How to Become HIPAA Compliant? All Rules You Need to Know

What is HIPAA Compliance?

The HIPAA sets the standard for sensitive patient data protection. Organizations that deal with protected health information (PHI) must conduct physical, network, and process security measures and obey them to ensure HIPAA Compliance.

Covered entities (anyone giving treatment, payment, or operations in healthcare) and business associates (anyone with access to patient information who provides support in treatment, payment, and operations) must comply with HIPAA Compliance.

Other entities, like subcontractors and any other related business associates, must meet this federal compliance.

What Does HIPAA Stand For?

HIPAA establish industry-wide guidelines to guard the confidential use of personal healthcare information.

Who Enforces HIPAA?

The chief enforcer of this act is the Department of Health and Human Services Office for Civil Rights (OCR).

Anyway, the implementation of the HITECH (Health Information Technology for Economic and Clinical Health) Act into HIPAA in 2009, gives state attorneys general the power to assist OCR in the enforcement of HIPAA.

The CMS (Centers for Medicare and Medicaid Services) also has some enforcement powers, and the U.S. FDA (Food and Drug Administration) and the FCC (Federal Communications Commission) have participated in HIPAA enforcement to a certain level.

Who Needs to Be HIPAA Compliant?

The short answer is that the HIPAA rule refers to both covered entities and their business associates.

Covered Entities

Health care providers, health plans, along healthcare clearinghouses, are all covered entities, according to the U.S. Department of Health & Human Services.

• Healthcare providers are hospitals, clinics, nursing homes, pharmacies, doctors, psychologists, dentists, and chiropractors that need to be HIPAA compliant;
• Health plans involve health insurance companies, health maintenance organizations, company health plans, Medicare, and Medicaid. Additionally, schools and employers that handle PHI in order to enroll their students and employees in health plans fall under the health plan definition and must be HIPAA compliant;
• Health care clearinghouses take information from a healthcare entity, put the data into a standard format, and then output the data back out to another health care entity. They should be HIPAA compliant too.

Business Associate

A business associate is an individual who, on behalf of the covered entity, performs a function or activity, including the use or disclosure of PHI.

Here are some examples of business associates:

• Data storage or document storage services
• Providers of data transmission services, portals, and other platforms created in the name of covered entities that enable patients to share their data with the covered entity
• Electronic health information exchanges
• If a vendor delegates a covered function or activity to someone, then that entity is considered as a subcontractor
• Some business associates avoid PHI like the plague since they don’t want this information anywhere near their service. However, avoidance doesn’t necessarily excuse them from becoming compliant
• If a covered entity sends PHI through a vendor and the vendor’s servers store this information, then they’re considered aa a business associate and subject to the HIPAA Security Rule

Several instances of potential business associates are presented below:

• Data processing or software companies that may be exposed to or use PHI;
• Medical equipment service firms handling equipment that holds PHI;
• Medical transcription services;
• e-Prescribing services;
• Shredding and/or documentation storage businesses;

• Lawyers;
• External auditors and accountants;
• Professional translator services;
• Answering services;
• Accreditation agencies;

On the contrary, these people aren’t business associates:

• Covered entity’s workforce;
• Companies or individuals with very limited and incidental exposure to health information, like a telephone company, electrician, and so on;
• Firms that act as a conduit for PHI, including the postal service, UPS, private couriers, etc.

HIPAA Requirements

Every business associate and a covered entity that has access to PHI must ensure the technical, physical and administrative safeguards are in place – that they comply with the HIPAA Privacy Rule in order to defend the integrity of PHI. In case a breach of PHI happens – they follow the procedure from the HIPAA Breach Notification Rule.

All policies, risk assessments, and reasons why addressable safeguards haven’t been applied must be documented if a breach of PHI happens, and an investigation takes place to establish how the breach occurred.

Each of the HIPAA requirements is covered in further detail below. Companies unsure of their obligation to comply with the HIPAA requirements should look for professional advice.

HIPAA Security Rule

The HIPAA Security Rule has the standards that must be implemented and ePHI (electronic protected health information –  produced, saved, transferred, and received in an electronic form) when it’s at rest and in transit.

