HIPAA, or the Health Insurance Portability and Accountability Act, protects sensitive patient information. It was established in 1996 and contains several rules that regulate how private health care data must be protected, used, and disclosed at every stage of its existence. All covered entities, business associates, and third parties that work with this data must follow these rules and protect and secure Protected Health Information (PHI). The act applies to the health industry in the US. The law consists of strict data protection rules, since patient data is very attractive information for criminals. HIPAA is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). Let’s take a closer look at its definitions and rules to clarify how to be HIPAA compliant.
HIPAA relies on a few important definitions that need to be understood first. We describe them here.
PHI, or Protected Health Information, is any individual’s data connected with health care. It includes identifiers such as name, address, birth date, and Social Security Number, as well as a lot of other sensitive data such as records of all medical treatments, mental health conditions, payments, etc.
ePHI, or Electronic Protected Health Information, is the same as PHI, except that the information is stored, transmitted, and received in electronic format.
Covered entities are everyone who works with PHI: doctors, nurses, any other health care staff with access to the information, health care clearinghouses, and insurance agencies. It is worth mentioning that covered entities are responsible for reporting violations and for paying fines when a violation takes place.
Business Associates are everyone who provides services to covered entities and has access to PHI, e.g. lawyers, IT companies, accountants, and other non-medical staff.
You need these definitions to understand how HIPAA compliance works and to whom it applies.
HIPAA Privacy and Security Rules
The HIPAA Privacy Rule is the fundamental rule of the act. It applies to covered entities only, which means that every health care provider, health care clearinghouse, and other health care agency must comply with it. It should be your first step toward HIPAA compliance. This rule specifies safeguards for PHI, limits access to the information, and sets the conditions under which private information may be used or disclosed without the patient’s agreement. Patients also have specific rights, e.g. to request corrections to their PHI and to obtain a copy of it.
The HIPAA Security Rule applies only to ePHI and does not deal with PHI transmitted orally or in writing. This rule specifies the administrative and technical safeguards covered entities must implement to protect data. The Security Rule protects the confidentiality, integrity, and availability of all data that covered entities create, maintain, or transmit. It also requires you to identify and eliminate information security threats, and all staff of covered entities must comply with its regulatory requirements. The Security Rule lets you choose which solutions to implement as security measures, depending on the size, resources, and nature of the covered entity.
You should implement the following measures to safeguard the information:
- Technical safeguards are about protecting the information and controlling access to it. To be HIPAA compliant you need to be sure that data is secure at every stage of its existence by implementing policies and procedures. This safeguard consists of four categories: access control, audit controls, integrity controls, and transmission security.
- Physical safeguards are about preventing physical access to ePHI, no matter where it is located. Only authorized persons should have access to this information and to its location.
- Administrative safeguards are about implementing policies and procedures. Privacy and security officers are responsible for training the staff, analyzing and identifying security risks, etc.
To be HIPAA compliant you need to understand that most violations are internal. If someone misplaces a paper with a patient’s information or unintentionally leaves a workstation unlocked, these are still violations. Some common violations:
- Stolen devices with PHI or ePHI;
- Cyberattacks (malware, ransomware attacks, etc.);
- Office break-in;
- Sending PHI to the wrong person or partner;
- Discussing PHI in public;
- Posting PHI on social media.
To protect yourself you need to analyze the nature of your business and the partners you work with. It is essential to work only with partners who are also HIPAA compliant; this reduces the likelihood of fines if a violation does take place.
The HIPAA Breach Notification Rule
First of all, we need to clarify what a data breach is according to HIPAA. HIPAA defines a breach as “an impermissible use or disclosure that compromises the security or privacy of the protected health information”. In other words, a data breach is simply unauthorized access to PHI. You can prevent data breaches with robust security measures, training, and software that detects attacks and threats.
The Breach Notification Rule distinguishes 2 types of breaches by the number of affected individuals. If a breach affects fewer than 500 individuals, a covered entity must notify the HHS once a year, no later than 60 days after the end of the calendar year in which the breach was discovered. Entities must also notify the affected individuals within 60 days after the breach took place.
If a breach affects more than 500 individuals, a covered entity must notify the HHS and OCR within 60 days of discovering the breach. In addition, you need to notify the local law enforcement agencies. Moreover, all breaches of this size are posted on the U.S. Department of Health and Human Services portal.
The System of Fines and Penalties
No matter how well prepared you are for HIPAA compliance, you should always be aware of the fines and penalties. HIPAA has 2 categories of penalties: Reasonable Cause and Willful Neglect. The minimum fine for a Reasonable Cause violation is $100 per incident, and the maximum for both categories is $50,000 per incident.
The amount depends on your knowledge of the breach and the degree of neglect. If you did not know about the violation and could not have prevented it, the minimum fine is $100 per violation. The next tier is when the entity should have known about the violation but could not have prevented it for some reason; this costs the entity up to $50,000. If the entity was negligent and did not correct the violation within 30 days, the minimum fine is $50,000 per violation. Moreover, the penalty can take the form of imprisonment.
HIPAA and COVID-19
Since the pandemic began, the situation in the health care industry has changed, and HIPAA has changed with it. New bulletins, guidance, and other materials help covered entities and business associates maintain compliance during this time. The most important compliance concerns at this time are remote work and telehealth: PHI is kept in many different places, even on patients’ devices. That is why penalties and fines were suspended for a time.
Nevertheless, all medical providers should secure patient information and use supplementary measures to protect sensitive data. You need to review all procedures and policies to reduce the risk of a breach during this period. Active education and training of staff on how to protect PHI when working from home will also help you reduce the chances of a data breach; it can be added to the mandatory annual training. Moreover, you can implement two-factor authentication or biometrics for devices holding PHI.
HIPAA is one of the strictest and most complex compliance regimes protecting sensitive data. It was created specifically to keep patients’ PHI private, no matter what. To be HIPAA compliant you need to keep written records of everything: every breach, every organization with whom PHI is shared, your remediation plans, and every gap that was fixed along with the date it was done. Our DataSunrise Database Regulatory Compliance (DDRC) will help you comply with most acts and laws, including HIPAA. Our masking feature obfuscates sensitive data, so cybercriminals will not obtain the original information. We also offer a vulnerability assessment that lets you find and fix vulnerabilities in order to avoid some cyberattacks. With database audit, you can monitor database activity and grant different levels of access to it. Moreover, DataSunrise can find and hide sensitive data everywhere.