
What does it mean to be HIPAA Compliant?

Everything changed in 1996 when the Department of Health and Human Services (HHS) sponsored the Health Insurance Portability and Accountability Act (HIPAA). This public law (104-191) created national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. While it was designed to protect patient data, it complicated practitioners’ and Business Associates’ operations. 

Being HIPAA compliant can be tricky, costly, and overwhelming for small medical providers or business associates. The functional, operational, and technical requirements are challenging to implement correctly, leaving patients' ePHI (Electronic Protected Health Information) exposed because of the complexity and costs involved. Daunting regulations coupled with constantly changing technical environments challenge even the most seasoned compliance officers and support teams. 

Although HIPAA has been federal law for over 25 years, many health care providers and business associates still find it challenging to comply with its technical requirements, sometimes willfully, other times accidentally. This blog walks you through several key elements and requirements, starting with determining what you must do to be compliant. 

Who is Responsible? 

Both covered entities and business associates are responsible for maintaining ePHI. Organizations are responsible for identifying the types of ePHI they have, how it is collected, managed, and transmitted, and the rules surrounding that ePHI.

Covered Entities generally include: 

Healthcare Providers: Includes all persons or organizations that electronically transmit PHI in connection with certain transactions, such as: 

  • Doctors and clinics: Physicians, specialists, dentists, optometrists, etc. 
  • Hospitals and other healthcare facilities: Nursing homes, mental health facilities, rehabilitation centers, etc. 
  • Pharmacies: Dispensing and managing prescription medications. 
  • Laboratories and other diagnostic testing facilities: Processing and reporting medical tests. 

Health Plans: This includes organizations that provide or pay for medical care, such as: 

  • Health insurance companies 
  • Employee health plans 
  • Government-sponsored health programs like Medicare and Medicaid 

Healthcare Clearinghouses: Organizations processing non-standard health information into standardized formats or vice versa, often acting as intermediaries between providers and payers. 

Business Associates: Organizations that provide services to covered entities and have access to ePHI, such as: 

  • IT service providers, often Software as a Service (SaaS) vendors with ePHI access 
  • Cloud service providers, if they store ePHI 
  • Data disposal and destruction companies 
  • Marketing and advertising companies 

Not all interactions with covered entities create a business associate relationship. Factors such as the nature of the service, access to PHI, and contractual agreements determine whether an entity becomes a business associate. 

What does it mean to be HIPAA Compliant?

Being HIPAA compliant and protecting individuals' Protected Health Information (PHI) is a complex process. The HIPAA rule set includes the original act and the additional regulations added over the years. 

Step 1 – Implement Safeguards: HIPAA outlines various safeguards for Confidentiality, Integrity, and Availability of PHI. Safeguards map back to regulations and frameworks for implementation and testing requirements.  

  • Physical safeguards: Securing physical access to PHI, like locked doors and restricted areas. 
  • Administrative safeguards: Establishing policies and procedures for handling PHI, including employee training, access controls, and risk assessments.  
  • Technical safeguards: Implementing technological solutions like encryption to protect electronic PHI and firewalls to prevent unauthorized access. 

These safeguards roll up specific requirements set out in the HIPAA Act of 1996, its subsequent updates, and add-on regulatory requirements: 

  • The Privacy Rule was first published in December 2000 and modified in August 2002, with an implementation requirement in April 2003. It set national standards for protecting individually identifiable health information for three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003. 
  • The Security Rule, published in February 2003 with an implementation requirement in April 2003, set national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. 
  • The Enforcement Rule establishes standards for enforcing all the Administrative Simplification Rules. 
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 implements security and privacy by extending the rules of the pre-existing HIPAA law to more and different kinds of businesses, and by adding tougher reporting and enforcement provisions. 
  • The Omnibus Rule of 2009 implements several provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule. 

HIPAA and its associated legislation undergo periodic updates. The following is a summary of the updates scheduled for 2024. Visit HHS.gov for additional information. 

