HIPAA (The Health Insurance Portability and Accountability Act of 1996) comprises a set of national regulatory standards. The purpose of HIPAA is to ensure that protected health information (PHI) in medical records and other healthcare data is appropriately collected, stored, used, and disclosed only to those authorized to access it. There have been amendments to HIPAA, and additional acts passed since 1996, notably the Health Information Technology for Economic and Clinical Health Act in 2009 (the HITECH Act) and the HIPAA Omnibus Rule in 2013. We will refer to all of these collectively as the HIPAA regulations.
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for auditing and enforcement actions for any violations under HIPAA. The HIPAA regulations are complex, but ignorance of them is not a valid defense against enforcement actions by the OCR, especially if there is a breach in PHI data administration.
Before we dive into an overview of HIPAA and what is required to comply, we will highlight that Critical Insight has an expert HIPAA Security practice with experienced consultants. They provide comprehensive HIPAA Security Risk Assessments and advice to organizations operating in or adjacent to the healthcare sector, including Business Associates. The HIPAA Security rule deals with a specialized case for PHI – electronic Protected Health Information (ePHI) which can be any PHI stored, processed or transmitted electronically.
As you'll see below, HIPAA compliance is complex. Critical Insight can assist you in getting your operations and processes to the level required for HIPAA compliance, and maintaining them at that level over time.
The HIPAA regulations related to three groups of organizations in the healthcare industry that handle PHI.
Covered Entities - The first group that HIPAA applies to are known as Covered Entities. This group includes all healthcare organizations such as healthcare providers, health plan providers, and healthcare clearinghouses who create, handle, or transmit PHI in their everyday operations. Including both paper PHI and electronic Protected Health Information (ePHI).
Individual healthcare professionals who are working in hospitals or other settings are not Covered Entities under HIPAA. The organization that has employed them is the Covered Entity for compliance purposes.
Business Associates - The second group that HIPAA applies to is Business Associates. These are service provider businesses or individuals who supply services to a Covered Entity that involves the Business Associate having any access to the PHI controlled by the Covered Entity. Examples of Business Associates include individuals or companies providing services in legal, actuarial, accounting, IT consulting, data management, administration, finance, or any other sector that has contact with PHI.
The 2013 HIPAA Omnibus Rule (see below) defined the role of Business Associates under HIPAA and amended the concept of Business Associate Agreements (BAAs). Before they can access PHI, a BAA must be in place between the Covered Entity and the Business Associate. This BAA must state what PHI the business associate will access, how they can use it, and how it will be returned or destroyed once the task they needed it for completes. While PHI is in a Business Associate's control, they have the same HIPAA compliance obligations as the Covered Entity.
Healthcare Clearing House - The HIPAA regulations define a healthcare clearinghouse as a public or private entity such as billing services, repricing companies, community health management information systems or community health information systems, as well as value-added networks and switches, that process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction or receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
HIPAA compliance involves all organizations who fall into either of the two groups outlined above understanding, implementing, and following a defined set of rules.
The HIPAA requirements are sometimes vague, but at a high level, they require every Covered Entity and Business Associate to ensure that technical, physical, and administrative protections are in place to safeguard all PHI.
There is no official certification that healthcare providers can achieve to show HIPAA compliance. Instead, each organization must implement and adhere to the Security rule and document the activities undertaken to comply in the form of a Security Risk Assessment.
HIPAA Security Rule
The HIPAA Security Rule outlines the standards that all providers must use to protect ePHI at rest, in processing and in transit over a network.
Required vs. Addressable Standards – A required control is just that, required and must be in place to meet HIPAA compliance. Addressable requirements are subject to analysis via risk assessment to ensure that control is appropriate for the size and character of the organization. If a controls impact and cost are greater than the risk they control is meant to address, you can use the risk analysis to argue that the control is not needed, or a compensating control can be used in its place.
The Security Rule has three subsections:
Administrative Safeguards Section - Contains the policies and procedures that need to be implemented to bring the other rules together in a coherent whole. These policies and procedures are crucial to HIPAA compliance. They require that a Security Officer is designated to implement them and be responsible for protecting ePHI.
The Security Officer is responsible for ensuring that the policies to prevent, detect, and respond to ePHI data breaches are in place. They also need to conduct HIPAA Security Risk Assessment to ensure adherence to the HIPAA Security Rule requirements. These audits need to be performed regularly (preferably, at least annually). Organizations must fully document any gaps or discrepancies and detail a Remediation Action Plan (RAP).
