Looking for a HIPAA summary or HIPAA 101 guide?
When it comes to understanding HIPAA basics, the task can seem daunting. Reading the regulation means sorting through complex legalese, and relying on hearsay can lead to more misunderstandings than clarifications.
That’s why we’ve put together this HIPAA 101 basics guide. In this HIPAA summary, you’ll get everything you need to confidently understand the law and HIPAA compliance, in an easy-to-read format.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of national standards that health care organizations must have in place in order to safeguard the privacy and security of protected health information (PHI). PHI is any individually identifiable demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, emails, telephone numbers, full facial photos, dates of birth, and Social Security numbers.
Before we get started, let’s look at a few key definitions that relate to HIPAA basics.
HIPAA regulation outlines two types of organizations:
- Covered Entities (CE): Health care providers, health insurance plans, and health care clearinghouses. CEs are involved in the direct creation of PHI and must be compliant with the full extent of HIPAA regulation.
- Business Associates (BA): Any organization hired by a CE (or other BA) that will necessarily encounter PHI over the course of the work it has been hired to perform. Common examples of BAs include IT providers, practice management firms, physical storage providers, cloud storage providers, email encryption services, data backup services, and many others. BAs are not required to comply with the HIPAA Privacy Rule in its entirety, but must comply with the rest of the regulatory standards that apply.
Since it was first enacted in 1996, HIPAA has undergone many changes, revisions, and additions. Collectively, these have come to be known as the HIPAA Rules. The HIPAA Rules include:
- HIPAA Privacy Rule: The Privacy Rule sets national standards for the privacy, integrity, and availability of PHI. The Rule outlines safeguards that must be in place to ensure that PHI is kept private. The Rule also establishes guidelines for patients’ rights to access their medical records, in addition to uses, disclosures, and authorizations that CEs must have in place.
- HIPAA Security Rule: The Security Rule sets national standards for maintaining the security of PHI through a series of Technical, Physical, and Administrative safeguards that CEs and BAs must implement.
- HIPAA Breach Notification Rule: The Breach Notification Rule outlines the processes that HIPAA-beholden entities must follow in the event of a data breach. Depending on the number of individuals affected by a given breach, there are different timelines and notification standards that the Rule requires.
- HIPAA Omnibus Rule: The Omnibus Rule made several major changes to HIPAA regulation, specifically with regard to the role of BAs. Since the Rule first went into effect in 2013, BAs have been under regulatory obligation to become HIPAA compliant. Additionally, the Omnibus Rule set stricter rules for the execution of Business Associate Agreements, which will be discussed later in this piece.
Now that you have a sense of the foundations of HIPAA compliance, we’ll dive into what’s necessary for your practice to effectively comply with the law.
How to Become HIPAA Compliant
The first step in any effective compliance program is to execute a series of audits. These audits will give you a baseline of where your practice stands against HIPAA law.
There is no pre-defined list of audits that must be performed. However, these audits should be executed across all elements of your business to measure your compliance with the HIPAA standards. Each HIPAA Rule is composed of many HIPAA standards, each with its own implementation specifications. In order to effectively audit your business, you must use these HIPAA standards as the basis for your audits. By auditing your business against the HIPAA standards, you’ll get a sense of where your gaps in compliance are, so that you can go about fixing them later on.
Once you’ve completed your audits and identified the gaps in your current HIPAA compliance, you can begin to fix those gaps.
Remediation plans should be opened for each gap that your audits have uncovered. These must be fully documented in one central repository, with limited role-based access depending on parties involved in the remediation process. Each remediation plan must assign responsibility to someone on your staff to fix the gap, along with action items and a timeline for completion.
As your organization closes each gap, you must document the process until all gaps are closed.
Policies, Procedures, Employee Training
Policies and procedures are the cornerstone of an effective HIPAA compliance program.
HIPAA-beholden organizations are required to have policies and procedures in place that address each HIPAA standard. They’re meant to create uniform processes across all parts of your organization for handling PHI and all other HIPAA-mandated implementation specifications.
Even though the standards that each policy and procedure must address will be the same for every HIPAA-beholden entity, the actual language of the policies and procedures must be tailored to the needs of your organization. That’s why a solution like a policy binder is not considered effective for HIPAA compliance. If the policies your organization implements do not apply to the scope of your business, they will not be able to protect you in the event of a HIPAA violation.
Once your organization has implemented HIPAA policies and procedures, you must ensure that all employees have been trained on their content. To properly document that this training has occurred, your organization must have all employees sign an attestation saying that they have read and understood the content of each policy. These attestations should be in place in order to protect your organization from liability in the event that an employee causes a HIPAA violation in conflict with one of your policies.
Employee training must be executed annually. Any new employees who join your organization must be trained on policies and procedures as part of their onboarding process.
Another essential component of HIPAA compliance is understanding how to protect PHI that is being accessed by vendors. As discussed above, a BA is a vendor you hire whose job necessarily entails an encounter with PHI of any kind.
HIPAA mandates that before any PHI can be shared, your organization must execute a Business Associate Agreement (BAA) with this vendor. This applies to relationships between CEs and BAs, in addition to relationships between one BA and another (a BA of a BA is called a ‘subcontractor’ under HIPAA).
BAAs MUST be executed before any PHI can be shared. An effective BAA should state that:
- Organization 1 recognizes that they are beholden to HIPAA.
- BA of organization 1 recognizes that they are beholden to HIPAA.
- Liability in the event of a data breach belongs to the party responsible for the breach.