Healthcare information is always sensitive. A patient's record often contains family medical history and financial details, which makes it more critical still. This sensitivity is a large part of why the Health Insurance Portability and Accountability Act (HIPAA) was introduced.
HIPAA compliance is adherence to the physical, administrative and technical safeguards outlined in HIPAA, which covered entities and business associates must uphold to protect the confidentiality, integrity and availability of Protected Health Information (PHI).
The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is a series of regulatory standards that define the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR).
The OCR plays an important role in maintaining HIPAA compliance in healthcare, both by issuing routine guidance on new issues affecting the sector and by investigating common HIPAA violations. Through a series of interlocking regulatory rules, HIPAA helps organisations protect the privacy, security and integrity of protected health information.
Protected Health Information (PHI) is individually identifiable health information: health, treatment or payment data combined with identifiers that can be tied to a patient or client. The identifiers include names, addresses, phone numbers, Social Security numbers, medical record numbers, financial account information, full-face photographs and similar data. PHI that is created, stored, transmitted or accessed electronically is known as ePHI and is the subject of the HIPAA Security Rule.
HIPAA was originally introduced to reform the health insurance industry. Fraud and abuse in healthcare accounted for a sizeable portion of total healthcare spending, and as the volume of patient medical and payment information transmitted electronically grew, it became essential to set standards that ensure the confidentiality, integrity and availability of that data. The statute's Administrative Simplification provisions directed HHS to adopt such standards, which took the form of the HIPAA Privacy Rule and Security Rule. The critical goals of HIPAA are
1. Privacy of health information
2. Security of electronic records
3. Administrative simplification
4. Insurance portability
The organisations that need to be HIPAA compliant are broadly categorised into two types.
1. Covered Entities - As defined by the HIPAA regulations, health care providers that transmit health information electronically in connection with a HIPAA standard transaction, health plans (health insurance providers) and health care clearinghouses.
2. Business Associates - Any organisation that creates, receives, maintains or transmits PHI over the course of work it has been contracted to perform on behalf of a covered entity. A vast range of service providers may handle, transmit or process PHI: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants and many more.
These rules and regulations provide guidance on the permitted uses and disclosures of PHI, on securing PHI and on handling PHI breaches. The major rules are
* HIPAA Security Rule (2003)
This outlines the requirements for the protection of ePHI by specifying technical, physical and administrative safeguards. It applies to both covered entities and business associates. How the organisation meets each requirement must be documented in its HIPAA policies and procedures, and the workforce must be trained on those policies and procedures.
* HIPAA Privacy Rule (2003)
This rule sets the standards for how PHI may be used and disclosed and for patients' rights over their PHI. It applies directly to covered entities; business associates are bound to its relevant provisions through their Business Associate Agreements and, since the Omnibus Rule, are directly liable for certain of its requirements. The regulatory standards must be documented in the organisation's HIPAA compliance policies and procedures, and all workforce members must be trained on them (annual refresher training is common practice).
* HIPAA Breach Notification Rule (2009)
This contains the standards that covered entities and business associates must follow in the event of a breach of unsecured PHI. Notification requirements scale with the size and scope of the breach: affected individuals must always be notified, HHS must be notified (immediately for breaches affecting 500 or more individuals, otherwise in an annual log), and for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets must be notified as well.
* HIPAA Omnibus Rule (2013)
This rule, which implements the HITECH Act, makes business associates directly liable for HIPAA compliance and requires them to follow all obligations set out in their Business Associate Agreements (BAAs).
HIPAA sets out a programme of activities that every covered entity and business associate must address
1. Self-audits - The entity or associate must conduct annual audits to assess the administrative, technical and physical gaps in its compliance with HIPAA.
2. Remediation Plans - Remediation plans must be implemented for the gaps identified by the self-audits, and both the plans and their progress must be documented.
3. Policies, Procedures & Employee Training - Policies and procedures corresponding to the HIPAA regulatory standards must be developed and updated at regular intervals. Staff must be trained on them annually, with documented attestation that each staff member has read and understood every policy.
