For healthcare organizations, a cyberattack is not just a security issue but the beginning of a slew of financial and criminal penalties under the Health Insurance Portability and Accountability Act (HIPAA). With the veritable treasure trove of data they collect, healthcare providers and hospitals have always been attractive targets for cybercriminals.
This year alone, out of the seven Worst Hacks and Breaches of 2022 listed in Wired, the cyberattack on U.S.-based healthcare organizations was fourth on the list. In one case, the breach compromised the data of nearly two million patients, while another company reportedly paid an undisclosed amount as ransom to restore their digital systems.
In the current security landscape, where the occurrence of a breach is only a matter of “when” rather than “if,” it is crucial that businesses in the healthcare sector become extremely knowledgeable about HIPAA.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that came into effect in 1996 and established best practices to enhance the security and privacy of sensitive medical data.
HIPAA compliance creates protocols for protecting patient information in the health industry. Doctors, hospitals, clinics, labs, cloud providers or anyone working with healthcare providers are expected to have security standards in place that ensure the privacy, security and integrity of protected health information (PHI).
What is protected health information (PHI)?
The term protected health information, or PHI, generally refers to medical records containing data that can potentially identify a person. PHI is protected under the HIPAA Privacy Rule.
What are some examples of PHI?
Common health information considered to be PHI includes:
- Social security number
- Demographic information
- Lab test results
- Procedure details
- Personal medical history
- Family medical history
Who has to be HIPAA compliant?
As per the HIPAA Rules, all covered entities and their business associates who handle protected health information (PHI) must be HIPAA compliant.
Covered entities are defined in the HIPAA rules as healthcare providers, healthcare plans and healthcare clearinghouses that electronically store or transmit protected health information (PHI).
In many cases, the covered entities rely on vendors who have access to their PHI data. In such instances, the covered entities may grant access to “business associates” after signing a business associate agreement (BAA). The BAA outlines the responsibilities of the vendor and the need to comply with HIPAA Rules. A HIPAA business associate could be any entity, individual or company.
Business associates under HIPAA include:
- Software providers
- Cloud service providers
- Cloud platforms
- Document storage companies (physical and electronic storage)
- Medical billing companies
- Answering services
- Medical device manufacturers
- CPA firms & others
What are the four main rules of HIPAA?
While framing the HIPAA compliance initiative for your organization, it is crucial to understand the rules of the Act to ensure you meet the compliance standards. The HIPAA Laws and Regulations are divided into four core rules — Privacy Rule, Security Rule, Breach Notification Rule and Omnibus Rule. Your entire organization needs to understand these rules thoroughly.
Here is a brief look at each rule:
1. HIPAA Privacy Rule
The HIPAA Privacy Rule, which came into effect in 2003, established regulatory protocols on “protected health information” and defined standards on what PHI can be shared, how it is shared, and under what circumstances it can be used or disclosed.
The HIPAA Privacy Rule applies to all covered entities. Since 2013, the business associates of covered entities have also been brought under the regulatory framework.
2. HIPAA Security Rule
The HIPAA Security Rule deals with the overall integrity and privacy of the electronic Protected Health Information (ePHI). It requires the implementation of three types of safeguards to ensure ePHI is safe from unauthorized access. They are:
- Administrative safeguards outline security management processes, documentation processes, roles and responsibilities, training requirements and data maintenance.
- Physical safeguards outline policies to ensure data is physically protected.
- Technical safeguards outline policies to manage the security of ePHI. Technical safeguards include hardware, software and other technology that limits access to ePHI.
3. HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and their business associates to inform patients, the HHS and, in some cases, the media of a data breach within 60 days of an incident.
The Rule mandates that breach notifications should include the following information:
- Details of the breach
- Types of personal identifiers exposed
- Precautionary measures the victims must take
- Details of corrective measures that have been taken
- Details of the investigative action taken
4. HIPAA Omnibus Rule
The HIPAA Omnibus Rule was introduced in 2012 to update and clarify several provisions in the HIPAA Privacy, Security, Enforcement and Breach Rules. It included changes in definitions, procedures and policies to reform areas that had been omitted in previous HIPAA updates.
The Omnibus Rule introduced amendments to five key HIPAA regulations:
- The rule made it mandatory for healthcare providers to report data breaches even when they have been deemed unharmful
- It made business associates of covered entities directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements
- It prohibited the use of PHI and personal identifiers for marketing purposes
- It introduced changes in the HIPAA Enforcement Rule to incorporate the increased and tiered civil monetary penalty structure provided by the HITECH Act
- It prohibited most health plans from using or disclosing genetic information for underwriting purposes
What constitutes a HIPAA violation?
A HIPAA violation is any failure to follow HIPAA standards and provisions. Violations take place when protected health information (PHI) is accessed or used without the permission of the patient.