It refers to anybody or any system that has access to detailed patient data.

Access means having the resources necessary to read, write, modify, or communicate to ePHI and personal identifiers that disclose the identity of an individual.

There’re three parts of this rule – technical safeguards, physical safeguards, and administrative safeguards.

Technical safeguards

The technical safeguards apply the technology used to protect ePHI and provide access to the data. The only condition is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it goes beyond an organization’s internal firewalled servers.

This’s so that any breach of confidential patient data makes the data unreadable, undecipherable, and unusable.

Therefore, companies are free to choose whichever mechanism are most appropriate to:

• Incorporate a means of access control – This isn’t only the assigning a centrally-controlled username and PIN code for each user but also determining procedures to manage the release or disclosure of ePHI during an emergency;
• Use a mechanism to authenticate ePHI – This mechanism is crucial in order to meet HIPAA regulations as it verifies whether ePHI has been changed or destroyed in an unauthorized manner;
• Implement encryption/description tool – It refers to the devices used by authorized individuals, which need to encrypt messages when they’re sent beyond an internal firewalled server and decrypt those messages when they’re received;
• Apply activity logs and audit controls – The audit controls required under the technical safeguards registered attempted access to ePHI or record what’s done with data once it has been accessed;
• Facilitate computer’s/device’s automatic log-off – This functionality logs authorized personnel of the device they’re using to access/communicate ePHI after a pre-defined period. It prevents unauthorized access to ePHI.

Physical safeguards

The physical safeguards concentrate on physical access to ePHI despite its location. ePHI could be stored in a cloud, remote data center, or on servers,  which are located within the premises of the covered entity.

They also determine how workstations and mobile devices should be secured from unauthorized access:

• Facility access controls should be incorporated – Supervises who has physical access to the location where ePHI is stored, includes software engineers, cleaners, etc. The procedures must also involve safeguards to prevent unauthorized physical access, theft, and tampering;
• Policies for the use and positioning of workstations – Policies must be devised and applied to reduce the use of workstations and command how functions will be performed on the workstations;
• Policies/procedures for mobile devices – If a user has permission to access ePHI from their smartphones, policies must be devised and incorporated to govern how ePHI will be removed from the devices if the user leaves the company or the device is old, re-used, etc.;
• Inventory of hardware – An inventory of all hardware needs to be controlled together with a record of the movements of each equipment. A retrievable correct copy of the ePHI must be made before any item is moved.

Administrative safeguards

Administrative safeguards are critical elements of this compliance. They request that a privacy officer and a security officer be assigned to put measures to protect ePHI, while they also manage the conduct of the workforce.

The administrative safeguards involve.

• Conduct risk assessments – Among the security officer’s primary tasks is the compilation of a risk assessment to detect every area in which ePHI is being used, and to establish all of how breaches of ePHI could happen;
• Implement a risk management policy – The risk assessment must be repeated at regular intervals with proper measures to minimize the risks to a safe level. A sanctions policy for workers who fail to meet these regulations must also be conducted;
• Employee training – Training schedules must be taken to raise awareness of the policies/ procedures governing access to ePHI and how to identify malware and malicious software attacks. All training must be documented;
• Develop a contingency plan – In the case of an emergency, a contingency plan must be ready to allow the continuation of essential business processes while guarding the integrity of ePHI while a company operates in emergency mode;
• Test a contingency plan – The contingency plan needs to be tested periodically to evaluate the relative criticality of specific apps. Also, there must be accessible backups of ePHI and procedures to restore lost data in the case of an emergency;
• Restrict third-party access – It’s paramount to ensure ePHI isn’t accessed by unauthorized parent organizations or subcontractors, and that Business Associate Agreement is signed with partners who will get access to ePHI;
• Report security incidents – It requires covered entities to apply necessary procedures and practices to report security incidents.

HIPAA Privacy Rule

It defines how ePHI can be used and disclosed. In effect from 2003, the Privacy Rule refers to all healthcare organizations, the providers of health plans plus employers, healthcare clearinghouses, and, from 2013, the business associates of covered entities.

