Many organizations struggle to find a clear path to HIPAA compliance. They are constantly led off course by trying to understand the complicated terminology, policies and requirements surrounding compliance. They frequently fall short due to misinterpreted jargon or changes in policies and ‘close enough’ is becoming good enough. Unfortunately, when it comes to HIPAA compliance organizations can no longer afford to stay out of the loop and they’re either 100% compliant, or not at all.
In this article, we’re focusing on HIPAA compliance and how your organization can stay ahead of the compliance curve and ensure easy and sustainable adherence to the strict standards of The Health Insurance Portability and Accountability Act.
HIPAA 101: All the basics and terminology you need to know
Before we can guide you through the intricacies of HIPAA compliance, we’d like to start with the basics, which as you’re probably aware by now, in the world of compliance isn’t always as straightforward as you’d like it to be. Here’s our quick look-book on key terms.
| The Department of Health and Human Services (HHS): HHS is responsible for issuing HIPAA regulations and guidance. They also update the regulations periodically to adapt to changes in technology and healthcare practices. | The Office for Civil Rights (OCR): The OCR, a division of HHS, enforces HIPAA regulations. They investigate complaints, conduct compliance reviews, and provide education and outreach to foster compliance. |
| HIPAA: HIPAA stands for The Health Insurance Portability and Accountability Act (HIPAA) and is the bedrock for both regulatory compliance and healthcare cybersecurity. It’s a federal law that regulates and safeguards protected health information through a set of standards. To simplify, HIPAA is the health information police and was set out to protect any and all personal information about a person’s health and how this information is stored, protected and shared. | Protected health information: Protected health information is what HIPAA was fundamentally created to protect. This includes any individually identifiable health information from the past, present or future. If the information refers to the healthcare data or payment of healthcare data -it’s PHI and it’s protected by HIPAA. |
| HIPAA Privacy Rule: The HIPAA Privacy Rule was implemented to establish a concrete standard for the protection of specific health information. The Privacy Rule contains strict guidelines to ensure that the requirements of the HIPAA are being met and implemented effectively. The Privacy Rule furthermore dictates which organizations need to be compliant and which do not. | HIPAA Security rule: Within the Privacy Rule, there is a subset of information known as e-PHI. This describes all electronic protected health information. The security rule was implemented to address the safeguards that organizations must have in place in order to effectively adhere to the privacy rule’s regulations around e-PHI. By following the HIPAA Security Rule, you’ll be able to implement the correct security protocols to comply with the Privacy Rule. |
| HIPAA Breach Notification Rule: This rule is a set of required standards that covered entities and business associates must follow in case of any data breach that contains PHI or e-PHI. | The HIPAA Omnibus Addendum: This ensures that specific HIPAA regulations apply to business associates as well as covered entities. It outlines the specifications, restrictions and rules surrounding agreements between CEs and BAs and ensures all parties are compliant. |
How to know if you need HIPAA Compliance
One of the first and most common misconceptions about HIPAA is that it only applies to healthcare professionals. In reality, any entity that handles PHI, including vendors or subcontractors who have access to PHI through a covered entity, is subject to HIPAA regulations.
There are two main categories that need to be compliant with HIPAA regulations that have been established by HIPAA’s Privacy rule, covered entities and business associates.
Covered entities include healthcare providers, healthcare plan providers and healthcare clearinghouses. Business associates refer to all organizations that work with covered entities and have direct or indirect exposure to PHI.
If you’re uncertain whether or not your business is subject to the HIPAA Privacy Rule, or if your business should be compliant or not, don’t take the risk of not knowing – read our blog here about How to Know if You Need HIPAA Compliance
What is HIPAA compliance?
In a broader sense, HIPAA compliance is your organization’s way of knowing that you’re in the clear when it comes to all the various rules and regulations that you’re subject to according to HIPAA. However, vague and ambiguous generalizations have caused the dark pit of complicated compliance we find ourselves in today, so what does it really mean to be HIPAA compliant?
It’s important to note that one cannot become ‘certified’ in HIPAA and there is no certification body. The reason for this is that HIPAA is a federal law. Sure, the OCR enforces this law and can heavily fine organizations who violate it but they do not hand out gold stars or certifications for those who are HIPAA compliant (that would be great.)
While there is no official HIPAA certification, organizations can undergo third-party assessments to evaluate their compliance with HIPAA regulations.
What the OCR is looking for is proof that:
- You’ve established an organizational culture and structure that protects the privacy, integrity and security of protected health information.
- You’ve integrated the technical and nontechnical security protocols required by The Security Rule to protect PHI and ePHI.
- You’re in adherence to the four major HIPAA rules.
