What is HIPAA Compliance? The Ultimate Guide To Becoming HIPAA Compliant in 2022
As our society becomes increasingly reliant on technology, information about individuals is more readily available than ever before.
This has created a pressing need to protect the privacy of personal medical information.
The federal government has responded by creating specific rules governing how healthcare providers and insurers must handle private patient data - the Health Insurance Portability and Accountability Act (HIPAA for short).
In this guide, you'll learn everything you need to know about HIPAA and what HIPAA compliance is.
Let's dive in.
Note: If you are looking for the best way to become HIPAA compliant, try EasyLlama. Our video compliance training for HIPAA can get your entire company under regulations and avoid unnecessary penalties. Our bite-sized videos are easy to digest and distributable to every person in your company. Get in touch with a free trial today.
Understanding HIPAA
HIPAA is a set of specific rules that control how health care providers and insurers handle private patient data. It's all about guaranteeing patients' privacy when providers interact with sensitive patient data.
The law was passed way back in 1996, but it's been revised numerous times - most recently in 2013 via the Final Omnibus Rule. HIPAA rules are enforced by the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services (HHS).
That said, most people are aware that medical records are private, but many are unaware of exactly why or how. For example, some people mistakenly think that HIPAA exists to prevent insurance companies from seeing patient records. That's not right - HIPAA rules protect individual privacy, but they don't prevent insurance companies from accessing medical information.
HIPAA rules basically boil down to these 3 concepts:
- Everyone has a right to privacy when it comes to their medical records
- No one can be denied coverage based on pre-existing conditions
- And all health information must remain private
Beyond these basics, HIPAA gives OCR the authority to enforce rules around: using and disclosing patient data; securing paper and electronic documents (e.g., shredding your sensitive paperwork); protecting patients' medical info when they leave or change jobs; and more.
What is HIPAA compliance?
Put simply, HIPAA compliance means being aware of the different rules governing PHI handling. Every covered entity and business associate must do everything they can to become HIPAA compliant.
The HIPAA compliance process starts with a risk analysis. A risk analysis helps determine where PHI is stored, who has access to it, how it's transmitted, and what could happen if it falls into the wrong hands. This information is used to create a security plan that outlines the specific technical, administrative, and physical safeguards needed to protect PHI.
Once the security plan is in place, covered entities and business associates must implement it - and then stay up-to-date on any changes to the plan.
That said, whether you're a clinical employee or work in the IT department, everyone needs to get up-to-speed on HIPAA compliance.
Read our HIPAA compliance checklist for employers here.
You need to safeguard PHI
Protected Health Information (PHI) is defined as any information that relates to the past, present, or future physical or mental health of an individual, and can be used to identify that individual.
This includes things like:
- Name
- Address
- Social security number
- Date of birth
- Medical history
- Insurance information, and more.
Under HIPAA guidelines, providers must give individuals their PHI within 30 days after request. They must also disclose PHI when required by law, such as reporting suspected child abuse or complying with a subpoena.
Should you be HIPAA compliant?
HIPAA compliance affects most individuals and organizations involved in the healthcare industry. Any person or organization covered by the HIPAA rules must become HIPAA compliant.
If you're a healthcare provider, that means all of your employees need to know what they can and cannot do with PHI - whether patient-related or otherwise.
That said, there are two types of organizations that must comply with HIPAA regulations:
- Covered entities
- Business associates
Covered entities
Covered entities are healthcare providers, health plans, and healthcare clearinghouses.
This includes:
- Doctors
- Nurses
- Hospitals
- Clinics
- Pharmacies
- Dentists
- Optometrists
- Chiropractors
Covered entities must do everything they can to become HIPAA compliant.
Business associates
A business associate is an organization that personally handles, or gains access to, PHI in any way - whether for a covered entity or on its own behalf. In simple terms, business associates are basically third-party companies that a covered entity hires to do work for them.
Business associates include:
- IT consultants
- Lawyers
- Accountants
The Final Omnibus Rule expanded the definition of business associates to include subcontractors, but it's still generally small-time contractors and consultants.
Business associates must sign a Business Associate Agreement to protect the privacy of patient information. A business associate agreement is a contract that spells out the specific ways in which a business associate is allowed to use PHI.
The HIPAA rules you shouldn't ignore
The most important things you need to keep in mind are how the law defines Protected Health Information (PHI) and how it applies four specific rules:
- The Privacy Rule (for patient data)
- The Security Rule (to protect access to secure systems containing PHI)
- The Breach Notification Rule (in case PHI is breached)
- The Enforcement Rule (which deals with penalties if any of the above rules are broken)
Let's take a closer look at each one.
HIPAA Privacy Rule
The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The Privacy Rule requires covered entities to provide individuals with a Notice of Privacy Practices (NPP) that explains how their PHI will be used and disclosed.
The Privacy Rule also requires covered entities to obtain written authorization from individuals before using or disclosing their PHI for marketing purposes or selling their PHI to a third party.
The Privacy Rule also specifies the conditions under which covered entities may use or disclose PHI for research purposes and the minimum necessary standard that applies to PHI used for facility directories.
HIPAA Security Rule
The HIPAA Security Rule applies to electronic protected health information (ePHI). The Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic health records. The Security Rule also requires covered entities to conduct a risk assessment and develop a Risk Management Plan.
Under the HIPAA Security Rule, covered entities must encrypt all ePHI transmitted over an electronic communications network. They must also ensure that firewalls are in place and that anti-virus software is up-to-date.
Covered entities must assign a security official to oversee the implementation of the Security Rule and must provide training for all members of their workforce on how to protect ePHI.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify individuals, the Department of Health and Human Services (HHS), and, in some cases, the media of any breach of unsecured PHI. A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI.
Covered entities must notify individuals affected by a breach within 60 days of discovering the breach. They must also submit a report to HHS detailing the nature of the breach, the dates on which it occurred, and the steps taken to mitigate its effects. Covered entities are not required to report breaches involving less than 500 individuals unless they are determined to be part of a pattern or trend.
Covered entities that experience a breach must take steps to protect the privacy of the individuals affected by the breach. They must also implement policies and procedures to prevent future breaches.
The HIPAA Enforcement Rule
The HIPAA Enforcement Rule sets forth the procedures for HHS to investigate and enforce violations of the HIPAA Privacy, Security, and Breach Notification Rules.
HHS may investigate a violation if it receives a complaint or if it becomes aware of a potential violation. If HHS determines that a violation has occurred, it may issue a corrective action plan to the covered entity. If the covered entity fails to comply with the corrective action plan, HHS may initiate enforcement proceedings against the covered entity.
The HIPAA Omnibus Rule
In September 2009, HHS issued a final omnibus rule that changes the Privacy Rule and adds new provisions to the Security and Breach Notification Rules. The HIPAA Omnibus Rule clarifies how covered entities may share PHI with business associates for treatment, payment, or health care operations without obtaining authorization from the patient.
The technical safeguards required by the HIPAA Security Rule included strong encryption standards. In December 2013, HHS released guidance stating that all ePHI must be encrypted by January 2015. If an organization does not comply with these guidelines, it risks incurring significant financial penalties.
In February 2013, HHS introduced modifications to the Privacy Rule that allow patients to receive electronic copies of their health information such as test results and doctor's notes easily online without requiring authorization from providers. Covered entities must still provide paper copies upon request, but they have the option to send electronic copies if the patient agrees to receive them that way.
The Minimum Necessary Rule
The HIPAA Privacy Rule requires covered entities to take steps to ensure that only the minimum necessary PHI is used and disclosed for each purpose. The rule applies not only to disclosures made by covered entities but also to those made by their business associates.
Covered entities must develop and implement policies and procedures to ensure that PHI is only shared with those who have a legitimate need to know the information. In addition, they must train employees on the policies and procedures, monitor compliance with them, and periodically revise them as necessary.
Covered entities are required to document all uses and disclosures of PHI. They may rely on a limited data set or de-identify PHI if they want to disclose information with limited protections. They may also use or disclose PHI for health care operations without authorization.
The Technical, Physical, and Administrative safeguards you need to implement
HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards designed to ensure the privacy of PHI.
Technical Safeguards
Your organization must have technical safeguards in place to ensure the electronic protected health information (ePHI) is secured. These safeguards protect ePHI when it is being created, received, transmitted, and stored. They include:
Access Control
Healthcare organizations must have procedures in place that limit access to ePHI to authorized individuals. These procedures should include methods for authenticating users, such as passwords or biometric data, as well as restrictions on who can access ePHI, such as only allowing access from certain workstations.
Audit Controls
Organizations must have a way to track and monitor all activity that occurs with ePHI. This includes who accessed the information, when it was accessed, and what was done with the information.
Integrity Controls
This safeguard helps ensure that ePHI is accurate and complete. It is necessary to set up procedures for identifying and correcting inaccurate ePHI, as well as restricting unauthorized access to ePHI.
Availability Controls
This safeguard ensures that required ePHI information is readily available when needed. This includes frequent and timely backups of data, routine monitoring of systems and applications that contain ePHI, and disaster recovery plans.
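The access control, audit control and integrity control safeguards above, as an added example that is not code from the original page or from EasyLlama: a Python gate that checks authentication, role permission and approved workstation before granting ePHI access, records every attempt (who, when, what, outcome) in a hash-chained audit log, and verifies that the log has not been altered. The role table, workstation list, user names and patient identifiers are constructed for illustration.

```python
"""Added example: ePHI access gate with a tamper-evident audit trail."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy tables (not from the page): which roles may perform
# which actions on ePHI, and which workstations are approved for access.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "nurse": {"read"},
    "billing": {"read_billing"},   # minimum necessary: no clinical notes
}
APPROVED_WORKSTATIONS = {"WS-ICU-01", "WS-CLINIC-07"}
GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """Canonical SHA-256 over a record (sorted keys, without the 'hash' field)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only audit log; each record carries the hash of its predecessor,
    so editing or deleting an earlier entry breaks the chain (integrity control)."""
    records: list[dict] = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = dict(record, prev_hash=prev)
        body["hash"] = _digest(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """True only if every record hashes correctly and links to the one before it."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def accesses_to(self, patient_id: str) -> list[dict]:
        """Who accessed this patient's ePHI, when, and what they did (audit control)."""
        return [r for r in self.records
                if r["patient_id"] == patient_id and r["outcome"] == "allowed"]


def request_access(log: AuditLog, user: str, role: str, workstation: str,
                   patient_id: str, action: str, authenticated: bool,
                   when: str | None = None) -> bool:
    """Access-control decision; every attempt, allowed or denied, is logged."""
    reasons = []
    if not authenticated:
        reasons.append("user not authenticated")
    if workstation not in APPROVED_WORKSTATIONS:
        reasons.append("workstation not approved for ePHI")
    if action not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"role '{role}' may not '{action}'")
    outcome = "allowed" if not reasons else "denied"
    log.append({
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "role": role, "workstation": workstation,
        "patient_id": patient_id, "action": action,
        "outcome": outcome, "reasons": reasons,
    })
    return outcome == "allowed"


if __name__ == "__main__":
    log = AuditLog()
    request_access(log, "dr.smith", "physician", "WS-ICU-01", "P-1001", "read", True)
    request_access(log, "jdoe", "billing", "WS-ICU-01", "P-1001", "read", True)
    request_access(log, "nurse.k", "nurse", "LAPTOP-HOME", "P-1001", "read", True)
    for rec in log.records:
        print(rec["outcome"], rec["user"], rec["reasons"])
    print("audit log intact:", log.verify())
```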
Physical Safeguards
Your organization must protect the physical location where ePHI is stored. This includes ensuring that the facility is secure and that access is limited to authorized individuals.
Physical safeguards include:
Workstation Use
Organizations must implement procedures to control the use of workstations that access ePHI. This includes requiring screens to be locked upon logging out or leaving a workstation unattended, as well as establishing guidelines for when computers are permitted to leave the premises.
Workstation Security
This safeguard requires organizations to protect workstations from unauthorized access, theft, and destruction. This can be done by implementing physical security measures, such as locks and passwords, as well as installing software that will help protect the information on the workstation.
Device and Media Controls
When ePHI is not being accessed, it must be secured. Devices that store or contain ePHI, such as laptops and thumb drives, must be password protected and encrypted. If the device is to be taken off-site, special precautions must be taken to protect the information.
Transmission Security
This safeguard helps protect ePHI during transmission. This includes ensuring that all transmissions are encrypted and that only authorized individuals have access to the information. Transmission security can be ensured through the use of encryption technology and secure network connections.
Audit Trails
Organizations should have procedures in place to track and monitor all activity that occurs with ePHI.
Data Backups and Data Recovery Procedures
Organizations must regularly back up their data, which will help ensure that if data is damaged or destroyed, it can be restored. These backups must also be tested and monitored to ensure they are working properly and restore any damaged data as quickly as possible.
Organizations must also have procedures in place for recovering lost or damaged data. These procedures should include contact information for individuals who can help recover the data, as well as a plan for how to proceed if the data is not able to be recovered.
Administrative Safeguards
Administrative safeguards are the policies and procedures that an organization puts in place to help ensure HIPAA compliance. These include:
Security Management Processes
Organizations must establish, document, and maintain security policies to protect ePHI. This includes how the company will monitor compliance with these policies. It should also include how it will handle incidents related to ePHI.
Workforce Security Roles, Responsibilities, and Procedures
Your organization must have an organized workforce that is aware of the policies and procedures to protect ePHI. This includes having policies for suspending or terminating employees who do not follow these procedures or laws. Using compartmentalized access will also help limit risks to ePHI.
This will help create a culture where employees can feel comfortable speaking up about any issues they may have with ePHI or security policies.
Accounting of Disclosures
Organizations must keep track of all disclosures of ePHI. This includes not only those made internally but also any third-party disclosures.
Compliance Monitoring Processes
This safeguard helps ensure organizations are following through with their security policies and procedures. This includes monitoring for compliance with the HIPAA rules as well as those set by other federal and state agencies.
Organizational Standards
Organizations should also make sure they are maintaining an environment where employees can speak up about concerns regarding ePHI or any possible violation of laws and regulations.
Employee Training and Education
Your organization must provide training to all employees on their role in protecting ePHI. This should include how to identify potential security threats and how to respond if they occur.
Business Associate Contracts
As mentioned above, it is important to have a business associate agreement (BAA) in place with any external entity that will be creating, receiving, storing, or transmitting ePHI in order to ensure they will be appropriately meeting security and privacy requirements.
Incident Response Plan
An organization must have a plan for responding to any security incidents that may occur. The plan should include steps that must be followed when responding to an incident, how they will determine if the organization needs to notify the Secretary of Health and Human Services (HHS), and who needs to be notified (i.e. affected individuals).
Here's how to perform an effective HIPAA risk assessment
A HIPAA risk assessment is the first step needed to make sure your organization is meeting the requirements for compliance. It will help identify security risks by allowing you to take a look at the physical, procedural, administrative, and technical safeguards currently in place and how effective they are at protecting ePHI.
A comprehensive HIPAA risk assessment must include:
Assessment of Threat to PHI
This section of a HIPAA risk assessment should include a list of all vulnerabilities to PHI. It should also include any threats to those vulnerabilities and how often those threats could occur.
Assessment of PHI Accessibility
Security policies that limit access to ePHI, as well as the current physical locations where ePHI is stored, are considered in this section.
Assessment of Potential Impact
What would happen if a threat to ePHI occurred? This section looks at how much harm would happen as a result and if it would be reversible. In addition, you should also consider the risks that may occur as a result of an accident or natural disaster.
Risk Management
This section includes the steps that need to be taken to reduce or eliminate any identified risks. This may include implementing security measures, developing policies and procedures, and training employees on how to properly protect ePHI.
Documentation of the assessment
Once the assessment is complete, it must be documented in order to prove that your organization has completed the required assessment.
Periodic review of the assessment
Your HIPAA risk assessment must be reviewed at least annually in order to make sure your security policies are up-to-date with current threats and that employees are properly trained on how to address them.
The common HIPAA violations you need to be aware of
Basically, a HIPAA violation is any mishandling of PHI. This can be done intentionally or accidentally, and it can range from relatively minor (such as not filing a required form) to major (such as leaking PHI online).
A HIPAA violation is subject to penalties under the civil or criminal rules, but there are several common types of HIPAA violations.
The most common type is impermissible uses and disclosures - either intentional or accidental. For example, if a nurse emails PHI to the wrong person by accident, that would be an impermissible use. On the other hand, if someone accesses PHI without authorization, that would be an impermissible disclosure.
Other common types of HIPAA violations include:
- Failing to properly safeguard PHI
- Failing to provide timely breach notification
- Improperly collecting, using, or disclosing PHI
- Fraud and abuse
The fines and penalties you're likely to face when you violate HIPAA
HIPAA fines and penalties can be civil or criminal, and they vary depending on the severity of the HIPAA violation.
Civil penalties generally range from $100 to $50,000 per violation, but they can go much higher in cases of egregious neglect or malicious intent. Criminal penalties include jail time and fines of up to $1 million.
Generally, though, HIPAA structures its penalties in a four-tiered model:
- Level 1: The covered entity was unaware of the violation and could not have prevented it. To minimize the risk of a breach, the covered entity exercised reasonable care when handling patient information. The minimum penalty is $100 per breach and can be as high as $50,000.
- Level 2: The covered entity knew of the violation but was unable to prevent it, and reasonable efforts could not have prevented it. The penalty for each violation may range from $1,000 to $50,000 based on the severity of the situation.
- Level 3: The violation was caused by the intentional disregard of HIPAA regulations. A covered entity is required to try to correct the situation. Per violation, a minimum fine of $10,000 and up to $50,000 may be imposed.
- Level 4: It's considered the most severe violation and represents deliberate neglect. In such a case, there has been no effort made to fix the problem by the covered entity. The minimum possible fine for each infraction is $50,000.
It's important to note that these fines and penalties are in addition to the cost of implementing HIPAA compliance measures. So, not only do covered entities and business associates have to worry about violating HIPAA, but they also have to worry about the financial consequences of doing so.
In addition to the fines as outlined above, covered entities and business associates may be liable for damages. If a HIPAA violation results in financial or other damages, you can be sued by affected parties.
Stay on the right side of HIPAA and maintain compliance
Complying with HIPAA is not a simple task, but if your organization is serious about it, compliance is within reach. Overall, the best way to avoid HIPAA violations is proper risk analysis.
Before you can start on that front, though, make sure everyone at your organization has a thorough understanding of HIPAA requirements. That means providing regular training and reviewing policies to ensure they're up to date.
Employees need to be aware of their responsibilities when it comes to protecting PHI. Training them on HIPAA regulations will help ensure they know how to properly handle and protect any PHI they may come into contact with.
Other things you can do include:
Backup all patient records
Having regular backups of all patient records is essential for HIPAA compliance. If an incident occurs and data is lost, you will be able to restore the information quickly and minimize the potential for harm to patients.
Have an incident response plan
A well-documented incident response plan helps your organization comply with HIPAA regulations and reduces the fines or penalties that can result from not having an appropriate plan for acting on security incidents.
Create and enforce a confidentiality agreement
All employees and contractors should be required to sign a confidentiality agreement that stipulates they will not disclose any protected health information (PHI) except as necessary for their job duties.
Use only secure methods of communication
When sending or receiving PHI, make sure you're using a secure method of communication. This includes encrypted email, password-protected file sharing, and secure messaging platforms.
Form interdepartmental teams to address privacy issues
If you have multiple departments within your organization, create interdepartmental teams to specifically address privacy issues. This will help ensure that everyone is aware of their responsibilities and that no department falls through the cracks.
Get help
If you feel overwhelmed or unsure of how to comply with HIPAA regulations, consider hiring a professional security consultant who can assist your organization in assessing the current security posture and implementing the appropriate controls needed for compliance.
That said, by implementing the above measures, your organization can greatly reduce the risk of HIPAA violations and protect patient data.