The Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality of personal healthcare information. When it comes to HIPAA compliance, many businesses think they are exempt if their services or operations don’t fall within the healthcare industry. However, the Department of Health and Human Services (HHS) requires any business associate that stores, processes, transmits, maintains, or in any way comes into contact with protected health information (PHI) to be HIPAA compliant.
Regardless of the industry your business falls under, if you partner with or provide a service for a covered entity, you need to comply with HIPAA laws.
What is HIPAA Compliance and who does it protect?
HIPAA was signed into law on August 21, 1996. The original purpose of the law was to ensure that employees would not lose their health coverage when changing jobs. Since then, HIPAA has been amended numerous times to protect U.S. citizens’ privacy rights and has become one of the top influential healthcare laws in the United States. Here are a few notable amendments:
- HIPAA Privacy Rule in April 2003
- HIPAA Security Rule in April 2005
- HIPAA Enforcement Rule in March 2006
- HITECH Act in February 2009
- Breach Notification Rule in September 2009
- Final Omnibus Rule in March 2013
These amendments have shaped HIPAA into one of the United States’ most extensive privacy compliance laws. What began as a law intended to help U.S. citizens obtain health coverage has expanded into an all-encompassing law that protects many healthcare rights, including U.S. citizens’ healthcare data privacy.
Non-compliance can result in substantial financial penalties and even criminal proceedings depending on the severity of the case — which is why it is crucial to get familiar with HIPAA requirements and protect any sensitive healthcare data your organization comes into contact with.
Important HIPAA terminology you need to know
As we break down the major rules of HIPAA and who the law applies to, you will want to become familiar with a few key terms that are frequently used in HIPAA law verbiage.
- Business associate: A person or organization who performs a function or provides a service involving the use or disclosure of PHI on behalf of a covered entity. For example, this could be a telecommunications provider that provides phone service to a healthcare organization or a third-party administrator that assists with health plan claims processing.
- Covered entity: Any business entity that must comply with HIPAA regulations, which includes healthcare providers, health plans, and healthcare clearinghouses.
- Protected Health Information (PHI): In a nutshell, this is healthcare data that HIPAA protects. PHI includes individually identifiable health information, such as medical history, demographics, insurance information, and any other type of data used to identify a patient or provide healthcare services or healthcare coverage.
- Electronic Protected Health Information (ePHI): This is PHI in electronic form. An example is a digital copy of a lab test. Since there are greater opportunities for unauthorized disclosure of PHI in electronic form, it is called out in the Technical Safeguards rule of the HIPAA law with specific guidelines on how ePHI should be protected.
Who does HIPAA law apply to?
Covered entities must comply with HIPAA laws. Where things get a little more interesting, and at times complex, is when a covered entity engages with a business associate that is involved with PHI — whether by having access to it, processing it, maintaining it, or coming into any other sort of contact with it.
Once that engagement is formed, business associates must also comply with HIPAA laws. That means even if an organization doesn’t directly collect PHI from patients, it still needs to abide by HIPAA laws if its engagement with a covered entity involves the use of or contact with PHI. Some examples of a business associate engagement are:
- A telecommunications company that provides voice and SMS services for a healthcare practice (voicemails, text reminders, call recording cloud storage, and more that may contain sensitive PHI)
- A software company that provides its product or service to a healthcare facility and has access to PHI
- A third-party administrator who helps process health insurance claims that contain PHI
The HIPAA Privacy and HIPAA Security Rules
The HIPAA Privacy Rule guides covered entities and business associates on how PHI may be used and disclosed. This rule requires that covered entities or business associates obtain permission from patients before they can use personal information for marketing, fundraising, or research purposes. It also grants patients the right to withhold healthcare-related information from health insurance providers when their treatment is privately funded.
The HIPAA Security Rule speaks more directly to ePHI and provides instruction on how ePHI should be processed and stored. Within this rule are three vital security safeguards:
- Administrative Safeguard: Covered entities/business associates must create policies and procedures designed to show how the entity will comply with HIPAA.
- Physical Safeguard: Covered entities/business associates must control physical access to areas of data storage to protect against unauthorized disclosure.
- Technical Safeguard: Covered entities/business associates must protect digital communications containing PHI when transmitted over open networks.
Other important HIPAA amendments
As mentioned, other amendments were signed into law that built on the foundation of HIPAA and helped to reinforce the HIPAA Privacy and Security Rules. The Enforcement Rule, for example, gave the HHS the ability to investigate complaints made against covered entities for failing to comply with the Privacy Rule. It also gave the HHS the power to fine covered entities for ePHI breaches that were a result of not following the HIPAA Security Rule safeguards.
Similarly, both the HITECH Act and the Breach Notification Rule expanded on the HIPAA Privacy and Security Rules and widened the exposure to violations. HITECH made business associates of HIPAA-covered entities directly accountable for HIPAA violations. The HIPAA Breach Notification Rule requires covered entities to notify individuals when their PHI may have been exposed or compromised.
The Final Omnibus Rule did not introduce new or distinctive legislation but instead continued to fill in the gaps of previous amendments. A significant gap that this rule filled was the requirement for covered entities and business associates to follow specific encryption standards for an additional safeguarding layer in the case of a data breach.
All of these amendments seek to help patients regain control over their healthcare data and are built on the fundamental requirement of data privacy.
What are the consequences of HIPAA violations?
The consequences of a HIPAA violation vary depending on the nature of the violation, the level of harm it caused, the number of patients impacted, whether action was taken to correct it, and whether the covered entity exercised due diligence to try to prevent it.
Based on those factors, covered entities or business associates who violate HIPAA may face:
- Penalties that range from $100 to $50,000 per violation or patient record, up to $1.5 million per year
- Criminal penalties with prison terms ranging from 1 to 10 years, depending on the factors involved with the violation
- Penalties or sanctions from prominent professional boards
How to ensure HIPAA compliance
The consequences of HIPAA non-compliance are not to be taken lightly. If you are a covered entity or business associate, it is essential to assess your HIPAA compliance risks and take the right steps to mitigate those risks. Here is a brief overview of risk-mitigation steps:
1. Sensitive Data Discovery
Do you know where all of your PHI lives and who has access to that PHI? Many times, PHI can inadvertently end up in places it shouldn’t be. It’s vital to have a full view of what type of data you have stored, where it’s stored, whether it’s been modified, and who has access to it.
2. Data Classification
Create a classification system that specifies the level of sensitivity for each piece of information. What type of data is fine for external use and what type of data is classified and sensitive? By creating a system and classifying each piece of data, privacy and security become much more manageable.
3. Run a Security Audit
Once you have a full view of data and it is organized, assess the security measures you currently have and determine the level of risk and likelihood of a data breach or security threat.
4. Document Findings and New Procedures
It is important to document the data protection process and any new security policies or data privacy programs implemented. If a breach or violation does occur, this provides a record that you have done your due diligence.
5. Repeat the Process
The data privacy and security landscape will continue to evolve, so your precautions and safeguards should evolve with it. Continue reviewing and updating your data privacy and security policies.
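As an added example that is not from the original article or from Spirion, the Python script below walks through steps 1 to 4 on constructed sample files: it discovers files containing PHI indicators (the SSN, MRN and DOB patterns are illustrative assumptions, not a complete PHI definition), assigns a hypothetical sensitivity tier, checks whether each file is readable beyond its owner, and returns a findings record that can be kept as the documentation from step 4. It assumes a POSIX file system, since the access check reads the "other" permission bit.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed, illustrative PHI indicators; a real scanner needs far broader detection.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:# ]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

def classify(kinds):
    """Step 2: hypothetical sensitivity tiers based on which indicators appear."""
    if "ssn" in kinds or {"mrn", "dob"} <= kinds:
        return "restricted"
    return "confidential" if kinds else "internal"

def scan_file(path):
    """Steps 1 and 3: indicators found, tier, and whether POSIX perms expose it beyond the owner."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return None  # unreadable file: skipped here, a real tool should log it
    counts = {k: len(p.findall(text)) for k, p in PATTERNS.items()}
    return {
        "path": str(path),
        "indicators": counts,
        "classification": classify({k for k, n in counts.items() if n}),
        "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
    }

def scan_tree(root):
    """Walk a directory; the returned list is the step 4 findings record."""
    recs = (scan_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file())
    return [r for r in recs if r]

def demo():
    """Constructed sample files so the scan runs offline; findings keyed by file name."""
    root = tempfile.mkdtemp()
    samples = {
        "lab.txt": "Patient MRN 00123456, DOB 04/12/1981, glucose 98 mg/dL\n",
        "claims.csv": "id,ssn\n1,123-45-6789\n2,987-65-4321\n",
        "notes.txt": "Internal meeting notes, no patient data.\n",
    }
    for name, body in samples.items():
        Path(root, name).write_text(body)
        os.chmod(Path(root, name), 0o644 if name == "claims.csv" else 0o600)
    return {Path(r["path"]).name: r for r in scan_tree(root)}
```

In the constructed sample, claims.csv is deliberately left world-readable so the audit check flags it alongside its restricted classification.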
At first glance, this process can seem very labor-intensive. Simply tracking down data across multiple endpoints can be a heavy lift for security teams. Data privacy software tools, like Spirion, make it easier for covered entities and business associates to become and remain HIPAA compliant. Spirion can find sensitive PHI wherever it lives, execute automated workflows that help your team manage sensitive data, and easily monitor and understand data from a single dashboard.