Strengthened Cybersecurity 

  • Enhanced Risk Assessments: Covered entities are required to conduct more comprehensive risk assessments to identify and address potential vulnerabilities in their systems and processes. This should include Technical, Administrative, and Functional risks.  
  • Improved Incident Response Plans: Covered entities should have a robust incident response plan addressing data breaches and cyberattacks. There will be an emphasis on timely response and reporting. 
  • Data Encryption: Implement stronger data encryption practices for protected health information (PHI). 

Changes to Patient Rights and Access 

  • Right to Access PHI: Provide patients with access to their PHI electronically at no cost from covered entities, if readily available. 
  • Expanded Access for Care Coordination:  PHI can be shared between covered entities involved in the patient’s care, with the patient’s authorization, to improve care coordination. 
  • Minimum Necessary Standard: This standard now applies to individual-level care coordination and case management uses and disclosures of PHI. 

Additional Considerations 

  • A Healthcare Sector Cybersecurity Framework is being developed by the Department of Health and Human Services (HHS) to enhance cybersecurity efforts in the healthcare sector (not officially implemented in 2024). 
  • Modifications to the HIPAA Privacy Rule by the Office for Civil Rights (OCR) to empower patients, improve care coordination, and reduce regulatory burdens. 

Step 2 – Create a Compliance Program: The first step is understanding and implementing all the HIPAA rules. The second step is creating an environment where they are taught to all users, practiced at all levels, and effectively tested. 

  • Compliance Management: Identify a HIPAA Compliance Officer to oversee program implementation and enforcement. This role should include the organization’s practice areas, technology, and cybersecurity. It should report to a compliance committee for broader program development and enforcement.  
  • Create and review policies, procedures, and controls: Create and adapt policies outlining how you handle PHI, including acceptable uses, disclosures, minimum access standards, and proper handling guidelines. Create controls to test and validate your policies and procedures. Periodically review the program to ensure alignment with regulatory and business changes. 
  • Train and educate: Regularly train all staff who handle PHI on HIPAA requirements, security measures, and proper information handling practices. Training should also address application usage and current cyber threats.  
  • Communications: Create an environment where violations are easily identified and reported. Establish clear and accessible methods for reporting potential HIPAA violations or concerns. Leverage hotlines, email addresses, or designated staff members. 
  • Create a Business Associate Program: Whether you are a Covered Entity or a Business Associate, you are responsible for establishing a Business Associate program for all ePHI that you delegate to a third-party provider.  
  • Conduct Risk Assessments: Identify and address potential vulnerabilities in your systems and processes. 

Step 3 – Address Violations: HIPAA violations can result in significant penalties, stemming from regulatory fines and civil actions. Create plans and practice them: 

  • Incident response: Create a formal Incident Response plan for security breaches and data leaks. Your plan should address team mobilization, leadership escalation, law enforcement involvement, cyber insurance, and regulatory reporting with its associated reporting requirements. Consider integrating it with your Disaster Recovery and Business Continuity programs. 
  • Reporting: Follow the required reporting procedures for the Department of Health and Human Services (HHS), affected individuals, and shareholders (Form 8-K). Consult legal staff for specific requirements and reporting formats. 

Step 4 – Create Strategic Partnerships: Do not attempt to create a strategic HIPAA program yourself. Align with HIPAA service providers, that is, providers who fully understand and practice HIPAA compliance. 

  • Use software or SaaS providers built for HIPAA purposes. 
  • Leverage a partner to conduct periodic technical and functional assessments. 
  • Leverage a third-party training partner that has a specific HIPAA curriculum and the ability to add your own training requirements, and train constantly. 

Being HIPAA compliant demonstrates an organization’s commitment to protecting patient privacy and safeguarding sensitive health information. It’s essential for healthcare providers and related entities to understand and comply with these regulations to maintain patient trust and avoid legal repercussions. 

Next Steps

Become strategic by aligning your business, operations, cybersecurity, and technical functions to HIPAA requirements in a single plan. Conduct a HIPAA-based technical and functional assessment to identify weaknesses, then plan for remediation. Connect with us today and maintain compliance with help from an ISOutsource Trusted Advisor.