How Do You Become HIPAA Compliant?

When working in the healthcare industry, the question of how to become HIPAA compliant often arises. However, the HIPAA regulation is written in a way that is confusing to most healthcare professionals, without clear guidelines on what exactly needs to be done to become HIPAA compliant.

Who Needs to Be HIPAA Compliant?

Under HIPAA regulation, there are two classes of healthcare organizations that must be HIPAA compliant. These are:

  • Covered Entities: Healthcare providers, health insurance plans, healthcare clearinghouses.
  • Business Associates: Organizations or vendors contracted by a covered entity which encounter PHI over the course of the work they’ve been paid to do. Common examples include: billing companies, practice management, shredding services, IT service providers, MSPs, email encryption services, and cloud or physical storage providers.

What Does it Take to Be HIPAA Compliant?

The Department of Health and Human Services (HHS) Office of the Inspector General (OIG) released essential guidance on how to create a HIPAA compliance program. The guidance is called the Seven Fundamental Elements of an Effective Compliance Program.

The Seven Elements are the basic requirements that all effective compliance programs must address in order to adhere to the HHS Office for Civil Rights’ (OCR) strict HIPAA enforcement tactics.

  1. Written Policies and Procedures
  2. Compliance Leadership and Oversight
  3. Training and Education
  4. Effective Lines of Communication with the Compliance Officer and Disclosure Program
  5. Enforcing Standards: Consequences and Incentives
  6. Risk Assessment, Auditing, and Monitoring
  7. Responding to Detected Offenses and Developing Corrective Action Initiatives

How to Become HIPAA Compliant with HIPAA Compliance Software

Developing an effective HIPAA compliance program that addresses each of the Seven Elements is manageable with a HIPAA compliance tool in place. It’s essential to find HIPAA software that incorporates the full extent of the regulatory requirements to protect your organization from HIPAA breaches and fines.

So what does an effective HIPAA compliance program entail, and how do you become HIPAA compliant?

Self Assessments

HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant. This is one opportunity to utilize HIPAA compliance audit software.

Corrective Actions

Once you’ve identified gaps through your self-audits, you must implement remediation plans to reverse compliance violations.

Policies, Procedures, Employee Training

To avoid compliance violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards.

These policies and procedures must be regularly updated to account for changes to your organization. Annual staff training on these Policies and Procedures is required.


Your organization must document the efforts it takes to become HIPAA compliant, such as using HIPAA security software. This documentation is critical during a HIPAA investigation with HHS if you want to pass your HIPAA audit.

Business Associate Management

You must document all vendors with whom you share PHI, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of your relationships with your vendors.

Incident Management

If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets a series of national standards for healthcare information used by covered entities and business associates.

Healthcare information regulated by HIPAA is called protected health information (PHI). PHI is any demographic information that can be used to identify a patient. PHI can include a patient’s name, address, Social Security Number, insurance ID number, medical record, full facial photograph, and others.

HIPAA regulation is composed of several Rules and additional regulatory requirements that have been enacted since 1996. Here’s a HIPAA summary you can reference to understand some of the major rule changes that affect covered entities and business associates across the healthcare industry:

HIPAA Privacy Rule

The HIPAA Privacy Rule sets standards for the use and disclosure of PHI. The Privacy Rule only applies to covered entities, such as physicians.

HIPAA Security Rule

The HIPAA Security Rule sets standards for the integrity and security of PHI, including when it’s stored in an electronic format, called ePHI. The Security Rule applies to both covered entities and business associates, especially when data is in transit between two contracted organizations.

Omnibus Rule

The HIPAA Omnibus Rule made it mandatory for business associates to be HIPAA compliant, whereas previously only covered entities needed to be. The HIPAA Omnibus Rule also sets standards for Business Associate Agreements (BAAs), which must be executed between organizations sharing PHI before any information is transferred, handled, or maintained.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule sets standards for the process that covered entities and business associates must follow in the event of a breach. Minor Breaches (affecting fewer than 500 people) must be reported to HHS within 60 days of the end of the calendar year in which they occurred. Meaningful Breaches (affecting more than 500 people) must be reported to HHS within 60 days of the discovery of the breach. Additionally, patients affected by a Meaningful Breach must be notified. Depending on the scope of the breach, local law enforcement and news media must also be contacted.