4. Documentation - The organisation must document everything it does to become and remain HIPAA compliant, because that documentation is the primary evidence examined during a HIPAA investigation.
5. Business Associate Management - Covered entities and business associates alike must document every vendor involved in handling PHI and execute a BAA with each of them. BAAs must be reviewed annually and updated to accommodate any changes.
6. Incident Management - There must be a process to document each breach and to notify affected patients about their compromised data in accordance with the HIPAA Breach Notification Rule.
A HIPAA violation is a failure to comply with any provision of the HIPAA Rules, and there are many areas in which the Rules can be violated. Some of the violations most commonly discovered by OCR during investigations are
1. Risk Analysis Failures - Failure to perform a comprehensive, organisation-wide risk analysis. Covered entities and their business associates must conduct a regular risk analysis to identify risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
2. Risk Management Failures - Every risk identified during the analysis must be subject to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level.
3. Lack of Encryption or Alternative Safeguards - Encryption of ePHI is an addressable implementation specification: it must be assessed and implemented where reasonable and appropriate, and where it is not, the reason must be documented and an equivalent alternative safeguard put in place. Failing to do either leaves the confidentiality and integrity of ePHI unprotected.
4. Security Awareness Training Failures - A security awareness training programme must be provided regularly to all members of the workforce.
5. Improper Disposal of PHI - PHI that is no longer needed, whether on paper or on electronic media, must be disposed of in a manner that renders it unreadable, indecipherable and impossible to reconstruct.
6. Impermissible Disclosures of PHI - Any disclosure of PHI that is neither permitted nor required by the HIPAA Privacy Rule, for example a disclosure without a valid patient authorisation.
7. Failure to Adhere to the Minimum Necessary Standard - Covered entities must limit uses, disclosures and requests of PHI to the minimum necessary to accomplish the intended purpose, and restrict workforce access to PHI accordingly.
8. Failure to Provide Patients with Copies of PHI on Request - Patients must be allowed to inspect their protected health information and obtain copies of it on request, within the timeframe set by the Privacy Rule (30 days, with one 30-day extension).
9. Failure to Enter into a Business Associate Agreement - A BAA must be in place with every business associate, setting out its responsibilities for safeguarding PHI.
10. Failure to Issue Breach Notifications Promptly - Breach notifications must be issued without unreasonable delay and in no case later than 60 days from the date the breach is discovered.
HIPAA protects the security of patients' healthcare information while still allowing that information to flow to the providers who need it. Managing data security and maintaining compliance has added cost for the healthcare sector, but non-compliance is costlier: the Office for Civil Rights can issue fines, and an avoidable data breach can lead to considerable financial penalties and more. It is therefore essential that organisations and their business associates understand HIPAA. To adhere to it, an organisation must compile privacy and security policies for its employees and develop a sanctions policy, as HIPAA requires.
HIPAA addresses the digitalisation of medical records and specifies the measures that must be adhered to. The move to electronic records was later reinforced by the HITECH Act of 2009, which strengthened HIPAA's enforcement and breach notification provisions and brought it up to date. HIPAA compliance is an ongoing exercise, and professional advice is recommended, since ignorance of HIPAA is not an adequate excuse for non-compliance.
HIPAA is not a simple law to comply with and must be taken seriously; taking legal advice is a sound move. Some security tips for HIPAA compliance from experts in the industry are as follows
1. Secure data with the required rules and with authorised, individually identifiable logins
2. Monitor controls by reviewing the logs those logins generate
3. Assess your access controls at every layer, including the network and the software
4. Carefully manage the business associates that work with PHI
Any healthcare organisation and its business associates must take the HIPAA Rules seriously and adhere to them continuously. Taking expert advice and keeping staff up to date with regular training will further strengthen the effort to follow the HIPAA Rules properly. If you need more clarification on the HIPAA Rules or assistance implementing HIPAA compliance in your organisation, contact our HIPAA experts.