The HIPAA Bible:
Everything you need to know about HIPAA compliance

For many organizations in and around health care, HIPAA compliance is the bedrock of all internal compliance processes. Because HIPAA is a federal law, very few establishments within the health sector have the luxury of choice when it comes to this compliance. Moreover, the HIPAA Privacy Rule extends the set of organizations that are subject to it well beyond hospitals and insurers.

This means that even though businesses may not technically classify as part of the healthcare industry, they may just have to buckle in and start the journey of HIPAA compliance.

To ease you through the process and mitigate any potential ifs and buts, here’s absolutely everything you need to know about HIPAA compliance.


What is HIPAA compliance?

HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal law administered and enforced by the Department of Health and Human Services (HHS).

For the purposes of this guide, HIPAA has one core objective: safeguarding and regulating protected health information (PHI). HIPAA sets out a specific and mandatory framework for how PHI may be obtained, stored, protected, and shared.

Compliance is the measure of an organization's adherence to that framework.

HIPAA compliance is an organization's way of ensuring that it has implemented the standards and security measures needed to meet all HIPAA requirements.

Needless to say, it’s a daunting task and one that’s often filled with confusion regarding the rules and regulations for specific businesses.

So, how does the HHS know whether or not your organization is compliant? Firstly, the financial and legal risks of non-compliance are usually encouragement enough. Beyond that, the HHS Office for Civil Rights (OCR) enforces the HIPAA rules: it investigates complaints and reported breaches, conducts compliance reviews, and imposes penalties for violations.

HIPAA’s Compass: A summary of PHI

No individual or organization can implement the correct safeguards without truly understanding what it needs to protect in the first place. When discussing HIPAA compliance, one key term is the true north of all processes, rules, violations, and dictations – Protected Health Information (PHI).

HIPAA was fundamentally established to protect and regulate the proper use of PHI. PHI is individually identifiable health information, held or transmitted by a covered entity or business associate in any form or medium, that relates to an individual's past, present, or future physical or mental health, the care provided to them, or payment for that care. PHI that is created, received, stored, or transmitted electronically is called electronic PHI (e-PHI); the Privacy Rule covers PHI in every form, while the Security Rule applies specifically to e-PHI.

It is also crucial to note that PHI is not limited to clinical content (diagnoses, treatment details, test results). Identifiers held together with health information, such as names, dates of birth, contact details, and other demographic information, are part of the PHI and must be protected as such.

Are there any outliers or exceptions to what constitutes PHI?

There certainly are. Health information that has been de-identified, so that it no longer contains data that could reasonably be used to identify the individual it pertains to, is not PHI and is not subject to the Privacy Rule.

The Privacy Rule recognizes two ways of de-identifying data: the Safe Harbor method, which removes a defined list of direct identifiers (names, most geographic and date detail, contact details, account and record numbers, biometric identifiers, and similar), and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. Whichever route is taken, organizations must be able to demonstrate that the data was properly de-identified; an incomplete job is a disclosure of PHI, not an exception to the rule.
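As an added, illustrative example (not part of the original article and not Scytale's tooling), the following Python applies Safe Harbor style rules to a constructed patient record and then checks the result for anything that would still identify the individual. The field names, the sample record, the regex patterns, and the set of restricted three-digit ZIP prefixes are assumptions made for the illustration; the real restricted list is derived from census data.

```python
"""Safe Harbor style de-identification of one patient record.

Illustrative example only: the field names, the sample record, the regex
patterns and the restricted ZIP prefixes are assumptions made for this demo.
"""
import re
from datetime import date

# Direct identifiers that are removed outright (assumed field names).
DROP_FIELDS = {"name", "ssn", "mrn", "email", "phone", "street", "ip_address",
               "device_serial", "photo"}

# Identifier-shaped strings that must not survive inside free text.
PII_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-like
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),         # email address
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),     # US phone number
]

# Safe Harbor keeps only the first three ZIP digits, and even those become 000
# for sparsely populated areas. Placeholder set; the real list comes from census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

AS_OF = date(2023, 1, 1)  # reference date for age calculation (constructed)


def _age_on(today, dob):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record, today):
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                                   # direct identifier: drop it
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":
            age = _age_on(today, value)
            out["age"] = "90+" if age > 89 else age    # ages over 89 are aggregated
        elif isinstance(value, date):
            out[key] = value.year                      # other dates: keep only the year
        elif isinstance(value, str):
            for pattern in PII_PATTERNS:
                value = pattern.sub("[REDACTED]", value)
            out[key] = value
        else:
            out[key] = value
    return out


def residual_identifiers(record):
    """Post-check: list anything that would still identify the individual."""
    findings = [key for key in record if key in DROP_FIELDS]
    for key, value in record.items():
        if isinstance(value, str) and any(p.search(value) for p in PII_PATTERNS):
            findings.append(key + ":pattern")
        if isinstance(value, date):
            findings.append(key + ":full-date")
    return findings


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Example Patient",
    "ssn": "123-45-6789",
    "dob": date(1930, 5, 1),
    "zip": "10001",
    "admit_date": date(2022, 3, 4),
    "diagnosis": "example diagnosis",
    "notes": "Follow-up: call 555-123-4567 or mail patient@example.org",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, AS_OF)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The second function is the part practitioners most often skip: de-identification has to be verified, not just performed, because a single identifier left in a free-text note turns the whole dataset back into PHI.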

The main HIPAA rules

To better understand compliance, it is essential to look at which specific standards or rules organizations need to adhere to. HIPAA regulations are divided into several main rules: the Privacy, Security, Breach Notification, Omnibus, and Enforcement Rules.

Each of these rules is extensive and breaks down into many more detailed requirements. However, an overview of each rule is vital in understanding how HIPAA compliance affects your specific organization.

The Privacy Rule

First and foremost, we need to look at the rule that dictates HIPAA compliance. The key takeaway from this rule is that all organizations subject to The Privacy Rule fall under obligatory HIPAA compliance. 

Apart from determining who needs to be compliant, The Privacy Rule establishes a concrete standard that ensures organizations implement the requirements of HIPAA effectively. 

There is a popular misconception about which organizations fall under the HIPAA privacy rule. 

To clear up the confusion, HIPAA defines two categories of organization that are subject to the Privacy Rule and therefore required to become HIPAA compliant: covered entities and business associates.

Another critical objective that The Privacy Rule sets out to establish is the healthy and safe flow of information within health care systems to protect information and a patient’s health and well-being. To accomplish this, The rule strikes a balance between permitting the critical use and sharing of information while still protecting the privacy of said PHI. We explore this further under Privacy Rule Exceptions.

The Security Rule

As we know, the Privacy Rule is set out to safeguard and regulate PHI. Within the umbrella of protected health information there is a subset known as electronic protected health information (e-PHI), and the measures needed to protect digital data are very different from those that protect paper records. Hence, the Security Rule.

The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit. It is the rule that turns the Privacy Rule's protection requirements into concrete security standards for electronic systems.

HIPAA Breach Notification Rule

So, what happens in the event of a data breach involving PHI or e-PHI? That is where the Breach Notification Rule comes into effect. It sets out the procedures that both covered entities and business associates must follow when a breach occurs.

A breach is an impermissible use or disclosure of PHI under the Privacy Rule that compromises its security or privacy. When unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable, for example through encryption consistent with HHS guidance) is breached, the Breach Notification Rule requires covered entities to notify the affected individuals without unreasonable delay and no later than 60 days after discovery, to notify the Secretary of HHS, and, when more than 500 residents of a state or jurisdiction are affected, to notify prominent media outlets. Business associates must notify the covered entity of breaches they discover so that the covered entity can meet these obligations.

The HIPAA Omnibus Rule

The Omnibus Final Rule of 2013 implemented the changes made by the HITECH Act of 2009. Most importantly, it made business associates (BAs) directly liable for compliance with the applicable HIPAA rules, rather than only through their contracts with covered entities (CEs), and it extended that liability to subcontractors of business associates. The rule also specifies what a business associate relationship must look like.

This includes the required contract between CEs and BAs, the Business Associate Agreement (BAA), which ensures that covered entities and any third parties (business associates) have a written agreement to maintain PHI security and overall HIPAA compliance. This reduces third-party risk and ensures that all involved are updated on the compliance requirements.

HIPAA Enforcement Rule

The Enforcement Rule sets out how the HHS investigates complaints, determines civil money penalties, and conducts hearings for violations of the Privacy and Security Rules. In practice this is carried out by the OCR, which is responsible for investigating HIPAA complaints, conducting compliance reviews and audits, and levying fines. In the case of possible criminal violations, the OCR refers the matter to the Department of Justice.

Who needs to be HIPAA compliant?

In a space with little to no grace period when it comes to ignorance, knowing whether or not your business needs to be HIPAA compliant isn’t as straightforward as it should be. 

To ensure that you leave no room for error, here’s what you need to know about whether or not a business or organization is subject to mandatory HIPAA compliance. As previously mentioned, The Privacy Rule dictates which businesses need compliance and which don’t. 

Establishments that are required by law to comply are: 

  • Covered Entities
  • Business Associates

However, these terms can feel generic and inapplicable without context. Due to this, many organizations are being audited and fined as they failed to comply or recognize the part they play in HIPAA compliance. Fortunately, HIPAA has defined in detail which establishments are categorized under CEs and BAs and how compliance applies to them. Before we get into further detail, here’s a brief overview of who needs to be HIPAA compliant. 

Who needs HIPAA Compliance?

Covered Entities:

Health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with the standard HIPAA transactions (claims, eligibility inquiries, and the like).

Who classifies as CEs?

  • healthcare providers
  • health plans
  • healthcare clearinghouses

Business Associates:

Any person or organization outside the covered entity's own workforce that creates, receives, maintains, or transmits PHI on the covered entity's behalf, normally under a contractual agreement (BAA).

Who classifies as BAs?

Consulting, financial, data aggregation, management, legal, IT, and cloud hosting providers, among others. Subcontractors of a business associate that handle PHI are business associates themselves. It is important to note that BAs vary widely and by no means have to fall within the healthcare industry for HIPAA compliance to apply to them.

Covered Entities and HIPAA compliance

As stipulated in the Privacy Rule, covered entities include health care providers, health plans, and health care clearinghouses. To ensure correct compliance and to mitigate any risk of fines and violations, additional information on the role of each covered entity provides more clarity.

Covered Entity 1: Healthcare Providers

The Privacy Rule states that all health care providers, regardless of size, that electronically transmit health information in connection with certain standard transactions need to be HIPAA compliant. These transactions include:

  • Sending and receiving any claims
  • Any inquiries on benefits eligibility
  • Referral authorization requests.

Covered Entity 2: Healthcare Plans

The Privacy Rule establishes that all health insurers classify as covered entities. It should also be noted that compliance is not limited to commercial health insurers and includes plans run by organizations that frequently, and mistakenly, do not consider themselves to play a role in HIPAA compliance. These additional covered entities include:

  • Health maintenance organizations (HMOs)
  • Government-funded programs that pay for health care, such as Medicare and Medicaid
  • Church-sponsored health plans
  • Employer-sponsored medical reimbursement arrangements
  • Employers who provide an on-site clinic that conducts standard transactions electronically
  • Employer group health plans (a plan with fewer than 50 participants that is administered solely by the employer that established it is excluded)

Covered Entity 3: Healthcare clearinghouses

In most cases, health care organizations use clearinghouses to process claims and payments between providers and payers. Clearinghouses act as intermediaries: they receive claims and associated records, check them, and convert nonstandard data into the HIPAA standard transaction formats (or the reverse). The information that passes through a clearinghouse is e-PHI, and because clearinghouses handle it directly, they are covered entities.

If your business or organization is classified as a CE and handles PHI, HIPAA compliance is mandatory. However, if it doesn’t, that doesn’t mean you’re off the hook, as you could classify as a Business Associate.

Business Associates and HIPAA compliance

Business associates can be summed up as the idea that “it’s about who you know, not what you know.” 

To clarify, BAs include all individuals and/or businesses that create, receive, maintain, or transmit individually identifiable health information as a result of their professional relationship with a covered entity, without being part of the covered entity's own workforce.

This was confirmed in 2013 by the HHS in an attempt to mitigate any gray areas or potential risks when CEs require the assistance of third parties to carry out daily processes. It is important to keep in mind that BAs are directly liable for their own violations and face the same penalty tiers as CEs. Therefore, BAs must understand their role in HIPAA compliance to avoid any potential violations.

Business Associates include but are not limited to:

  • Hospital utilization consultants
  • Lawyers that represent covered entities
  • Shredding companies that handle documents including PHI
  • Billing companies that work with CEs
  • Third-party administrators that assist with health care plans

The benefits of HIPAA compliance

Although some organizations do not have the luxury of choice when it comes to HIPAA compliance, that does not mean that it should be considered a chore or an obligatory unbeneficial box to tick off. Compliance can also be voluntary and holds many benefits for patients and organizations. Benefits of HIPAA compliance include:

Make more, risk less

Ultimately, although protected patient information is a greater moral obligation than it is a monetary incentive, the profitability of HIPAA compliance is undeniable. Client retention is largely based on trust and whether or not clients feel comfortable handing over sensitive information.

By ensuring HIPAA compliance, CEs and BAs can better retain clients and, in turn, increase profitability. It’s also worth noting that the financial fines and penalties associated with HIPAA violations are severe and can result in financial ruin if taken too lightly. Sustainable compliance mitigates that risk.

From June 2021 to July 2022, 692 large healthcare data breaches were reported to the HHS. These breaches collectively exposed the records of 42,431,699 individuals. These are merely the ones that were reported.

Reassurance and confidence are monumental when it comes to owning an industry-leading organization. That includes staying on top of all things compliance. Clients no longer respond to organizations and businesses with a vague understanding of compliance but no proof to back it up. 

Additionally, playing compliance catch-up is time-consuming and slow but burns through resources at lightning speed. Through uncomplicated and easy automation compliance tools and partners, organizations can now spend that extra effort and time to be more proactive and intentional in other business objectives.

For covered entities specifically, patient trust is paramount in providing the best possible health care. By establishing an organizational culture that keeps patient privacy and safety culture at the forefront, CEs can safeguard PHI and improve the patient experience simultaneously.

Although HIPAA is primarily set-out to protect and regulate PHI, adherence to HIPAA laws also offers an organization a significant level of protection. It gives firm guidelines and support on how to best protect the patient, their information, the staff as well as the executives.

Unfortunately, mistakes happen, and HIPAA investigations are common. However, a documented compliance program demonstrates that the organization had the needed measures in place to protect PHI to the best of its ability. This can significantly reduce, and in some cases prevent, the penalties associated with a breach or violation.

Check yourself: HIPAA self-assessment

Confirming whether or not your organization is HIPAA compliant through a self-assessment is key to HIPAA compliance.

Unlike certain other cybersecurity regulations, HIPAA does not offer or require a formal certification. Instead, HHS oversight usually takes the form of an investigation. HIPAA enforcement is managed and overseen by the OCR, and most OCR investigations are triggered by a complaint (from a patient, a staff member, or a whistleblower) or by a breach report the organization itself has filed. The OCR has also run periodic compliance audit programs, as required by the HITECH Act, in which organizations are selected without any prior complaint. When the OCR opens an investigation or audit, your organization receives a notice announcing it and the protocols the OCR will follow.

However, self-audits are a critical process to ensure HIPAA compliance and prevent HHS OCR from getting involved.

We have said it before, but it bears repeating: an organization is either 100% compliant or not at all. Self-assessments are pivotal to ensuring that an organization meets all the requirements of HIPAA compliance.

There are three major aspects to a HIPAA compliance self-assessment:

  • Compliance with the Privacy Rule and its permitted uses and disclosures of PHI
  • Compliance with the Security Rule’s risk analysis and safeguard requirements
  • Readiness for Breach Notification Rule compliance if a data breach occurs

To ensure that CEs and BAs perform a thorough and diligent self-audit, HHS guidance encourages organizations to work from a HIPAA checklist to identify and mitigate potential vulnerabilities and risks. As best practice, an internal audit should critically analyze all company policies, controls, and practices and whether or not they meet every HIPAA requirement.

Alternatively, you can replace the all-consuming process of chasing paperwork and protocols with HIPAA compliance automation.

How does HIPAA compliance work? A step-by-step process

Before going into the nitty-gritty of how businesses become HIPAA compliant, one must understand that HIPAA is a federal law. There is no certification that declares an organization HIPAA compliant; compliance should be seen as a company culture embedded in all internal and external processes. That being said, there are six steps that ensure compliance is met.


Step One: Create internal security and privacy policies

Continuously updated security and privacy policies are vital in establishing a compliance-conscious organizational culture. This means following a proactive approach and effectively communicating security and privacy best practices to the entire team. Within these privacy policies, covered entities are required to create a Notice of Privacy Practices (NPP).

This is a document that explains, in plain language, how the organization may use and disclose PHI, the organization's duties to protect it, and the patient's rights, including the right to access and obtain copies of their medical records and to file a complaint.


Step Two: Security awareness training and risk assessments.

Skimming through compliance is not an option, and the HHS wants confirmation that all members of an organization understand the safeguards, policies, and privacy standards in place and how to apply them in their own roles. To do so, organizations must train every workforce member, refresh that training periodically (annual training is the common practice), and document completion in writing.

To ensure there are no gaps or unaddressed risks, and that your organization is complying with HIPAA standards, the Security Rule also requires all CEs and BAs to conduct an accurate and thorough risk analysis and to repeat it periodically, in particular whenever systems or operations change materially. Annual risk assessments are the widely adopted baseline.


Step Three: Implement your safeguards

The Security Rule requires specific administrative, physical, and technical safeguards that organizations need to implement to ensure compliance. Each safeguard has a subset of standards and implementation specifications.

  1. Technical Safeguards:
    The technology and related policies that control access to e-PHI: unique user identification, access limited to authorized users, encryption and decryption where reasonable and appropriate, logging of system activity, and protection of data in transit.

    Controls include: Access controls, Audit controls, Integrity, Person or entity authentication, and Transmission security.

  2. Physical Safeguards:
    These safeguards prohibit unauthorized physical access to the systems and media that hold e-PHI. This includes surveillance and secure storage of physical records and devices.

    Controls include: Facility access controls, workstation use, workstation security, and device and media controls.

  3. Administrative Safeguards:
    The policies and procedures that govern how security measures are chosen, implemented, and maintained, and how the workforce is managed in relation to e-PHI. Organizations must document all security policies, training initiatives, and incident procedures and be able to produce that evidence on request.

    Controls include: Security management process (including risk analysis), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures (response and reporting), contingency plans, evaluation, and business associate contracts (BAAs).
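The technical safeguards above are easier to reason about when seen together in code. The following Python is an added, illustrative gateway for reading e-PHI (not part of the original article and not Scytale's product) that exercises four of the five technical standards in one place: person authentication (a session token mapped to a user and role), access control (a role-based, minimum-necessary view of the record), integrity (an HMAC over each stored record that is verified on every read), and audit controls (every attempt is logged, whether allowed or denied). Transmission security is left to TLS and is out of scope. The roles, tokens, field names, the sample record, and the in-memory key are all constructed for the example; a real deployment would take the key from a key-management service and write the audit log to append-only storage.

```python
"""Illustrative e-PHI access gateway: authenticate, authorize, verify, log.

Added example, not Scytale code or HHS guidance. Roles, tokens, field names,
the sample record and the key are constructed for the demo.
"""
import hashlib
import hmac
import json
import time

# Minimum-necessary view per role (assumed roles and field names).
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis", "treatment"},
    "billing": {"patient_id", "name", "claim_codes"},
    "it_admin": set(),  # administers systems, never reads clinical content
}

# Constructed sessions: token -> (user, role). Real systems use an IdP.
SESSIONS = {
    "tok-physician-1": ("dr_lee", "physician"),
    "tok-billing-1": ("j_roe", "billing"),
    "tok-admin-1": ("sysadmin", "it_admin"),
}

INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"  # from a KMS in practice


def seal(record):
    """Attach an HMAC-SHA256 over canonical JSON so later tampering is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    mac = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"record": record, "mac": mac}


def verify(sealed):
    """Recompute the MAC in constant time; False means the record was altered."""
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


# Constructed e-PHI store holding one sealed record (not real data).
STORE = {
    "P-1001": seal({
        "patient_id": "P-1001",
        "name": "Example Patient",
        "ssn": "000-00-0000",          # never in any role's view
        "diagnosis": "example diagnosis",
        "treatment": "example treatment",
        "claim_codes": ["Z00.00"],
    }),
}

AUDIT_LOG = []  # audit controls: append-only storage in a real system


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def read_phi(token, patient_id):
    """Authenticate, authorize, verify integrity, filter to the role's view, log."""
    user, role = SESSIONS.get(token, (None, None))
    entry = {"ts": time.time(), "user": user, "role": role,
             "patient": patient_id, "outcome": None}
    try:
        if user is None:
            raise AccessDenied("unauthenticated")
        allowed = ROLE_FIELDS.get(role, set())
        if not allowed:
            raise AccessDenied("role %s has no PHI access" % role)
        sealed = STORE.get(patient_id)
        if sealed is None:
            raise AccessDenied("no such record")  # do not reveal whether the ID exists
        if not verify(sealed):
            raise IntegrityError(patient_id)
        view = {k: v for k, v in sealed["record"].items() if k in allowed}
        entry["outcome"] = "allowed"
        entry["fields"] = sorted(view)
        return view
    except Exception as exc:
        entry["outcome"] = "denied:" + type(exc).__name__
        raise
    finally:
        AUDIT_LOG.append(entry)  # logged on every path, success or failure


if __name__ == "__main__":
    print(read_phi("tok-physician-1", "P-1001"))
    print(read_phi("tok-billing-1", "P-1001"))
    print(json.dumps(AUDIT_LOG, indent=1))
```

Two design points are worth noting. The audit entry is written in a `finally` block so that denied and failed reads are recorded as faithfully as successful ones; an audit trail that only shows successes is of little use in a breach investigation. And the integrity check happens before any data is returned, so a record altered outside the application is refused rather than served.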

Step Four: Compulsory business agreements

A Business Associate Agreement (BAA) must be in effect between a covered entity and each of its business associates before PHI is shared, and between a business associate and each of its subcontractors that handle PHI.

The Privacy Rule prescribes what a BAA must contain: the permitted and required uses and disclosures of PHI, a commitment to use appropriate safeguards, an obligation to report breaches and security incidents to the covered entity, a requirement to flow the same terms down to subcontractors, and the return or destruction of PHI when the agreement ends.


Step Five: Create a designated breach protocol

Although not all HIPAA violations may result in serious repercussions, failure to report the violations dramatically worsens the situation.

As previously mentioned in the Breach Notification rule, all CEs and BAs are mandated to report a breach or violation through a predetermined protocol.


Step Six: Self-Assessment

HIPAA self-assessments are crucial: they are the mechanism by which your organization finds out whether it is HIPAA compliant before a regulator does. The responsibility for compliance rests on the organization's ability to perform a thorough self-assessment, independently or with the help of a third party.

It is important to note that an official investigation is most often prompted by a complaint or a reported breach, and an OCR audit can also be initiated without one. Diligent self-assessments reduce the likelihood that either ends badly.

Scytale

Alternatively, your organization can get rid of any confusion and lengthy processes surrounding HIPAA compliance and invest in partnering with compliance experts who guide you each step of the way. From self-assessment to staff training to industry-specific security standards –

Scytale has everything you need to become HIPAA compliant 90% faster.

The most dangerous idea when it comes to HIPAA compliance is that there is a gradient or scale to compliance. To set the record, organizations are either 100% compliant or not at all. There is no gray area.

Common HIPAA violations

HIPAA violations are very rarely isolated incidents and are more common than most organizations think. Some common situations that directly contravene the Privacy Rule and are considered HIPAA violations include:

Improper record disposal

Specific HIPAA regulations dictate the proper disposal of PHI. It’s the responsibility of the organization to ensure that all team members are updated on the proper protocol to reduce the risk of any accidental violations. To ensure compliance, many covered entities prefer to use third parties (business associates) to dispose of records to ensure compliance.

Inappropriate information sharing

Any disclosure of PHI for a purpose other than those the Privacy Rule permits counts as a direct HIPAA violation. This includes discussing a patient's information with colleagues who have no treatment, payment, or operations need to know it, and sharing it with anyone else without the patient's written authorization. Although it may seem like obvious misconduct, it is still one of the most common violations and regularly results in termination of employment or criminal charges.

Lost or stolen records and devices

If an organization fails to implement the required technical and physical safeguards and an unencrypted device holding PHI is lost or stolen, it is a HIPAA violation and a reportable breach. The OCR will want evidence that your organization implemented a reasonable minimum standard of protection; if it cannot, the covered entity or business associate is considered negligent. By contrast, a lost device whose data was encrypted in line with HHS guidance does not constitute a breach of unsecured PHI, which is why full-disk encryption on laptops and mobile devices is one of the highest-value controls an organization can deploy.

Database breaches

Organizations frequently convince themselves that data breaches aren’t applicable to them. Besides, why would they be on the radar for cybersecurity threats? 

Unfortunately, no organization is too insignificant to become a victim of database breaches. Annually, they cost the healthcare industry $6.2 billion, making technical standards a critical part of a company’s security and privacy policies.

Failure to perform frequent risk assessments

In order to stay compliant, HIPAA requires an organization-wide risk analysis. Failure to prove that one was performed before a violation or breach is taken as evidence that there was no diligence in the risk mitigation needed to stay compliant.

To learn more about HIPAA violations and its penalties, take a look here.

Are there exceptions to The Privacy Rule?

As with most rules, there are exceptions, but they are to be applied with care, as each depends on the specific circumstances of the case.

Important to note that there needs to be a balance between protecting PHI and ensuring fast-paced, uninterrupted medical care. This means that there must remain a healthy flow of information without hindering day-to-day responsibilities but most importantly, not risking any PHI.  Here is an example.

A health and safety exception

If a CE can show that disclosing PHI without the patient's authorization was necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule permits the disclosure. However, organizations must keep in mind that these are rare and isolated incidents and still undergo rigorous scrutiny.

If you are a CE or a BA and you are doubtful whether you fall under the exception or the rule, here is more on how to know if you need HIPAA compliance.

Did you know: HIPAA edition

In case we left a few questions unanswered, here’s a quick look at things you may not have known about HIPAA compliance.

Protected Health Information outlives the individual

PHI stays protected by the Privacy Rule for 50 years after a person has died. This time frame is set to protect the privacy of surviving family members while balancing the needs of archivists, biographers, and historians who may require the information for historical purposes.

Although all violations are taken seriously, there is a clear distinction between what are known as 'minor' and 'major' breaches. Major breaches are those affecting 500 or more individuals; smaller breaches are logged and reported to the Secretary annually, whereas major breaches must be reported to the Secretary within 60 days of discovery.

Commonly known as the "wall of shame," the OCR's breach portal publicizes all reported breaches of unsecured PHI affecting 500 or more individuals, including those currently under investigation, together with the breach type, the location of the information, and the number of individuals affected. The OCR states on the site that "As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals."

Did you know that organizations don’t have to settle for the constant anxiety and doubt that HIPAA compliance holds over them? Organizations can now fully rely on a HIPAA compliance tool that automates the process and assures constant compliance.

Summary

In conclusion, if your organization is a covered entity or a business associate, it’s safe to assume that the obligation of HIPAA compliance is required by law. But that doesn’t mean that your organization won’t reap the huge benefits from a secure and sustainable privacy culture surrounding PHI, as well as being able to demonstrate your HIPAA compliance to customers and prospects.

HIPAA compliance is not set on catching organizations out or setting traps in which businesses accidentally violate the rules of HIPAA. Instead, it’s focused on protecting both organizations and patients through a framework that fills all cracks and ties up any loose ends. Although it may seem daunting, you’re not in it alone. Beat the compliance learning curve by partnering with compliance partners that automate the compliance journey and ensure that there are no oversights or missed steps.

Partner up with Scytale for convenient HIPAA compliance that’s automated, simple and sustainable.
