Keeping up with all the niche compliance regulations is daunting and overwhelming, especially if even one small error could potentially lead to a critical financial or reputational loss. Unfortunately, when it comes to HIPAA compliance, it’s challenging to receive a clear “Yes” or “No” answer when trying to get past the very first step – whether or not you fall under mandatory HIPAA compliance in the first place.
At Scytale, we bring transparency to the murky world of compliance, because no one can afford the risk of being left in the dark. In this article, we’re going to explore HIPAA compliance and the world of Protected Health Information (PHI).
Understanding the core principles
Before you can properly determine whether or not HIPAA compliance applies to you or your organization, it’s vital to understand what the Health Insurance Portability and Accountability Act (HIPAA) is and what it was set up to protect. However, none of it will click into place unless you appreciate and acknowledge the core:
Protected Health Information (PHI). This is the crux of the topic, and if you have even an ounce of PHI filtering through your business, you’re going to want to read closely, because we’re talking to you.
Protected Health Information (PHI)
Protected Health Information (PHI) is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment. Whether it’s medical histories, insurance information, test results, demographic data, or any other information that relates to an individual’s healthcare services or coverage – it’s PHI, and it’s sacred. PHI is at the forefront of HIPAA, which has implemented the HIPAA privacy rule to protect and regulate any data that relates to:
- The health of an individual – past, present, and future
- All provision of healthcare to individuals
- The financing and payment for the provision of healthcare services
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was established to provide a national standard for the security and privacy of electronic health information for organizations working in healthcare. The main function of HIPAA, as stated earlier, is to protect, regulate, and secure the handling of PHI by safeguarding its confidentiality, integrity, and availability. To accomplish this, HIPAA consists of three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Out of the three rules, there is one that speaks to which organizations must follow the HIPAA standards – The HIPAA privacy rule. This is what we’ll look into a bit deeper to see if your organization fits the description.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was first put into effect by the US Department of Health and Human Services in 2003. Initially, it focused primarily on healthcare providers, health plans, and healthcare clearinghouses, known as ‘covered entities,’ but in 2013 the category ‘Business Associates’ joined the conversation. The Privacy Rule ensures the proper implementation of the HIPAA requirements and focuses on the safe, proper use and disclosure of protected health information. To make clear who is subject to this rule, HIPAA divides those organizations into two main categories: covered entities and business associates.
Of course, it’s worth mentioning that there are exceptions to the rule, but we’ll come to those later, as these exemptions rarely remove the need for compliance, which is what we’re actually concerned about.
So what exactly is HIPAA Compliance?
HIPAA compliance means that, as an entity, you are aware of the HIPAA regulations and rules that you’re subject to and have passed a HIPAA self-assessment or self-audit. Being HIPAA compliant also means that you are in accordance with all the data protection standards HIPAA requires and that you’ve implemented the necessary controls and policies to ensure you’re not in violation of HIPAA standards.
Who needs to comply with HIPAA anyway?
The general rule of thumb is that if you work in healthcare in any capacity and store or process PHI, you need to be compliant. However, there is a widespread misconception that compliance is limited to official healthcare organizations; this is far from the case. Many organizations are being audited and fined because they were unaware of the role they play in HIPAA compliance and how the HIPAA privacy rule applies to them. In reality, as mentioned, two main categories fall under mandatory HIPAA compliance: 1. Covered Entities and 2. Business Associates.
Within these two overarching categories, HIPAA has included various businesses that need to adhere to the compliance requirements, all based on their contact with PHI. But not to worry, we’re getting into those too.
Covered Entities: Who they are and what they do
Covered entities are all individuals, businesses, or organizations that work directly with protected health information. Organizations and individuals who are defined as covered entities (CEs) fall into three main categories:
- Healthcare providers
- Healthcare plan providers
- Healthcare clearinghouses
Each one of these three types is defined by HIPAA and is referred to as covered entities (CE). If your business type is defined as a CE, it means that you are subject to the HIPAA privacy rule and must be HIPAA compliant to lawfully align with the rights of individuals on their private health information.
Seeing as each one of these ‘covered entities’ still covers such a broad spectrum, it’s crucial to elaborate on each type of covered entity that falls under the strict regulations of the HIPAA privacy rule.
Healthcare Providers
This covered entity includes any healthcare providers who deal with electronic personal health information. Regardless of the size of your practice or organization, if you transmit PHI electronically, you need to be HIPAA compliant. The data includes the sending and receiving of any claims, benefit eligibility inquiries, or referral authorization requests. In a digital world, exceptions are few and far between, and compliance is only very rarely regarded as ‘optional’.
Healthcare Plan Providers
All healthcare insurance companies are considered covered entities. However, this category is not limited to official health insurers or plan providers only. Many business owners and organizations misinterpret this category and fail to comply with the HIPAA privacy rule. It’s important to note that the following individuals or businesses are also considered covered entities within the healthcare plan provider category:
- Employers who offer health insurance to their employees. It should be noted that if a group health care plan covers fewer than 50 individuals and is maintained and administered solely by the employer, it’s exempt from the HIPAA privacy rule and compliance is not mandatory.
