policies.
For example, an employee losing medical data by falling for a phishing scam is a data breach. On the other hand, a HIPAA violation could be when a company that has no policy stopping employees from taking company laptops offsite has its medical data stolen along with one of those laptops.
HIPAA violations commonly fall into several categories:
Improper use and disclosure of PHI: This kind of violation occurs when PHI or ePHI is wrongly distributed to another party. In May of 2017, Mount Sinai-St. Luke’s Hospital in New York City was fined $387,000. An HIV clinic within its system sent a patient’s HIV status and medical records to a third party - the patient’s employer - without receiving proper HIPAA authorization. The incident was investigated, and it was found that there was improper use and disclosure of PHI, constituting a HIPAA violation.
Data breaches: These can constitute a HIPAA violation when the regulations of the HIPAA Security Rule are not followed. To maintain compliance with the HIPAA Security Rule, HIPAA-beholden entities must have proper safeguards (technical, physical and administrative) in place to keep PHI and ePHI secure. In recent years, ransomware operators have ramped up their attacks against health care organizations. Medical data is worth significantly more than financial data on the black market, making health care organizations increasingly attractive targets for cyberattacks. Proper security safeguards can protect health care organizations against ransomware and prevent HIPAA violations.
Minimum Necessary Rule violations: This rule states that employees of covered entities may only access or handle the minimum amount of PHI necessary to complete a given task. If the Minimum Necessary Rule is broken, exposing a large portion of a patient’s medical record, it constitutes a HIPAA violation and can lead to HIPAA fines.
Access controls: These limit the number of staff members at an organization who have access to PHI. Access should be limited based on the responsibilities of each employee. If access controls are too open, PHI is at greater risk of being exposed, which in the case of a data breach could lead to major fines.
Notice of Privacy Practices: Before beginning treatment, covered entities must allow patients to review and agree to their Notice of Privacy Practices. HIPAA regulation urges covered entities to post their Notice of Privacy Practices in plain sight. Failure to disclose their Privacy Practices can lead to HIPAA violations.
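The Minimum Necessary Rule and access controls described above are easiest to reason about as a field-level policy rather than an all-or-nothing switch on the patient record. The following Python example is added here as an illustration and is not code from the original article or from any HIPAA-mandated specification: the roles, tasks, field names and patient record are all constructed samples. It grants a role only the fields its task needs, withholds everything else by default, and writes every decision to an audit trail so over-broad requests can be reviewed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample policy: for each role, the tasks it performs and the
# PHI fields that task genuinely needs. Roles, tasks and field names are
# hypothetical illustrations, not a list defined by HIPAA itself.
MINIMUM_NECESSARY_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "billing_clerk": {
        "prepare_invoice": {"patient_id", "name", "address", "insurance_id"},
    },
    "treating_physician": {
        "deliver_care": {"patient_id", "name", "diagnosis", "medications", "lab_results"},
    },
    "front_desk": {
        "schedule_visit": {"patient_id", "name", "phone"},
    },
}

# Constructed sample patient record (entirely fictional data).
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "address": "1 Example St",
    "phone": "555-0100",
    "insurance_id": "INS-12345",
    "diagnosis": "example diagnosis",
    "medications": "example medication",
    "lab_results": "example result",
}


@dataclass(frozen=True)
class AuditEntry:
    """One row of the access log: enough for a reviewer to reconstruct who saw what."""
    timestamp: str
    role: str
    task: str
    granted: Tuple[str, ...]
    denied: Tuple[str, ...]


AUDIT_LOG: List[AuditEntry] = []


def request_phi(record: Dict[str, str], role: str, task: str,
                fields: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return only the requested fields the role/task pair is permitted to see.

    Fields outside the policy are withheld, and the decision is logged either
    way so over-broad requests are visible in the audit trail. Unknown roles
    or tasks are allowed nothing (default deny).
    """
    allowed = MINIMUM_NECESSARY_POLICY.get(role, {}).get(task, set())
    requested = set(fields)
    granted = {f: record[f] for f in sorted(requested & allowed) if f in record}
    denied = sorted(requested - allowed)
    AUDIT_LOG.append(AuditEntry(
        timestamp=datetime.now(timezone.utc).isoformat(),
        role=role,
        task=task,
        granted=tuple(sorted(granted)),
        denied=tuple(denied),
    ))
    return granted, denied


def overbroad_requests(threshold: int = 1) -> List[AuditEntry]:
    """Audit helper: log entries where more than `threshold` requested fields were denied.

    Repeated denials for the same role and task are the signal that either the
    policy is too narrow for the job or someone is reaching beyond their
    responsibilities; both deserve a look during the annual self-audit.
    """
    return [entry for entry in AUDIT_LOG if len(entry.denied) > threshold]


if __name__ == "__main__":
    granted, denied = request_phi(
        SAMPLE_RECORD, "billing_clerk", "prepare_invoice",
        ["name", "insurance_id", "diagnosis", "lab_results"],
    )
    print("granted:", granted)
    print("denied:", denied)
    print("over-broad requests:", overbroad_requests())
```

The billing clerk in the sample receives the name and insurance ID needed to invoice, while the diagnosis and lab results are withheld and the attempt is recorded. In a real system the policy table would live outside the code and be reviewed alongside the other Policies and Procedures, and the audit log would be write-once storage rather than an in-memory list.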
Employee awareness supports HIPAA compliance by helping staff understand how to handle PHI safely, adhere to policies, and recognize security risks. Habits are formed with regular practice, which is exactly what security awareness programs exist to provide.
To enjoy an interactive lesson on HIPAA compliance and other cybersecurity related topics, be sure to sign up for Cytadel, a cybersecurity awareness training game.
Happy learning!
Here's a handy little HIPAA compliance checklist summarizing everything: