Looking for a HIPAA summary or HIPAA 101 guide? Start here.
When it comes to understanding HIPAA basics, the task can seem daunting. Reading the regulation means sorting through complex legalese, and relying on hearsay can lead to more misunderstandings than clarifications.
That’s why we’ve put together this HIPAA 101 The Basics guide. You’ll get everything you need to confidently understand the law, in easy-to-read guide to help you understand HIPAA compliance.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of national standards that health care organizations must have in place in order to safeguard the privacy and security of protected health information (PHI). PHI is any demographic individually identifiable information that can be used to identify a patient. Common examples of PHI include names, addresses, emails, telephone numbers, full facial photos,
Before we get started, let’s look at a few key definitions that relate to HIPAA basics.
There are two types of organizations outlined in HIPAA regulation, including:
- Covered Entities (CE): Health care providers, health insurance plans, and health care clearinghouses. CEs are involved in the direct creation of PHI and must be compliant with the full extent of HIPAA regulation.
- Business Associates (BA): Any organization hired by a CE (or other BA) who will necessarily encounter PHI over the course of the work they’ve been hired to perform. Common examples of BAs include IT providers, practice management firms, physical storage providers, cloud storage providers, email encryption, data back-up, and many others. BAs are not required to comply with the HIPAA Privacy Rule in its entirety, but must comply with the rest of the regulatory standards that apply.
Since it was first enacted in 1996, HIPAA has undergone many changes, revisions, and additions. Collectively, these have come to be known as the HIPAA Rules. The HIPAA Rules include:
- HIPAA Privacy Rule: The Privacy Rule sets national standards for the privacy, integrity, and availability of PHI. The Rule outlines safeguards that must be in place to ensure that PHI is kept private. The Rule also establishes guidelines for patients’ rights to access their medical records, in addition to uses, disclosures, and authorizations that CEs must have in place.
- HIPAA Security Rule: The Security Rule sets national standards for maintaining the security of PHI through a series of Technical, Physical, and Administrative safeguards that CEs and BAs must implement.
- HIPAA Breach Notification Rule: The Breach Notification Rule outlines the processes that HIPAA-beholden entities must follow in the event of a data breach. Depending on the number of individuals affected by a given breach, there are different timelines and notification standards that the Rule requires.
- HIPAA Omnibus Rule: The Omnibus Rule made several major changes to HIPAA regulation, specifically in regards to the role of BAs. Since the Rule first went into effect in 2013, BAs have been under regulatory obligation to become HIPAA compliant. Additionally, the Omnibus Rule set stricter rules for the execution of Business Associate Agreements, which will be discussed later in this piece.
Now that you have a sense for the foundations of HIPAA compliance, we’ll take a dive into what’s necessary for your practice to effectively comply with the law.
How to Become HIPAA Compliant
The first step in any effective compliance program is to execute a series of audits. These audits will give you a baseline of where your practice stands against HIPAA law.
There is no pre-defined list of audits that must be performed, however these audits should be executed across all elements of your business to measure your compliance with the HIPAA standards. Each HIPAA Rule is composed of many HIPAA standards, each with their own implementation specifications. In order to effectively audit your business, you must use these HIPAA standards as the basis for your audits. By auditing your business against the HIPAA standards, you’ll get a sense for where your gaps in compliance are, that way you can go about fixing them later on.
Once you’ve completed your audits and developed your gaps in your current HIPAA compliance, then you can begin to fix those gaps.
Remediation plans should be opened for each gap that your audits have uncovered. These must be fully documented in one central repository, with limited role-based access depending on parties involved in the remediation process. Each remediation plan must assign responsibility to someone on your staff to fix the gap, along with action items and a timeline for completion.
As your organization closes each gap, you must document the process until all gaps are closed.
Policies, Procedures, Employee Training
Policies and procedures are the cornerstone of an effective HIPAA compliance program.
