When it comes to understanding HIPAA, a few questions come up again and again. Many providers and vendors working in the healthcare space are not fully aware of what exactly HIPAA entails. This is not at all surprising, since the HIPAA regulations were drafted so that they can apply to multiple types and sizes of healthcare businesses. That’s why we’ve put together this HIPAA FAQ.
Understanding your requirements under the law can make all the difference should you be targeted by a HIPAA audit or hacking incident, both of which can lead to reputational damage. Keep reading to check out some of the top HIPAA FAQs we receive from our clients, and from across the healthcare industry.
What kind of information is protected by HIPAA?
The information protected under the HIPAA regulation is known as protected health information (PHI). PHI is defined as any demographic information that can be used to identify a patient, classified into 18 key identifiers. Some examples include a patient’s name, address, telephone number, email address, medical records, financial information, Social Security number, and full facial photo, to name a few.
There is also what is known as electronic protected health information (ePHI), which is any PHI that is stored, maintained, transmitted, or in any way handled in a digital or electronic format.
HIPAA regulation is primarily focused on maintaining the confidentiality, integrity, and availability of PHI and ePHI.
Who needs to be HIPAA compliant?
There are several types of entities that need to be HIPAA compliant. This includes any business that works with protected health information (PHI) in any capacity. HIPAA classifies these entities into two groups, covered entities and business associates.
A covered entity (CE) is any organization that uses or creates PHI over the course of healthcare payment, treatment, or operations. That includes healthcare providers, healthcare clearinghouses, and health insurance plans.
A business associate (BA) is any organization that is hired by a CE or another BA that may have contact with PHI over the course of the work they have been hired to perform. That includes many different organizations, but some common examples of BAs include medical billing and coding services, transcription services, managed service providers, answering services, shredding companies, physical and cloud storage providers, telehealth platforms, EHR platforms, secure messaging platforms, email service providers, practice management firms, attorneys, accountants, and many more.
Both covered entities and business associates must be HIPAA compliant to protect any PHI they encounter.
How do I become HIPAA compliant?
Becoming HIPAA compliant requires that your organization address all standards identified in the HIPAA rules.
However, a good HIPAA compliance program includes more than just policies and procedures addressing HIPAA standards. The following are some of the items that an effective compliance program will address.
- Internal audits to assess the status of your compliance compared against the regulation
- Remediation plans to fix any gaps in your compliance that your audits may have uncovered
- Policies and procedures to document how your organization will address the HIPAA standards
- Annual employee training and attestation
- Documentation of your compliance program retained for 6 years
- Appointing a compliance officer, a privacy officer, and a security officer
- Vendor management and business associate agreements
- Incident management to track and report an incident, should a breach occur
What are the HIPAA training requirements, and how often does training need to be completed?
Under HIPAA, all employees must be trained annually. However, that training should be built into your onboarding process, rather than having one-off training sessions. This is to ensure that no employee is handling PHI without being properly trained on their HIPAA responsibilities first.
HIPAA training should cover:
- HIPAA 101 training
- Cybersecurity and awareness training
- HIPAA social media training
- Incident management training
- Training on all policies and procedures
- Fraud, Waste, and Abuse training (if your business bills Medicare)
What is a HIPAA risk assessment?
A HIPAA risk assessment is a requirement identified in the regulation, which allows your organization to identify potential areas of risk. These risks can manifest in physical, technical, or administrative safeguards that must be addressed to help mitigate security issues.
Is there HIPAA compliance certification?
The Department of Health and Human Services (HHS) is responsible for creating HIPAA laws, while the Office for Civil Rights (OCR) is responsible for enforcing those laws. Neither agency issues any formal certification for HIPAA compliance in any format. There is also no legitimate HIPAA compliance certification issued by third-party organizations. Any claims to the contrary are misleading.
Are all HIPAA compliance solutions the same?
No. Many HIPAA compliance solutions on the market mislead consumers into believing that they address the full extent of the regulation. However, upon closer inspection, it becomes clear that many solutions only address pieces of the regulation. You may commonly see solutions that provide some combination of HIPAA training, HIPAA policies and procedures, or security risk assessments, which market themselves as total HIPAA solutions.
Healthcare professionals and vendors should educate themselves about their HIPAA requirements, and compare the actual regulation against the marketing of these various incomplete solutions.
Only a total HIPAA solution will properly protect your organization in the event of a HIPAA audit, or even help you avoid one altogether.
Is there such a thing as “overkill” when it comes to HIPAA compliance?
HIPAA regulation sets standards for enforcement and fines. Under HIPAA, fines are levied based on the level of “perceived negligence” uncovered by federal auditors. That means that the more your organization has done to properly address and implement an effective compliance program, the better off you’ll be in the long run.
Shortcuts and piecemeal solutions will not only put your patients’ and clients’ data at risk, but they could also mean the difference between thousands (or millions) of dollars in HIPAA fines and passing your audit.
Keep in mind that the regulation requires you to make a “good faith effort” toward HIPAA compliance. That means understanding your HIPAA requirements and doing everything that is “reasonably appropriate” to mitigate your risks and become HIPAA compliant. Any efforts you take toward your HIPAA compliance must be properly documented, along with a log of any changes made to your compliance, maintained for up to six years.
When it comes to protecting your business, your reputation, and the privacy of your sensitive healthcare data, there is no such thing as “overkill.”
Are there different HIPAA requirements for different healthcare specialties?
Healthcare specialties all have the same general HIPAA compliance requirements. Though there are certain stipulations within the law which single out disclosures of psychotherapy notes in particular, all other components of the law are common, regardless of medical specialty.
I already address my cybersecurity. Does that make me HIPAA compliant?
No! Even though compliance and cybersecurity go hand-in-hand to protect your business, healthcare professionals have very different requirements when it comes to each.
Security is about mitigating the risk of a data breach caused by a malware incident, ransomware incident, or simple employee error. Compliance, however, is about meeting the requirements laid out by HIPAA.
You need both to protect your business and have peace of mind.