The Administrative Safeguards section includes these Implementation Specifications:
Implementation Specification |
Required or Addressable? |
Conducting risk assessments |
Required |
Introducing a risk management policy |
Required |
Training employees to be secure |
Addressable |
Developing a contingency plan |
Required |
Testing of contingency plan |
Addressable |
Restricting third-party access |
Required |
Reporting security incidents |
Addressable |
Physical Safeguards Section - This includes specifications that focus on controlling physical access to ePHI. The location where ePHI is stored can be data centers, local server rooms in healthcare providers, on public Cloud infrastructure, on medical devices, and on endpoint devices such as lab and ward PCs, tablets, and any other device capable of storing ePHI.
The Physical Safeguards section includes these Implementation Specifications:
Implementation Specification |
Required or Addressable? |
Facility access controls must be implemented |
Addressable |
Policies for the use/positioning of workstations |
Required |
Policies and procedures for mobile devices |
Required |
Inventory of hardware |
Addressable |
Technical Safeguards Section - Stipulates that ePHI must have technical controls to protect ePHI at rest on servers and devices, and when transmitted over the network. Integrity controls must also be in place to ensure nobody can alter ePHI data without anyone knowing or without an audit trail.
The actions that need done to satisfy the items in the HIPAA Technical Standards section are standard cyber security measures and best practices. They include having strong authentication for systems access, backed by robust security policies and security controls, encryption and the ability to monitor access to ePHI. IT teams should also conduct regular risk assessments and make sure that everything they do is compliant with the HIPAA security standards and the compliance program that is in place.
The Technical Safeguards section includes these Implementation Specifications:
Implementation Specification |
Required or Addressable? |
Implement a means of access control |
Required |
Introduce a mechanism to authenticate ePHI |
Addressable |
Implement tools for encryption and decryption |
Addressable |
Introduce activity logs and audit controls |
Required |
Facilitate automatic log-off of PCs and devices |
Addressable |
The HIPAA Privacy Rule sets standards on how personal health information and other patient data in ePHI and other electronic health records (EHR) can be used and disclosed.
Data protection must be in place for all forms of PHI, including electronic, paper, and oral when it contains PHI such as name, phone number, birth date, Social Security Number, or any other personal identifier. If anyone can tie the data to an individual somehow, it's ePHI and needs safeguarding.
The Privacy rule also outlines when patients (or their designated representatives) can request a copy of their healthcare data to inspect and correct if required. The requirements for a Privacy Compliance Officer (PCO) to oversee training, documentation, and compliance outlined in the previous section are also in the Privacy Rule.
This rule requires Covered Entities to notify patients if there has been a breach where ePHI may have been exposed or stolen or any unauthorized access to toPHI. It also requires a notification to the Department of Health and Human Services at a minimum and usually also includes state regulations that require additional reporting such as reporting to each state Attorneys General who has a patient whose PHI is involved, plus they also have to inform the media if the breach affected more than 500 patient records. Breach notifications should be made without delay and no later than 60 days.
The 500-patient figure is not a cutoff for reporting HIPAA violations. Any breaches that affect fewer than 500 records still need to be reported to the HHS Office via an OCR web portal on an annual basis. Any suspected breach of ePHI must be documented in a breach risk assessment that contains the details of the event in question, the records involved, and a determination if the event is in fact a reportable event.
HSS added the Omnibus rule to HIPAA to address gaps that had come to light. It defined and clarified Business Associate's roles, outlined the requirements for Business Associate Agreements (BAAs), and required any BAAs in place prior to the Omnibus Rule to be updated and reissued.
It also implemented several parts of the HITECH Act. It introduced requirements for updated privacy policies, new rules for NPPs that patients have to be issued with and agree to, and a provision for all staff training in the new regulations.
The Enforcement Rule is where the rubber hits the road in the event of a breach. It outlines what needs doing in response, and what penalties the OCR can levy if an investigation shows that a breach was avoidable.
This rule gives HSS the power to enforce the Security and Privacy rules. It also provides the OCR with the legal authority to investigate HIPAA complaints and non-compliance reports. The OCR can also liaise with the Department of Justice if it thinks that criminal activity has occurred in a data security breach.