HIPAA-beholden organizations are required to have policies and procedures in place that address each HIPAA standard. They’re meant to create uniform processes across all parts of your organization for handling PHI and all other HIPAA-mandated implementation specifications.
Even though the standards that each policy and procedure must address will be the same for every HIPAA-beholden entity, the actual language of the policies and procedures must be tailored to the needs of your organization. That’s why finding a solution like a policy binder is not considered an effective solution for HIPAA compliance. If the policies your organization implements do not apply to the scope of your business, they will not be able to protect you in the event of a HIPAA violation.
Once your organization has implemented HIPAA policies and procedures, you must ensure that all employees have been trained on their content. And in order to properly document that this training has occurred, your organization must have all employees sign an attestation saying that they have read and understood the content of each policy. These attestations should be in place in order to protect your organization from liability in the event that an employee causes a HIPAA violation in conflict with one of your policies.
Employee training must be executed annually. Any new employees who join your organization must be trained on policies and procedures as part of their onboarding process.
Another essential component of HIPAA compliance is understanding how to protect PHI that is being accessed by vendors. As discussed above, a BA is a vendor you hire whose job necessarily entails an encounter with PHI of any kind.
HIPAA mandates that before any PHI can be shared, your organization must execute a Business Associate Agreement (BAA) with this vendor. This applies to relationships between CEs and BAs, in addition to relationships between one BA and another (a BA of a BA is called a ‘subcontractor’ under HIPAA).
BAAs MUST be executed before any PHI can be shared. An effective BAA should state that:
- Organization 1 recognizes that they are beholden to HIPAA.
- BA of organization 1 recognizes that they are beholden to HIPAA.
- Liability in the event of a data breach belongs to the party responsible for the breach.
BAAs must be reviewed annually, and, if necessary, amended to account for changes in the nature of the relationship between the two entities.
Under HIPAA, CEs are mandated to perform due diligence on their BAs before executing BAAs. This entails an informal assessment of the BA’s current security/cyber-security infrastructure and their history of data breaches in order to ascertain whether or not this is a safe relationship to pursue. CEs are NOT mandated to assess or audit the status of their vendors’ HIPAA compliance.
Even with a totally effective HIPAA compliance program in place, data breaches can still occur. In that event, your organization should have processes in place to document, track, and report the breach if necessary.
As mentioned earlier, the HIPAA Breach Notification Rule sets specific standards for different types of data breaches discussed here:
- Minor Breaches: A data breach that affects fewer than 500 individuals in a single jurisdiction (i.e. – state, county, city, etc.). Individuals affected by a minor breach must be notified. All minor breaches that occur over the course of a calendar year must be reported to HHS no later than 60 days from the end of the calendar year in which they occurred.
- Meaningful Breaches: A data breach that affects more than 500 individuals in a single jurisdiction. Individuals affected by a meaningful breach must be notified. The breach must be reported to HHS within 60 days of the discovery of the breach. Additionally, depending on the scope of the breach, local law enforcement and news media may need to be notified as well.
In the event of a data breach, OCR may open an investigation into your practice. This is why having an effective HIPAA compliance program in place is so essential. Federal investigators will audit your organization’s compliance, and if you can demonstrate that you have a compliance program in place, you can show that you’ve performed your “good faith effort” toward HIPAA compliance.
The underpinning of your entire compliance program is documentation. At the end of the day, documentation is your most effective way of demonstrating your HIPAA compliance, both internally and to a federal investigator.
Every step of your HIPAA compliance program must be documented, and that documentation must be retained for six years. This documentation must be kept in a single, centralized repository so that it may be accessed by necessary personnel.
Want a Tool to Handle it All?
HIPAA regulation is designed to be handled internally by your organization. This HIPAA basics run-down can get you started. However, with day to day operational challenges keeping you busy, it’s understandable that you may need some help.
Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of HIPAA regulation.
Our ongoing support and web-based compliance app gives health care organizations the tools to address the law so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours achieve, illustrate, and maintain their HIPAA compliance!