The rules and regulations: A quick overview
The Privacy, Breach Notification, Omnibus and Security rules of the HIPAA are extensive and cover multiple smaller branches of HIPAA compliance and how it relates to specific organizations.
To ensure that you’re on the right track, the most basic and general rules are a good place to start. These rules include but are not limited to
- Ensuring confidentiality, integrity and availability of all e-PHI that enters or exits the organization
- The correct protocols in the event of a data breach
- The correct contractual set-up between covered entities and business associates
- Enforcing and ensuring compliance by the entire workforce
- Protection against any anticipated prohibited uses or disclosures
- Frequent risk assessments and internal protocol analysis
How to become HIPAA compliant?
As we’ve made clear, HIPAA compliance isn’t just a quick course or checklist you can complete and you’re good to go. Compliance is essential in every aspect of your business and should be an ongoing process. To ensure that you meet all the HIPAA requirements to become compliant, it’s essential that your business utilizes a combination of internal processes, technology and compliance support. There are a few core principles that your organization can implement to start the journey to compliance.
Develop and implement strong cybersecurity policies
To ensure HIPAA compliance, it’s important to take a holistic approach. This means implementing company-wide cybersecurity policies and procedures.
HIPAA training
We might sound like a broken record, but anything worth repeating is worth over-repeating. Your team is your first line of defense and should be trained and equipped to recognize and mitigate any threats or HIPAA violations. Ongoing training is essential as HIPAA regulations and cybersecurity threats evolve. Employees should be regularly updated on new policies and best practices.
Analyze violations
Violations are more common than organizations would like to admit. If there is cause for concern, be sure to have processes in place that can investigate, analyze and mitigate the root cause so it doesn’t happen again.
Annual risk assessments
All covered entities should conduct annual HIPAA risk assessments to ensure that there are no weak links or violation risks. The assessment ensures sustainable compliance and will help your organization take a proactive approach instead of doing damage control. Risk audits should include technical, administrative and physical security controls put in place to achieve compliance.
Now that you know what to do let’s focus on what you may be overlooking.
Common HIPAA compliance violations
HIPAA violations come in various forms and are more frequent than you think. Some common HIPAA violations include:
Sneak-peeks and snooping
Any access given to healthcare records for reasons other than stated in the Privacy Rule is a direct HIPAA violation. Any and all medical records may not be shared with people without authorized consent from the patient. It may seem obvious, but this is
one of the most common violations that occur within covered entities and these violations usually lead to termination of employment or a criminal charge.
Failure to perform risk assessments
Organization-wide risk analysis is one of the requirements for HIPAA compliance. Failure to do so implies negligence and leads to financial penalties.
A non-encrypted lost or stolen device
This violation often occurs due to a lack of physical and technical safeguards and includes theft and loss of unencrypted laptops, weak password encryption or not meeting the minimum necessary standard of safety.
Improper record disposal
When it comes to the disposal of PHI, there are specific HIPAA regulations that come into play. All team members must be properly educated on the proper disposal protocol to minimize the risk of HIPAA violations. Many covered entities use third parties such as shredding companies to properly dispose of their records, making these companies business associates and subject to HIPAA compliance as well.
Database breaches
Annually, they cost the healthcare industry $6.2 billion. No organization is invincible or off-radar when it comes to data breaches, and implementing the right security controls is vital and should be embedded into your company’s DNA and culture.
Why is HIPAA compliance a must for your company?
We could wax on about the various benefits of being HIPAA compliant, but at the end of the day, if you’re looking for a straightforward answer, here it is: It’s the law. If your organization is a covered entity or a business associate, you are required by law to become HIPAA compliant. If you decide to take a chance and leave it at the bottom of your priority list, you’re in for some hefty fines and possible criminal charges.
However, if the law isn’t motivating enough, other benefits include:
Develops patient safety culture
Safeguarding PHI is critical in ensuring trust of patients. By being critically aware of the importance of PHI, you’re creating an organizational culture that prioritizes patients’ health information.
Improve client trust and retention
One of the quickest ways to lose a client is by making them feel as if you cannot be trusted with their private health information. By staying HIPAA compliant, you’re proactively ensuring that any and all information is being protected by effective security policies and controls. With trust comes loyalty, and with loyalty comes greater client retention and referrals.
Gain a competitive advantage
Working with a compliant partner creates reassurance and confidence that your organization is on top of all things compliance. Clients appreciate organizations who know their story and are backed by intentional differentiators between them and their competitors who are playing compliance catch-up.
SOC 2 compliance is a great starting point to ensure you’re on the right track
At Scytale, we don’t believe that there’s a shortcut to compliance, it takes consistency, dedication and core change from within a company to become compliant and stay compliant. The good news? It can now be quick, effective, uncomplicated and easy. Take a look at what some of our customers have to say about getting compliant with the help of our automation tool.
