The healthcare industry is moving away from paper to computers. As a result, increasing usage of electronic patient data jeopardizes data security. To tackle this threat, the government designed a set of rules to protect the privacy of personal health information - HIPAA.
What is HIPAA Compliance?
It stands for the Health Insurance Portability and Accountability Act (also known as Kennedy–Kassebaum Act).
The document was approved by the US Congress and signed by President Bill Clinton in 1996.
HIPPA rules revamp the medical information flow. With its help, the government can identify how to protect personal health information (PHI) stored in the healthcare and insurance entities from fraud.
HIPAA outlines the lawful use and PHI disclosure. The US Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR (Office for Civil Rights ) investigates tens of thousands of HIPAA cases every year.
What is PHI?
Protected health information is the content that HIPAA tries to protect and keep confidential.
Simply put, it can be any information about the person's state of health or the provision of medical care. PHI also includes names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, to name a few.
We build custom software for healthcare and non-healthcare companies who use PHI in their business.
What is a Covered Entity?
HIPAA considers any organization that collects, creates, or transmits PHI electronically to be a Covered Entity. They can be healthcare providers or health insurance providers, or even an individual - such as doctors and nurses. Since they use and have access to PHI, the aforementioned medical staff take responsibility for the data as well.
What is a Business Associate?
Individuals that work with a Сovered Еntity in a non-healthcare space are called a Business Associate. They are just as responsible for maintaining HIPAA compliance as Covered Entities. These can be lawyers, accountants, administrators, IT professionals, and other partners who have access to PHI.
HIPAA Privacy Rule
It states that Covered Entities and Business Associates must request the minimum necessary amount of PHI and protect it.
In a nutshell, this Rule prescribes how to use, manage, and protect PHI data during the medical care provision, payment, and operations. For example, to make a PHI available to a third party, the law requires a signed HIPAA PHI Release Form for the Doctor's office to share information with them.
The full content of these Rules can be found on the Department of Health & Human Services website.
HIPAA Transactions and Code Sets Rule
This Rule delineates the way to perform electronic data interchange (EDI) in financial or administrative activities.
It requires medical and insurance providers to use standard content, formats and coding to streamline the major health insurance processes.
HIPAA Security Rule
It specifically outlines national security criteria to protect health data created, received, maintained, or transmitted electronically. This Rule describes expectations for the safeguarding of patient data.
There are 3 parts to the HIPAA Security Rule. Let's go through the HIPAA compliance checklist to see them.
This policy outlines how the organization must comply with the HIPAA. It includes:
- Security Management Process. Covered Entity must identify, analyze, and mitigate risks and vulnerabilities for ePHI.
- Assigned Security Responsibility. Covered Entity should appoint a dedicated employee to design and implement a security policy.
- Workforce Security. Procedures should identify employees who have access to ePHI. Access should be granted only to those who need it to perform their duties.
- Security Awareness and Training. Covered Entity is required to teach employees all procedures. Besides, it explains penalties to those who violate these procedures.
- Evaluation. Covered Entities must systematically evaluate their staff and standards for compliance with HIPAA.
Physical safeguards make sure data is physically protected from unauthorized use. They cover security systems and video surveillance, door and window locks, and locations of servers and computers.
It contains the following items:
- Facility Access Controls. Check and record physical access to the computers that store and process ePHI is a must. For example, it can be a lock on the server room door.
- Workstation and Device Control. It presupposes physical safeguards for all machines that access ePHI as well as devices and media like USB drives.
Technical safeguards cover ePHI protection from breaches. They consist of:
- Access Control. Covered Entities can provide access only to the users eligible to access ePHI.
- Audit Control. ePHI records analysis should be conducted to find out how the breach occurred if needed.
- Integrity. Whether a doctor deletes a record accidentally, or a hacker intentionally, a Covered Entity must be able to restore that record.
- Transmission Security. When sending data to other business partners, a Covered Entity must be able to prove that only authorized individuals accessed the ePHI. It can be an encrypted email with a private key, HTTPS file transfer, or a VPN. HIPAA doesn't impose any rules on how exactly it should be set up.
HIPAA Enforcement Rule
It explains how companies need to handle HIPAA violations. And this is not just a reprimand. When OCR receives a complaint from a person or a company, they start an investigation. If it's a Covered Entity's fault, in the first place, they have to fix the breach cause. If OCR is not satisfied with the results, it can fine the violators based on the number of records involved.
What is a HIPAA Violation?
Businesses don't want their competence and credibility to be called into question. Moreover, the failure to comply with HIPAA regulations can result in essential fines. One of the latest examples is a Health Care Provider fined by OCR for $100,000.
Even if no breach of PHI occurs, violations can result in criminal charges and civil action lawsuits. At the same time, ignorance of the HIPAA compliance requirements doesn't justify sanctions for HIPAA violations.
In essence, HIPAA Violation is a safety breach of any PHI or ePHI. The most common causes of a HIPPA violation are:
- Theft of devices storing PHI
- Hacking/ malware/ ransomware
- Office break-in
- Sending PHI to the wrong person or business partner
- PHI public discussion
- Posting PHI to social media
For those violations, there are 4 levels of fines. It can be a "Did Not Know" breach with the penalties range from $100–$50,000. For a "Reasonable Cause" fines range from $1,000–$50,000 per episode. There are two scenarios for more outrageous violations. When the organizations take steps to correct their neglectful actions, the fine is $10,000 – $50,000 per incident. If not, it will cost the company $50,000 per episode.
There's even criminal prosecution for violating HIPAA. In addition to substantial fines, it can be 1 to up to 10 years of imprisonment.
HIPAA Compliance Checklist
Here is a HIPAA Compliance Checklist for a business to get you started:
- Conductdata evaluation. Perhaps, for this task, you will have to attract an external specialist. It’s important to have all shortcomings documented.
- Address identified risks. Prioritize the solution and begin to fix it. Use security technologies to bridge the gaps in compliance.
- Implement an automatic reporting system. It will allow the documentation of ongoing assessments and establish compliance with the HIPAA safety requirements.
- Regulate violations monitoring and notification. The Violation Notification Rule requires organizations and business partners covered by the HIPAA to provide warnings if they encounter an unprotected PHI violation.
- Check your daily activity. No matter how well prepared you are, a double-check for compliance with HIPAA is a must.
Any company that deals with protected health information must ensure that all security measures are in place. HIPAA compliance standards can be compelling. If you are not sure how to handle it all on your own, here at Zfort Group, we are aware of State requirements and can help to build a proper HIPAA-compliant solution with ourAI Development Company.