What is HIPAA Compliance?

HIPAA law was created to ensure that patient’s sensitive information is protected. Protected health information (PHI) must be secured in the form of administrative, physical, and technical safeguards. Although HIPAA regulations mandate safeguards, organizations must make the determination of what is appropriate for their organization. 

HIPAA Privacy Rule

The HIPAA Privacy Rule applies only to covered entities (CEs) as business associates (BAs) don’t work directly with PHI. The HIPAA Privacy Rule mandates that organizations must have policies and procedures in place to ensure that PHI is handled properly. The policies and procedures must be developed specifically for the organization to reflect current business practices. In addition, employees must be trained on HIPAA standards and the organization’s policies and procedures. Training must be documented with employee attestations to prove that all employees of an organization are trained annually. Employee attestations are a legal acknowledgement that the employee has read and understood all that they were trained on, and they will follow the policies and procedures. 

Covered entities must adhere to the “minimum necessary rule” which states that organizations should access only the PHI they need to perform their job functions. 

The HIPAA Privacy Rule also established patient rights in regards to their PHI:

• Notice of Privacy Practices (NPP): must be given to patients upon intake. It must be written in a clear manner that patients can easily understand. An NPP describes patient rights in terms of their PHI. An NPP also explains what a covered entity may or may not do with PHI.
• Request Access to Medical Records: patients have the right to request their medical records. Patients must fill out an authorization form to do so.
• Request an Amendment to Medical Records: the HIPAA Privacy Rule mandates that patients have the right to request an amendment of PHI when they believe there has been an error on their record. It is up to the discretion of the covered entity to determine if the record is accurate. 
• Request Special Privacy Protection for PHI: patients have the right to restrict the disclosure of PHI. However, CEs are not required to agree to the request. 
• Parents Access to Minor’s Medical Records: in most cases a parent or legal guardian can access a minor’s medical records. The HHS provides examples for situations in which parents cannot access a minor’s medical records.
• • The minor consents to care where parental consent is not required
  • A court decides that a minor must receive care
  • A parent agrees that the minor and covered entity have a confidential relationship

HIPAA Security Rule

The HIPAA Security Rule created industry standards for the handling, maintenance, and transmission of PHI. The HIPAA Security rule applies to both CEs and BAs, there must be administrative, physical, and technical safeguards implemented to secure PHI. Safeguards must ensure the confidentiality, integrity, and availability of PHI.

• Administrative: organizations must have written policies and procedures in regards to the handling of PHI that are updated regularly to reflect current business operations. Policies and procedures must be tailor-made for each organization. Employees must be trained on the policies and procedures to ensure that they are properly handling PHI.
• Physical: relate to the security of an organization’s physical site where they store or transmit PHI. Areas in which PHI is stored must be locked to prevent unauthorized individuals from accessing it. An alarm system is also recommended to secure an organization’s physical site.
• Technical: relate to the cybersecurity of an organization. It is imperative that organizations have adequate technical safeguards to prevent and mitigate the consequences of a breach. Technical safeguards may include encryption, firewalls, and data backup.

HIPAA Breach Notification Rule

Organizations that experience a breach, must report the incident to the Department of Health and Human Services (HHS) and affected individuals. Additionally, organizations must be cognizant of state breach notification laws, which are often stricter than the federal requirements.

• Meaningful Breach: affecting 500 or more individuals, a meaningful breach must be reported within 60 days of discovery. Organizations must notify the HHS, affected individuals, and the media.
• Minor Breach: affecting less than 500 individuals, a minor breach must be reported by the end of the calendar year. Organizations must notify the HHS and affected individuals.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule established that business associates must be HIPAA compliant. As part of the rule organizations must secure business associate agreements (BAAs).

• Business Associate Agreements 

Business associate agreements (BAAs) are required to be in place before any PHI can be transmitted. BAAs are legal contracts that dictate responsibilities of each party in regards to HIPAA, such as which party is responsible for breach notification. A BAA also limits the liability for parties as it states that each entity is responsible for their own HIPAA compliance. If a business associate is unwilling or unable to sign a BAA, then it is recommended that organizations choose another vendor. Without a signed BAA, covered entities are responsible if their business associate experiences a breach.

Become HIPAA Compliant

Now that we’ve covered everything you need to know about HIPAA compliance, it is important that you take the necessary steps to Achieve, Illustrate, and Maintain^TM HIPAA compliance. HIPAA compliance is a multifaceted issue that can be difficult to navigate on your own. When working on your HIPAA compliance it is best to consult an expert to ensure that you have done all that is necessary to prove your “good faith effort” towards compliance.

Do You Need Help With HIPAA Compliance?

Compliancy Group can help simplify your compliance allowing you to confidently focus on your business. Our cloud-based compliance software the Guard™ can be accessed from any device connected to the internet. In addition, the Guard stores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!