HIPAA compliance can be a confusing topic. You have to follow a myriad of rules
, and if you’re not careful, you can easily find yourself on the wrong side of the law.
This guide will tackle some of the most common HIPAA questions and provide the steps you need to take to comply with HIPAA rules.
Note: HIPAA compliance doesn't have to be hard. With EasyLlama, our bite-sized HIPAA compliant training videos can get your entire organization "in the know" to avoid any hefty penalties. Get in touch with us today to avoid fines.
Why was HIPAA created?
The Health Insurance Portability and Accountability Act, which came into effect in 1996, protects the privacy and security of protected health information (PHI). It was designed to safeguard the confidentiality, integrity, and availability of protected health information (PHI).
- Confidentiality: PHI is only available to those who are authorized.
- Integrity: PHI must be accurate, complete, and unaltered.
- Availability: PHI cannot be physically or electronically destroyed, tampered with, or otherwise compromised to jeopardize its availability.
What is Protected Health Information under HIPAA?
Under the HIPAA act, PHI is considered any individually identifiable health information related to the past, present or future physical or mental condition of an individual.
It can also include demographic information that links directly to such health information. This means that any data collected by a doctor, hospital, clinic, pharmacist, and health plan falls under the protection of HIPAA.
What are PHI identifiers?
PHI identifiers include:
- Names and addresses.
- All elements of dates related to an individual's birth, admission to a healthcare facility, or date of death.
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social Security Number (SSN).
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Device identifiers and serial numbers.
- URLs or IP addresses.
- Biometric identifiers (including finger and voice prints).
What is ePHI?
ePHI stands for Electronic Protected Health Information. ePHI is PHI that has been created, received, maintained, or transmitted electronically.
What exactly is HIPAA Compliance?
HIPAA compliance is the act of being in accordance with HIPAA regulations, standards, and implementation specifications. This means that entities are following HIPAA’s policies to meet its standards for data security and privacy. Read our resource for what to do if a HIPAA certificate expires
Who needs to comply with HIPAA?
- Covered Entities,
- Business Associates
- Business Associate Subcontractors
Covered entities, which include healthcare providers, health plans, and healthcare clearinghouses., need to adhere to HIPAA laws. Healthcare providers typically include hospitals, clinics, nursing homes, doctors’ offices as well as an entity that is paid for the provision of health care.
Health plans would include those covered by the Affordable Care Act (ACA) such as private insurance companies or State Medicaid agencies. Healthcare clearinghouses are organizations that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content).
A business associate is any person or organization outside of the covered entity who performs, on behalf of the covered entity, certain defined functions or activities involving PHI.
Examples of organizations that might become business associates include administrators, claims processing organizations, billing service providers, and transcription services.
Business associate subcontractors
Business associate subcontractors are third parties who require access to PHI owned or managed by the business associate, in order to perform their duties. An example is a billing service provider that deals with accounting on behalf of the business associate.
These are third-party organizations or persons who receive access to PHI from a business associate and must sign an agreement that they will protect this information per HIPAA guidelines.
What is a Business Associate Agreement?
A Business Associate Agreement is a legal and binding contract between a business associate and another entity or person. The agreement clearly states what PHI is to be shared, how it will be used by the receiving party, and when/how it may be terminated.
What are the main HIPAA rules
HIPAA has 3 main rules that covered entities and business associates must adhere to. They include:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
What is the HIPAA Privacy Rule?
The Privacy rule applies to the use and disclosure of PHI, setting conditions for when PHI can be used or disclosed by ƒ
There are many exceptions to this rule, such as using PHI within a facility, de-identifying data sets (removing all personal identifiers), and disclosures to business associates.
The Privacy Rule also includes implementation specifications that Covered Entities must follow, such as notification of privacy practices, maintaining PHI in an identifiable form unless de-identified (which would require documentation of the removal criteria), providing access to individuals for PHI about themselves, informing individuals if their data is breached, and many more.
What is the HIPAA Security Rule?
The Security Rule
sets national standards for protecting PHI within a healthcare organization from both internal and external threats. The specific elements of the HIPAA Security Rule include administrative, physical, and technical provisions to ensure ePHI remains confidential.
What is the Breach Notification Rule?
The Breach Notification Rule requires healthcare organizations to report breaches in the security or confidentiality of PHI. Breaches are defined as intentional or unintentional access, use, disclosure, modification, or destruction of PHI that compromises the security or privacy of such information.
Is there a difference between HIPAA and HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 to promote the adoption and meaningful use of health information technology.
The HITECH Act required HHS to adopt regulations related to the privacy and security of ePHI. The HITECH act also included civil penalties for willful neglect of HIPAA rules, increased enforcement efforts
, and expanded HIPAA requirements to business associates.
What constitutes a breach of PHI?