It means that appropriate safeguards are applied to protect the privacy of PHI. Privacy Rule also sets limits/conditions on the use and reveals that information without patient authorization.

The rule also provides patients or other nominated representatives with rights over their health data, including the right to get a copy of their health records or examine them and the ability to demand corrections if needed.

Under this rule, covered entities are obligated to respond to patient access requests within 30 days. NPPS (Notices of Privacy Practices) must also be released to inform patients and plan members of the circumstances under which their information will be used or shared.

Covered entities should also:

• Provide training to employees to ensure they’re aware of what information may and may not be shared outside of an organization;
• Ensure proper steps are taken to keep the integrity of ePHI and the patients or individual personal identifiers;
• Make sure that written permission is procured from patients before their health information is used for purposes such as fundraising, research, or marketing.

Covered entities must secure their patient authorization forms have been updated to add the disclosure of immunization records to schools, including the option for patients to restrict revealing of ePHI to a health plan (if they have paid for a procedure privately) and also the choice of providing an electronic copy to a patient when it’s requested.

HIPAA Breach Notification Rule

This rule demands from covered entities to inform patients when there’s a breach of their ePHI.

It also requests entities to quickly notify the Department of Health and Human Services of such ePHI breach and release a notice to the media if the breach affects more than 500 individuals.

There’s also a requirement to report smaller breaches – those affecting fewer than 500 patients – though the OCR web portal. These smaller breach reports should perfectly be made once the initial investigation has been done. The OCR only demands these reports to be made annually.

Breach notifications should include the following.

• The nature of the ePHI involved, like the types of personal identifiers exposed;
• The unauthorized individual who used the ePHI or to whom the disclosure was made;
• Whether the ePHI was acquired or viewed;
• The volume to which the risk of damage has been alleviated;
• Breach notifications need to be made without unreasonable delay and no later than 60 days from the discovery of a breach.

When informing a patient of a breach, the covered entity must explain to the individual what steps they should apply to protect themselves from prospective harm; include a brief description of what the covered entity is doing to scrutinize the breach and the actions taken so far to preclude further breaches or security incidents.

HIPAA Omnibus Rule

It’s introduced to address several areas that had been excluded by previous updates to HIPAA.

This regulation modifies definitions, defines procedures and policies, and expands the HIPAA compliance checklist to envelop business associates and their subcontractors.

Vendors are categorized as any individual or organization that creates, receives, maintains, or transmits PHI in the course of executing functions on behalf of a covered entity.

The term business associate also involves contractors, consultants, data storage companies, health information organizations, and any subcontractors hired by Business Associates.

The Omnibus Rule changes HIPAA guidelines in 5 core sectors:

• Incorporation of the final amendments as required under the HITECH Act;
• Implementation of the increased, tiered civil money penalty structure as required by HITECH;
• Introduces changes to the harm threshold and includes the final rule on Breach Notification for Unsecured Protected Health Information among the HITECH Act;
• Modification of HIPAA to involve the provisions made by the GINA (Genetic Information Nondiscrimination Act) to ban the disclosure of genetic information for underwriting purposes;
• Prevents the use of personal identifiers and ePHI for marketing purposes.

How to Get HIPAA Certification?

HIPAA doesn’t obligate employees to have any specific training program to obtain HIPAA certification, only that healthcare staff must be trained on these rules and need to confirm, in writing, that they have been given HIPAA training.

For covered entities and business associates, it means training has been given – as necessary and suitable for workforce members to carry out their functions.

Since these rules are complex, HIPAA training agencies are often hired. The companies contract HIPAA compliance professionals who teach healthcare personnel the aspects of HIPAA that are applicable to their role in the organization – like the handling of protected health information as well as allowable uses and disclosures of PHI.

This act requires covered entities to apply a security awareness and training program for all members of the workforce. Any certification awarded will confirm that employees have finished their training and possibly tested on their knowledge of HIPAA standards.

The certification may be beneficial when looking for a job, but it’s not recognized by any federal agency.