- Employers who offer any medical reimbursement or an onsite clinic to their employees are covered entities.
- Health maintenance organizations (HMOs) that provide health insurance coverage are covered entities.
- Government programs that pay for healthcare are covered entities. This includes the sponsorship of military and veteran healthcare programs.
- Church-sponsored health programs are covered entities.
A Healthcare Clearinghouse
A healthcare clearinghouse acts as a middleman between healthcare providers and their insurance partners. Clearinghouses analyze and check all electronic claims and associated medical records to ensure that there are no errors, and they aid in the easy, effective, and correct processing and payment between the healthcare provider and the insurer. Because this information is considered PHI and clearinghouses possess it, they qualify as covered entities, are subject to the HIPAA privacy rule, and are therefore required to be HIPAA compliant.
Business Associates: why they need HIPAA compliance
The second category, and the one that is less frequently talked about, refers to the business associates (BAs) of covered entities. Business Associates are any person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Covered entities very rarely operate in silos and often require the assistance of business associates to carry out their daily functions.
That means that any individual or organization that falls under a contractual business arrangement with a covered entity may be subject to the HIPAA privacy rule and therefore required to be HIPAA compliant. To be specific, if a business or individual deals with any individually identifiable health information through its relationship with covered entities, it is considered a business associate under HIPAA.
Many businesses or individuals do not consider themselves BAs because they do not work within the healthcare industry – but this is where the biggest catch lies. Business associates can be anything from consulting, financial, data aggregation, management, or legal entities. Some examples of business associates include:
- Consultants who provide hospital utilization reviews
- Third-party administrators that assist health plans
- Shredding companies that handle documents pertaining to PHI
- Billing companies who work with covered entities
- Lawyers who have CEs as their clients
Exceptions to HIPAA privacy rule
Because the flow of this information is critical to ensuring high-quality healthcare, the HIPAA privacy rule has to strike a balance between protecting PHI and allowing accurate medical information to move between parties. To preserve that balance, there are exceptions to the rule.
Health and safety
In certain circumstances, exceptions are made to share PHI without a patient’s authorization. These cases include scenarios where disclosing the information is pivotal for ensuring the health and safety of the patient or individual. Nevertheless, isolated exceptions to the rule are rare occurrences within covered entities and do not serve as a quick escape from HIPAA compliance.
Don’t throw caution to the wind just yet. If your healthcare organization or practice relies solely on paper records, not only are you stuck in the stone age, but you’re also not 100% exempt from regulation. Although you might submit hard copies to a billing company or third party, if they transmit those records electronically, the HIPAA rules apply to you as well.
It sounds harsh, we know. So what happens if you make an innocent mistake?
What if your business accidentally violates HIPAA rules?
We hate to break it to you, but there is very little to no grace period when it comes to HIPAA compliance and violations, even if it’s a first offense. Violations are dealt with harshly and without financial mercy. Examples of common HIPAA violations include lack of employee training, improper disposal of PHI, unauthorized access to PHI, and failure to conduct risk assessments.
Civil violations in the lowest tier, reserved for businesses that were not aware they were violating HIPAA rules, carry a minimum fine of $100 per violation and a maximum of $25,000 for repeat violations. The maximum penalty can be $50,000 per violation, with a yearly maximum of $1.5 million. This applies only to Tier one violations and is considered the smallest and least severe penalty.
Quickfire questions: An overview of HIPAA compliance
Feeling more comfortable with the ins and outs of HIPAA compliance? If you’re still a bit foggy on whether or not your specific business needs to start the journey towards HIPAA compliance, have a look at our list of quickfire compliance questions.
1. Does HIPAA compliance only apply to healthcare industries?
No. Both covered entities and business associates are required to comply with HIPAA regulations, as long as they work with PHI.
2. What are the penalties for HIPAA non-compliance?
Fines and penalties can vary and largely depend on the type of violation that occurs, as well as the intent behind the violation. Accidental violations are less severe than violations that occur due to malicious intent. If the violation occurs where the intent is to sell or use PHI or ePHI for personal gain, the maximum fine can be up to $250,000 or up to 10 years imprisonment.
3. Will SOC 2 help me become HIPAA compliant?
SOC 2 is a great baseline for ensuring that your organization has implemented the correct foundational security controls. However, the HIPAA privacy rule will require you to add further, HIPAA-specific safeguards. If you’d like to see how SOC 2 can help you implement security controls, have a look at our article Do You Really Need a SOC 2 Report.
Convenient compliance with Scytale
If you’ve been able to identify your organization or business as a covered entity or a business associate, it’s imperative that you start the process toward HIPAA compliance. At Scytale, we ensure that there is no gray area when it comes to compliance and that includes telling you which security framework is the best fit for your business. The best way to get your answer is to start asking questions, as well as hearing it straight from our customers.