What is HIPAA Compliance?
One of the most commonly asked questions we get is “What is HIPAA compliance?”
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations.
Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.
What is Protected Health Information?
Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.
PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI. ePHI is regulated by the HIPAA Security Rule, which was an addendum to HIPAA regulation enacted to account for changes in medical technology.
Who needs to be HIPAA compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
- Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
- Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.
What are the HIPAA Rules?
HIPAA regulation is made up of a number of different HIPAA Rules. The HIPAA Rules were all passed in the 20+ years that have come and gone since HIPAA was first enacted in 1996.
The HIPAA Rules that you should be aware of include:
- HIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards outlined by the HIPAA Privacy Rule include: patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure forms and Notices of Privacy Practices, and more. The regulatory standards must be documented in the organization’s HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with documented attestation.
- HIPAA Security Rule: The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any health care organization. Specifics of the regulation must be documented in the organization’s HIPAA Policies and Procedures. Staff must be trained on these Policies and Procedures annually, with documented attestation.
- HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI. The Rule differentiates between two kinds of breaches depending on the scope and size, called Minor Breaches and Meaningful Breaches. Organizations are required to report all breaches, regardless of size to HHS OCR, but the specific protocols for reporting change depending on the type of breach. The specifics of the HIPAA Breach Notification Rule are outlined in the sections below.
- HIPAA Omnibus Rule: The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was enacted in order to apply HIPAA to business associates, in addition to covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant, and also outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and business associate–or between two business associates–before ANY PHI or ePHI can be transferred or shared. The details regarding BAAs are outlined in more depth in the sections below.
What is required for HIPAA Compliance?
HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.
- Self-Audits – HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant–it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
- Remediation Plans – Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
- Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
- Documentation – HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.
- Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
- Incident Management – If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule. Specific details about the HIPAA Breach Notification Rule and explored below.
What are the Seven Elements of an Effective Compliance Program?
The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program in order to give guidance for organizations to vet compliance solutions or create their own compliance programs.
These are the barebones, absolute minimum requirements that an effective compliance program must address. In addition to addressing the full extent of mandated HIPAA Privacy and Security standards, an effective compliance program must have the capacity to handle each of the Seven Elements.
The Seven Elements of an Effective Compliance Program are as follows:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Over the course of a HIPAA investigation carried out by OCR in response to a HIPAA violation, federal HIPAA auditors will compare your organization’s compliance program against the Seven Elements in order to judge its effectiveness.
What is a HIPAA violation?
A HIPAA violation is any breach in an organization’s compliance program that compromises the integrity of PHI or ePHI.
A HIPAA violation differs from a data breach. Not all data breaches are HIPAA violations. A data breach becomes a HIPAA violation when the breach is the result of an ineffective, incomplete, or outdated HIPAA compliance program or a direct violation of an organization’s HIPAA policies.
Here’s an example of the distinction:
A DATA BREACH occurs when one of your employees has an unencrypted company laptop with access to medical records stolen.
A HIPAA VIOLATION occurs when the company whose laptop has been stolen doesn’t have a policy in place barring laptops being taken offsite or requiring they be encrypted.
Under HIPAA regulation, there are specific protocols that must be followed in the event of a data breach. The HIPAA Breach Notification Rule differentiates between two different kinds of data breaches and outlines how covered entities and business associates must respond in the event of a breach.
A Minor Breach is a data breach that affects fewer than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires HIPAA-beholden entities to gather data on all minor breaches that occur over the course of the year and report them to HHS OCR within 60 days of the end of the calendar year in which they occurred. Affected individuals must be notified that their data was involved in a Minor Breach within 60 days of the discovery of the breach.
A Meaningful Breach is a data breach that affects more than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires that Meaningful Breaches be reported to HHS OCR within 60 days of the discovery of the breach. Additionally, any affected individuals must be notified upon discovery of the breach. Local law enforcement agencies should also be contacted immediately, in addition to local media agencies in order to alert potentially affected individuals within the necessary jurisdiction.
All Meaningful Breaches that are reported to the HHS are posted on the Breach Notification Portal, or “Wall of Shame.” The HHS Wall of Shame is a permanent archive of all HIPAA violations caused by Meaningful Breaches that have occurred in the US since 2009. This searchable database is a concrete consequence of a HIPAA violation that can permanently damage the reputation of health care organizations that experience a HIPAA violation or Meaningful Breach.
In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. The $475,000 fine against Presence Health was the first in the history of HIPAA enforcement levied for failure to properly follow the HIPAA Breach Notification Rule.
Federal HIPAA auditors levy HIPAA fines on a sliding scale. Fines range between $100-$50,000 per incident depending on the level of perceived negligence. If auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical. With well over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before.
What are common HIPAA violations?
Some common causes of HIPAA violations and fines are listed here:
- Stolen laptop
- Stolen phone
- Stolen USB device
- Malware incident
- Ransomware attack
- Business associate breach
- EHR breach
- Office break-in
- Sending PHI to the wrong patient/contact
- Discussing PHI outside of the office
- Social media posts
These HIPAA violations commonly fall into several categories:
- Use and disclosure
- Improper security safeguards
- The Minimum Necessary Rule
- Access controls
- Notice of Privacy Practices
A Use and Disclosure violation occurs when a covered entity or business associate improperly distributes PHI or ePHI to an incorrect party. One example would be if a physician’s office mailed PHI to a patient’s employer without attaining proper permission from the patient. This is exactly the situation that unfolded in May of 2017 when Mount Sinai-St. Luke’s Hospital in New York City was fined $387,000. An HIV clinic within the hospital system sent a patients’ HIV status and medical records to their employer without receiving proper authorization. OCR investigated the incident and found that the improper use and disclosure of PHI constituted a HIPAA settlement and related fine.
Improper HIPAA safeguards can result in a HIPAA violation when the standards of the HIPAA Security Rule are not properly followed. In order to maintain compliance with the HIPAA Security Rule, HIPAA-beholden entities must have proper Physical, Administrative, and Technical safeguards in place to keep PHI and ePHI secure. In recent years, ransomware attacks have ramped up against targeted health care organizations. Medical data is worth three times as much as financial data on the black market, meaning that health care organizations are increasingly vulnerable to cybersecurity attacks. HIPAA security safeguards can defend health care organizations against ransomware and prevent HIPAA violations.
The Minimum Necessary Rule is a component of the HIPAA Privacy Rule that is a common cause of HIPAA violations. The Minimum Necessary Rule states that employees of covered entities may only access, use, transmit, or otherwise handle the minimum amount of PHI necessary to complete a given task. If a large portion of a patient’s medical record is exposed to a data breach because the Minimum Necessary Rule was not followed, that can lead to a violation of the HIPAA Privacy Rule and resultant HIPAA fines.
Access controls are an aspect of HIPAA regulation that limit the number of staff members at an organization that have access to PHI. Access to PHI should be limited based on the roles and responsibilities of the employee in question. If access controls are too broad, then PHI is exposed to unnecessary risk. If a health care organization experiences a data breach due to improper HIPAA access controls, that can lead to some major fines for negligence.
Having a Notice of Privacy Practices is a mandatory standard of the HIPAA Privacy Rule. Covered entities must allow patients to review and agree to their organizational Notice of Privacy Practices before beginning treatment. HIPAA regulation mandates that covered entities must have their Notice of Privacy Practices posted in plain sight for patients to review, in addition to paper copies. Common HIPAA violations can result from a covered entity’s failure to properly disclose their Privacy Practices, or a breach thereof. Under the HIPAA Privacy Rule, patients have certain rights to the access, privacy, and integrity of their health care data and PHI.