The Health Insurance Portability and Accountability Act, known among practitioners as HIPAA, contains more than 100 requirements across three main categories: security, privacy, and breach notification. Across the board, organizations are expected to have a comprehensive risk analysis completed regularly, a risk management plan, regular employee training, and implemented security policies and procedures. All of this is much easier said than done, which is why many organizations are still failing to meet this requirement, especially as electronic health records have become more standard in the industry.
Unlike many industries, healthcare faces a steep cost for becoming the victim of a data breach while not being HIPAA compliant. An organization that is breached can face fines of up to $1.5 million per HIPAA violation per year. This does not include the other costs that come with a data breach, including new process development, credit monitoring for individual victims, FTC fines, class action lawsuits, patient loss, and possibly action from state Attorneys General.
While larger medical organizations seem to understand the importance of protecting patient data, research from SecurityMetrics found that more than half of the organizations surveyed were not testing their workforce on HIPAA training. Additionally, 40% of respondents could not confirm whether their organization uses multi-factor authentication for patient data access. This is a HIPAA violation, and it is very alarming; it does not paint an optimistic outlook for the second round of HIPAA audits coming from the OCR.
Thankfully ITSC has compiled a checklist and guide to ensure that you will pass your audit when the time comes.
If you are attempting to meet compliance, it is important to understand what your scope of responsibility is. There are two categories of organizations that the HIPAA law recognizes: covered entities (CE) and business associates (BA). Let’s start by defining what these two are and how even businesses who are not traditionally considered part of the healthcare industry can potentially need to follow HIPAA as well.
You are a CE if you are a health plan, healthcare clearinghouse, or healthcare provider: essentially, any organization involved in digitally handling and transmitting sensitive medical and personal data. All medical specialties, insurance companies, pharmacies, research firms, and in some cases even educational institutions are required to follow HIPAA as a CE. There are cases where one organization can be considered both a CE and a BA, which is much more common when partnerships are developed between organizations.
Any person or organization can be considered a BA if they handle any personal health information (PHI) under any circumstance. This is where you will find organizations not traditionally considered part of the healthcare industry that will need to follow HIPAA. Meeting compliance in this case is the cost of doing business with the healthcare industry. BAs can be consultants, accountants, financial firms, data analytics firms, or even other medical providers: basically anyone who has to use PHI to perform their job. Business associates should map out exactly how PHI from a CE flows into their organization, how it is processed, how it is stored, and finally what happens once the data leaves the organization. Network segmentation is one of the most effective methods to better manage PHI data from a client or partner.
It is important to understand whether you fall into only one category or into both. A good rule of thumb is that if you have a medical partnership, you likely belong in both categories. You can read more about scope on the OCR’s online HIPAA resource page for professionals. You can also use the online tool that was developed to answer the question of which category you fall under. Now that we understand some of the basics about scope, let us explore what rules organizations are expected to follow.
What to Expect
There are three rules included in HIPAA, each with their own set of specific requirements. Below you will find an overview of each rule and how it applies to your organization.
The Security Rule
HIPAA was the first regulation to standardize the security of electronic personal health information. According to the OCR, the goal of the Security Rule is:
“A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.”
The Security Rule applies to every CE and their BAs. According to the OCR, the Security Rule contains specifications that require every CE to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Any CE will be required to address the following:
- Risk Analysis and Management
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Required Implementation Specifications
- Organizational Requirements
- Policy, Procedure Documentation
To familiarize yourself with this specific rule, please see the OCR’s summary of the Security Rule.
The Breach Notification Rule
This specific rule requires covered entities and their business associates to notify affected individuals, the HHS Secretary, and in some cases the media. If a covered entity’s business associate is breached, the business associate needs to notify the covered entity immediately and without unreasonable delay. Additionally, organizations are not only required to provide notice of a data breach, but must also demonstrate through documentation that they have done so.
The Breach Notification Rule requires processes, communication, procedures, and coordination to be aligned and carried out. This means that every organization will need an incident response plan. Employees need to understand how and when their roles and responsibilities change when there is a data breach. For a comprehensive incident response plan, an organization should:
- Identify and Prioritize Data Assets
- Identify Risks
- Establish Procedures
- Organize Response Team & Roles
- Continuously Train Staff
The Privacy Rule
The final rule of HIPAA compliance is the Privacy Rule. The goal of the Privacy Rule is to make sure personal health information is protected while being shared among organizations for quality service. Most healthcare organizations have tried to uphold this rule through their ethical commitments to patients. HIPAA has added a few more safeguards that ensure exposure of patient health data is minimized. The Privacy Rule defines patients’ rights and administrative responsibilities. CE and BA organizations are expected to implement privacy policies and procedures and to uphold HIPAA’s data usage rules and definitions. Additionally, the workforce of an organization is expected to be trained on HIPAA privacy rules and data usage. Two of the most prominent aspects of the Privacy Rule are the patient authorization requirements and the minimum necessary requirement.
Most of the requirements in the Privacy Rule can be met by maintaining good security standards and by using the right internal threat security software.