A breach of PHI occurs when there is an unauthorized use and/or disclosure of PHI that compromises the security and privacy of such information. This includes loss of data or encryption that renders data unreadable.
What is a HIPAA violation?
A HIPAA violation
is any action that goes against the policies and procedures of HIPAA. This can include actions such as failing to keep PHI private, inappropriately accessing PHI data, improperly disposing of PHI, sending PHI via insecure methods, etc.
What is the difference between a Privacy rule violation and a Security Rule violation?
A Privacy rule violation involves an individual's PHI and a Security rule violation involves ePHI.
What are the penalties for HIPAA violations?
The four tiers that are used for the HIPAA penalty structure include the following:
- Tier 1: The covered entity claims they didn't know there was a problem and, under the exercise of ordinary caution, probably wouldn't have known.
- Tier 2: A violation that the covered entity should have been aware of but was unable to prevent even with due diligence. (but not to the level of deliberate neglect)
- Tier 3: A violation owing to “willful neglect” of HIPAA Rules, in which an attempt has been made to correct the situation.
- Tier 4: A HIPAA violation resulting from willful neglect, in which no effort has been made to correct the situation.
For tier 1 breaches, the minimum penalty is $100 for each individual whose information has been breached.
For tier 2 breaches, the minimum penalty is $1000 for each individual whose information has been breached.
For tier 3 breaches, the minimum penalty is $10,000 for each individual whose information has been breached.
For tier 4 breaches, the penalty can be as much as $50,000 for each individual whose information has been breached.
What are some common HIPAA violations?
HIPAA violations include impermissible uses and disclosures of PHI such as providing PHI when not permitted or failing to give an accounting of disclosures.
Others include physical mishandling of PHI such as spilling PHI on the floor or leaving it in a public place where others can pick it up (e.g., losing a laptop with PHI), usage of unsecured electronic communications and use or disclosure of PHI without the authorization of the individual.
Other examples of common HIPAA violations include:
• Employees emailing PHI to themselves
• Employers requiring employees to disclose their passwords for accessing PHI
• Providing PHI to law enforcement without a subpoena
How can I report a HIPAA violation?
Individuals should file a complaint with the Office for Civil Rights (OCR) - an office within the U.S Department of Health and Human Services (HHS) - after discovering a HIPAA breach, whether it's about physical paper documents or electronic files. This can be done by mail, fax, or email using the OCR Complaint Portal.
• Name of the Covered Entity
• Name and/or Address of Alleged Violator (if known)
• Your name and contact information
• A description of the alleged violation, the date and time it occurred, and any evidence you may have.
What happens if there is a HIPAA violation?
Evidence of a HIPAA violation is investigated by the OCR. The OCR will send the Covered Entity, if they agree that there was a violation, a notice of findings.
The OCR may take corrective action against entities who are found to have violated HIPAA which include:
• Refunds to patients for their medical expenses (if unlawfully charged)
• Notifying individuals whose PHI has been breached
• Providing training on how to avoid future HIPAA violations
• Suspending or terminating employees who were involved with violations
How do I prevent HIPAA violations?
Employers can remain HIPAA compliant by ensuring their employees are familiar with the rules. Although it is possible to fire an employee immediately after they violate HIPAA, this may be counterproductive if the employer doesn't make reasonable efforts to train its workforce on how to avoid violating HIPAA.
In some cases, a record of previous violations could lead to revocation of an organization's Covered Entity status -- which is of course not desirable for most businesses.
The best way organizations can keep PHI private is by putting together strong security policies and protocols for their workforce that include:
• Using secure file sharing tools
• Ensuring laptops containing medical records are password protected
• Using strong passwords for all devices that contain patient information
• Ensuring only necessary information is transmitted over email
• Using strong encryption on mobile devices
Emails should also be sent to recipients directly rather than blasting everyone in a contact list.
At home, employees should use complex passwords and account lockouts after a certain number of failed login attempts.
Who is responsible for data breaches, the covered entity or business associate?
The organization that has custody of your protected health information (PHI) at the time of the breach is responsible, regardless if it's a Covered Entity or Business Associate.
However, once notified by an individual about a potential breach, they are required to take appropriate actions to investigate and mitigate further damage. They may not be able to find out how the breach happened, but must still do what they can to protect patient privacy.
What happens if there is no evidence of a HIPAA violation?
If no violations are found after an investigation, then you won't usually hear anything more from the OCR unless you're informed about the results of their investigation. If the OCR decides that there was no violation, then there will be no further action taken against you.
Is HIPAA's coverage worldwide?
No. HIPAA is only relevant to healthcare businesses inside the United States. Their data is required by the requirements of the organization. Patients who aren't US nationals are protected, even if they're not members of a US healthcare system.
On the other hand, non-US citizens who are part of a non-US healthcare network are not covered by HIPAA.