The cornerstone of privacy and security in the healthcare industry is HIPAA. If you are part of the healthcare or health-tech industries, you know that your product or company needs to comply with the HIPAA compliance framework. It’s not optional; it’s US federal law. But how do you get HIPAA-certified? Do all companies in the healthcare sector need to be HIPAA-compliant? And what can happen if you are not compliant?
In this blog, we explore these questions and more so that you can have a basic understanding of this popular compliance framework. Well, let’s get into it!
What is HIPAA?
First up, let’s get the most basic information out of the way. So what is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, which was signed into US federal law in 1996 by President Clinton.
The overarching purpose of HIPAA is to keep patients’ protected health information (PHI) — any individually identifiable health information such as names, email addresses and SSNs — safe and secure. HIPAA was enacted to increase the portability and accountability of health insurance coverage for employees who switch jobs, as well as to provide coverage for people with pre-existing medical conditions and to streamline health insurance administration. It is critical to understand HIPAA and how to stay compliant with its standards if your organization operates in the healthcare industry or is a supplier to that industry and has access to PHI.
HIPAA embraces three key rules: the security rule, the privacy rule, and the breach notification rule. Each of these rules covers a variety of standards meant to ensure PHI remains secure and private. If there is a security breach or other unauthorized PHI disclosure, prompt notification must be provided to the Department of Health and Human Services (HHS), patients, and in some cases the media.
The Security Rule of HIPAA Compliance
HIPAA provides a comprehensive set of regulations, the most important of which is the Security Rule. This rule establishes protections to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule outlines three types of safeguards that must be in place for an organization to be in compliance with HIPAA: administrative, physical, and technical.
Administrative safeguards
Administrative safeguards include risk analysis as part of a company’s security management processes: determining the probability and impact of potential risks to ePHI, implementing security measures to address the identified risks, documenting the security actions taken, and maintaining ongoing and appropriate safeguards. They also include appointing a designated security official or team to oversee HIPAA security policies and procedures, implementing role-based access to ePHI, providing employee training, and regularly assessing how well the company’s policies and procedures adhere to the Security Rule.
Physical safeguards
To protect ePHI, policies should be in place for limiting and managing physical access to facilities while still allowing authorized access. Policies and procedures should also govern access to and use of workstations and electronic media, and must cover the transfer, removal, disposal, and reuse of electronic media.
Technical safeguards
Technical safeguards include ePHI access control policies; audit controls for recording and examining access and activity in systems that interact with ePHI; integrity controls to ensure and confirm that ePHI is not improperly altered or destroyed; and transmission security measures to protect ePHI against unauthorized access while it is being transmitted over a network. These are just a few examples.
Which organizations need to comply with HIPAA?
HIPAA applies to two kinds of organizations.
First, there are covered entities (CEs). These are people and organizations that directly create PHI, such as doctors, clinics, and hospitals. Health insurance firms and health care clearinghouses, which handle health information, are also covered entities.
Second, there are Business Associates (BAs). People or businesses who provide services to a CE involving the use or disclosure of protected health information are business associates. These can include a vast range of firms providing services such as claims processing, telemedicine communications services, data processing and backup, and mobile health applications. Every BA must execute a Business Associate Agreement (BAA) with the CE to which it is providing services, which must be reviewed annually.
Relevance of HIPAA Compliance
Before HIPAA, there was no single common group of security standards and practices to protect confidential patient information. HIPAA established rules to ensure that healthcare institutions are actively securing data and protecting patient privacy, as well as to impose penalties for those who do not comply with the law.
In the years since HIPAA went into force, technology has evolved to make way for countless improvements in healthcare IT. Notably, paper records have given way to electronic records for everything from patient clinical records to billing.
Digitization of healthcare-related information has made the diligent protection of patient PHI increasingly important. As ever greater quantities of such data flow through the many computerized systems of covered entities and their business associates (electronic health records, pharmacy and laboratory information systems, and so on), the number of vulnerabilities that can lead to security breaches grows. Firms must be able to adopt new technologies while preserving the safety and security of patient PHI.
To ensure HIPAA compliance, your company should develop and implement a comprehensive data protection strategy that addresses all aspects of HIPAA compliance while ensuring the security and privacy of PHI. This is fundamental to maintaining the trust of patients and those with whom you do business.
When Does a HIPAA Violation Occur?
A HIPAA violation occurs when a rule or standard of HIPAA is not followed.
Here are a few examples of control failures connected to the most common HIPAA violations:
- Disclosure of PHI to a third party, without a signed Business Associate Agreement
- Failure to remove access to PHI when it is no longer required
- Patient information being stolen
- Using PHI incorrectly
- Failure to carry out a thorough risk assessment
- Lack of documented HIPAA compliance training for all relevant employees
- Failure to execute a Business Associate Agreement with every BA
Violation Tiers of HIPAA
The degree of the offense determines the penalty that an organization will face. Significant offenses, especially those that have been permitted to continue for an extended length of time, result in a range of financial penalties. Penalties can be divided into four categories:
- Tier 1: These infractions are not deliberate. The person or entity in question may not have been aware that they were in violation. Penalty: A minimum fine of $100 per infringement is imposed, with a maximum fine of $50,000.
- Tier 2: These violations are not deliberate, but they are cases where the individual should have been aware of the offense prior to it occurring. Penalty: $1,000 minimum fine for each offense, with a maximum fine of $50,000.
- Tier 3: The action is negligent in this category. The individual or entity is aware of the infraction and must act quickly to mitigate the consequences. Penalty: Minimum fine of $10,000 per violation, with a maximum fine of $50,000.
- Tier 4: These offenses are intentional or negligent, and there was no attempt to safeguard information or to address the infraction. Penalty: A minimum fine of $50,000 is imposed for each infraction.
The majority of the time, the solution to a violation is to amend the offending policy or procedure and/or create a plan to become compliant within 30 days.
HIPAA requires that CEs perform regular self-audits to assess their compliance. This process involves performing risk assessments to identify any compliance gaps, which in turn need to be promptly resolved. Records of such assessments, and of the steps taken to fix the gaps identified, need to be centrally maintained.
CEs must also vet the BA suppliers with whom they do business, not just when the BA agreement is signed, but also on an ongoing basis.
Many organizations go beyond self-audits to engage an independent auditor to perform risk assessment and review documentation which shows the organization’s policies, processes for identifying compliance gaps, and evidence that steps have been promptly taken to plug those gaps. Such external audits have greater credibility than self-audits alone.
HIPAA Compliance with Akitra
We know, we know… it can all be a little daunting. But don’t worry, Akitra provides a compliance automation platform, Andromeda Compliance, to guide you through the compliance process.
Akitra provides a comprehensive suite of HIPAA policies and controls to provide a solid compliance foundation, along with automated evidence gathering so that you can prove compliance. If you are already compliant, we can help you stay compliant through continuous monitoring of your company’s IT systems and the processes that handle confidential patient information.
Akitra’s HIPAA compliance experts are also part of the service, and will provide you with the guidance you need to confidently implement your HIPAA compliance program – and stay compliant.
Choose Akitra TODAY for your HIPAA compliance needs!
To book your FREE DEMO, contact us right here.