The Security Rule issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines standards to protect individuals' electronic protected health information (ePHI). Any individually identifiable health information, such as lab results, medical bills, health records and histories, and so forth, is protected health information (PHI) once a covered entity is in the picture.
The covered entity may be a healthcare provider, a healthcare clearinghouse, or a health plan. Any of these may create, receive, maintain, or transmit such health information.
Although HIPAA has been law since 1996, many companies still need to develop a more robust IT and compliance strategy. Since 2016, the Office for Civil Rights has run an initiative to investigate more thoroughly the "small" breaches, those affecting fewer than 500 individuals, which previously were rarely examined.
Small breaches are common at organizations of all sizes, a point that many still fail to appreciate. So, does your business need to be HIPAA compliant?
Does Your Business Need to Be HIPAA Compliant?
Companies that handle PHI, or that collaborate with organizations in healthcare, need HIPAA compliance. A business should also be able to show that it has adequate protections for PHI, so that it can handle client data safely and securely.
Strictly speaking, however, most HIPAA requirements apply to covered entities. Covered entities include many kinds of healthcare organizations and individuals:
#1 Healthcare Providers
Healthcare providers include doctors, pharmacies, psychologists, nursing homes, and other providers. These groups become covered entities only if they transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility checks, referral authorizations, and so on).
#2 Health Plans
This second group covers employer health plans, health insurance companies, health maintenance organizations (HMOs), and government programs that pay for healthcare, such as Medicaid, Medicare, and military and veterans' health programs.
#3 Healthcare Clearinghouses
This group comprises organizations that process non-standard health information received from another entity into a standard format or standard data content, or that perform the reverse operation, such as billing services and repricing companies.
The law also permits covered entities to share PHI with business associates, provided a contract (a business associate agreement) defines how each business associate will handle the data. The contract must also require the business associate to protect the privacy and security of the specific PHI it receives.
Business associates are themselves directly responsible for complying with specific HIPAA provisions, including the Security Rule.
HIPAA Auditing and Enforcement
The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for auditing organizations to ensure they comply with HIPAA. The first step of the second phase of the OCR audit program was collecting and verifying covered entities' contact details.
OCR then sent out questionnaires about the size, type, and operations of each covered entity. The responses were used to build pools of potential organizations to audit, and auditees were then selected at random from those pools.
Key HIPAA Requirements
Covered entities must comply with three main rules. HIPAA-compliant companies have the controls and safeguards in place that enable them to meet all three:
The Privacy Rule
The privacy of PHI is central to HIPAA. The Privacy Rule sets standards to protect medical records and other protected health information, and it defines the limited circumstances in which PHI may be used or disclosed without the patient's authorization.
The Privacy Rule also gives patients the right to inspect and obtain a copy of their health records and to ask providers to correct details in their PHI.
The Security Rule
Businesses that HIPAA covers must implement security standards to protect electronic protected health information (ePHI). The standards cover all the ePHI that the covered entity (and its business associates) create, receive, maintain, or transmit.
According to OCR, the Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. Even so, businesses frequently fall short of satisfying this rule.
Prompt Notification in the Event of Breach of Unsecured Protected Health Information
The defenses the Security Rule demands help organizations avoid breaches. If a HIPAA-covered organization nevertheless suffers one, it must notify specific parties depending on the scope and type of breach: the affected individuals, the Secretary of HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. Breaches affecting fewer than 500 individuals may be reported to HHS annually; larger breaches must be reported without unreasonable delay and within 60 days of discovery.
A breach is a use or disclosure not permitted under the Privacy Rule that compromises the privacy or security of the PHI. Breaches are not only the result of hacking or malware; by this article's figures, those two account for 23 percent of HIPAA compliance issues. Employees may also disclose information improperly or expose it to unauthorized users, and lost or stolen unencrypted devices are a recurring cause.
Easy Ways to Initiate Successful HIPAA Compliance
The HIPAA Security Rule has three parts: administrative safeguards, physical safeguards, and technical safeguards. Each contains implementation specifications, and each specification is either required or addressable.
An addressable specification is not optional. It means that the implementation is flexible: the organization must assess whether the specification is reasonable and appropriate in its environment. If it is, the organization implements it; if it is not, the organization may implement an equivalent alternative measure, or, where no alternative is reasonable either, choose not to implement it.
In either case it is essential to document the decision and the reasoning behind it, and to be ready to defend that reasoning during an audit.
#1 Technical safeguards
Technical safeguards cover the technology a business uses to protect ePHI and to control access to it. The Security Rule is technology-neutral: an organization should choose the mechanism it judges most appropriate for each specification. The practical exception is encryption of ePHI. Although encryption is formally an addressable specification, ePHI encrypted in line with HHS guidance counts as "secured," so its loss does not trigger breach notification, which makes encryption the expected default.
Companies commonly fail to:
- Implement an access control mechanism
- Introduce a mechanism to authenticate ePHI (integrity controls) and to verify the identity of users and systems
- Implement encryption and decryption tools
- Use audit controls and activity logs
- Ensure computers and other devices log off automatically
#2 Physical safeguards
HIPAA physical safeguards deal with the locations where ePHI is stored and accessed. This may be cloud-based storage, a data center, a facility belonging to the covered entity, or another location.
Physical safeguards set standards for protecting those locations, the workstations within them, and the devices and media that hold ePHI.
Companies commonly fail to provide:
- A detailed hardware and media inventory, including disposal and re-use procedures
- Adequate facility access controls
- Policies for workstation use and positioning
- Policies and procedures for mobile devices
#3 Administrative safeguards
Administrative safeguards are the policies and procedures that govern how a company conducts itself. They tie the Privacy Rule and the Security Rule together into one set of actions and policies. HIPAA requires a designated security official and a designated privacy official who are responsible for developing and implementing these safeguards (they may hold other duties as well).
Again, companies commonly fall short of full compliance in the following areas:
- Improving employee security awareness through training
- Performing risk assessments
- Implementing a robust risk management policy
- Restricting third-party access
- Reporting security incidents
- Working out a contingency plan
- Testing the contingency plan to expose any weaknesses
While HIPAA concerns a specific kind of information, the controls and safeguards for protecting ePHI are similar to those in other cybersecurity frameworks. A comprehensive, secure information management program such as HIPAAReady can therefore serve as a useful reference and foundation for meeting HIPAA requirements. It centralizes all the relevant information and simplifies compliance by reducing the administrative burden. Ensure your company passes routine HIPAA audits with HIPAAReady.