Covered entities or business associates can be found to have violated HIPAA if they fail to train their employees on security awareness and HIPAA compliance best practices. Similarly, withholding details of a breach from affected individuals and, in some cases, from the media is also considered a HIPAA violation.
What are examples of HIPAA violations?
Here is a brief list of common HIPAA violations:
- Failure to keep PHI secured
- Failure to encrypt ePHI
- Failure to perform a routine risk analysis
- Failure to provide patient access to health records
- Failure to sign a Business Associate Agreement with BAs before sharing PHI
- Failure to encrypt ePHI on a portable device
- Failure to provide staff security awareness training
- Downloading PHI on unauthorized devices
- Leaving portable electronic devices and paperwork unattended
- Publishing photographs of patients on social media
- Disclosing PHI to a patient’s employer
- Disclosing PHI after the expiration of a patient’s authorization
What are the consequences of HIPAA violations?
HIPAA violations carry hefty fines that can hurt or even force an organization out of business. The Department of Health and Human Services’ Office for Civil Rights (OCR) and State Attorneys General impose the penalties for HIPAA violations depending on whether the violation was deliberate or unintentional.
Authorities can impose jail time on top of fines and penalties, depending on the severity of the violation. There are four HIPAA violation categories, and each has a minimum and maximum limit to cap the fine amount. The fines for HIPAA violations are adjusted annually.
Here is a brief synopsis of each tier:
Tier 1: Entities or business associates were unaware of the violation despite following due diligence. The minimum fine effective from March 17, 2022 is $127 and the maximum is $63,973. The maximum penalty that can be levied against an organization in a year is now $1,919,173.
Tier 2: The violation falls short of willful neglect of HIPAA Rules. The minimum fine is $1,280 and the maximum is $63,973, with a calendar-year cap of $1,919,173.
Tier 3: The violation was caused by willful neglect of HIPAA rules but was corrected within 30 days. The minimum fine is $12,794 and the maximum penalty is $63,973. The maximum fine in a calendar year is $1,919,173.
Tier 4: A violation was caused by willful neglect of HIPAA rules but was not corrected within 30 days. The minimum penalty is $63,973 and maximum is $1,919,173. The calendar-year cap is $1,919,173.
What are HIPAA compliance requirements?
Adhering to best practices can go a long way towards helping your organization stay compliant and save it the trouble of paying hefty fines for HIPAA violations. Here is a simple HIPAA compliance plan outline that can help you in your compliance initiative.
- Designate a HIPAA compliance officer – By dedicating a resource to manage HIPAA compliance, covered entities and business associates can increase accountability and adherence to the framework. A dedicated HIPAA compliance officer can ensure that all compliance standards are followed.
- Develop HIPAA compliance policies and procedures – Framing HIPAA compliance policies and procedures will ensure that adequate training is provided to employees while the organization can stay up to date with the multiple standards.
- Conduct regular HIPAA compliance audits – All HIPAA-compliant organizations have one thing in common — they all perform regular HIPAA compliance audits. The compliance audits check for both technical and administrative safeguards during the periodic checks.
- Implement safeguards and remediation plans – Although cyberattacks are inevitable, you can have plans in place that ensure you adhere to the HIPAA Breach Notification Rule.
- Annual HIPAA training – Hold training at least annually to stay updated with the HIPAA Privacy Rule and HIPAA Security Rule.
- Investigate and report HIPAA violations – If a violation is flagged during a routine compliance audit, your organization must investigate and resolve the found violation(s) to ensure you stay fully HIPAA compliant.
- Manage business associates – Have vendors sign a Business Associate Agreement before they start work and have access to protected health information (PHI). Ensure that the business associate holds annual training for its employees to remain compliant with the administrative safeguards, security policies and privacy procedures.
- Document all HIPAA compliance efforts – To ensure greater transparency and accountability, organizations must log and record everything related to HIPAA. Doing this manually can be challenging for a HIPAA compliance officer. This is where HIPAA compliance software can help. It can save time, produce the required documentation and reduce the effort required for compliance preparation.
What is HIPAA compliance software?
HIPAA compliance software is an application or service that assists you through your compliance efforts. It provides a framework for covered entities and business associates to become HIPAA-compliant and ensures your organization stays compliant by performing and documenting regular compliance assessments. The tool also provides recommendations and remediations.
HIPAA compliance software can prepare a comprehensive report of all the HIPAA initiatives for your organization and prove to authorities that all steps were taken in good faith to comply with HIPAA.
Ensure HIPAA compliance with Compliance Manager GRC
If you are an IT professional, you can manage HIPAA compliance effortlessly without hiring extra help or requiring extensive knowledge of regulatory standards. Through Compliance Manager GRC, MSPs can provide robust compliance and enhanced IT security that doesn’t cost an arm and a leg.
Find out more about Compliance Manager GRC and how it can help you manage HIPAA and a host of other mandated regulations. Request a demo today.