HIPAA, which is a set of rules that govern the personal information and privacy of individuals who receive healthcare services from covered entities, is now more essential than ever before in the healthcare sector. Hospitals, clinicians, and insurance firms all need to be HIPAA compliant to protect patient's private and sensitive information.
In this article, we'll walk you through the following:
- A brief introduction to HIPAA
- What is Protected Health Information?
- Who needs to be HIPAA Compliant?
- What are the 5 Main HIPAA Rules?
- What are some of the identifiers for PHI?
- What is required for HIPAA Compliance?
- Who isn't required to comply with HIPAA?
Note: If you want a sure-fire way to stay compliant, try our HIPAA training program today. We'll make sure you know everything about the laws in place to avoid penalties or violations.
Contact us for a free trial today.
Let's get started.
A brief introduction to HIPAA
HIPAA stands for Health Insurance Portability and Accountability Act
. Created in 1996, it is a set of federal standards that protects the privacy of people's health information. Under this act, healthcare providers are obligated to ensure that all patients' protected health information (PHI) remains private. One way physicians can fulfill this obligation is by ensuring their practice is compliant with the HHS Office for Civil Rights (OCR) standards.
What is Protected Health Information?
In the healthcare setting, PHI includes any information related to past medical history and treatment, current health condition and status, and personal demographic information. It also includes billing records and other documentation where someone's name is linked to their medical record number or diagnosis code. It should also follow the "minimum necessary rule
Who enforces HIPAA?
The Department of Health and Human Services (HHS) is the government agency responsible for HIPAA enforcement
. They work with state attorneys general to enforce HIPAA's provisions. In addition, HHS can conduct voluntary compliance reviews as well as impose civil money penalties on those who violate HIPAA laws
Who needs to be HIPAA Compliant?
If you work in healthcare, either as an employee or a contractor, you need to be compliant with the HIPAA privacy rules. This includes any organizations that provide health insurance (health plans), healthcare clearinghouses (companies that process data received from another entity), and Healthcare providers who transmit claims electronically.
It doesn't matter if you're at a private practice, public clinic, hospital outpatient department, blood bank, pathology lab...you are required to comply with these standards.
If your organization does not follow these rules, they will likely be fined by the government if they get caught.
What are covered entities?
A covered entity is an organization that collects, generates, or transmits personal health information electronically.
This includes any person or organization that provides healthcare to patients. A medical clinic, hospital outpatient department, and an urgent care provider are all included in this definition. Any place where a patient gets treatment is automatically covered under HIPAA.
What are business associates?
Business associates provide services for a healthcare organization.A business associate is any organization that comes into possession of protected health information during the course of work it has been contracted to perform on behalf of a covered entity.
Examples of business associates include:
- Medical Billing Companies
- Software Developers
- Website Hosting Company
Each Covered Entity needs to have a Business Associate Agreement in place with their entities to ensure compliance.
A Business Associate Agreement is a contract which details the responsibilities of each party involved in this relationship, including how PHI is protected.
What are standard privacy practices?
The U.S Department of Health & Human Services released 18 identifiers, in their Privacy Standards, that should not be used when documenting patient information. Among these include:
-Names (except for family or friends who need to be in the loop)
-Geographic subdivisions are smaller than a state, except where they identify states, counties, or cities.
-All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date. *Please note that a person's age alone is not considered personally identifiable information.
-Telephone numbers, fax numbers, e-mail addresses, Web site URLs*
-Social Security numbers (matched with any of the other identifiers listed here)
What is required to be HIPAA Compliant?
Covered Entities are responsible for implementing policies and procedures to protect PHI. They need to write these down in official documentation that everyone should follow. This includes:
- Who needs access to PHI? These individuals must be trained on all privacy policies and procedures before getting access to this data.
- How long do we keep PHI maintained? Covered entities need to properly dispose of this data once it's no longer needed. Employees who work with PHI need to be trained on what to do with PHI when they leave the company.
- Staff training is required for everyone who handles PHI, at least annually. This should include all staff members involved in using PHI, even the IT department.
- All physical documents related to patient information must remain in a secured space so nobody outside of this area has unapproved access.
- Business Associate Agreements need to be in place with all business associates who access PHI, including the subcontractors of these business associates.
HIPAA compliance also includes employees being disciplined if they violate privacy policies. They should face consequences that are strong enough to discourage this from happening again.
For example, an employee might be terminated if caught inappropriately looking up information on a patient who isn't their own...or even fined by the government for violating HIPAA rules
. It's important to realize that these laws are meant to protect patient privacy and confidentiality, and not hinder healthcare providers or place too much burden on them.
What are the 5 Main HIPAA Rules?
There are regulations that you need to follow to be HIPAA compliant. Most of these fall under four categories: Privacy, Security, Electronic Data Interchange (EDI), Unique Identifiers, and Breach Notification rule.
Here's a rundown of each one:
HIPAA Privacy Rule
These deal with how individuals can access their own PHI and who has a right to use or disclose PHI without prior consent from an individual. Essentially this rule lets people request their medical records any time they want to see them. In addition, entities covered by this law cannot disclose someone's PHI without authorization from the person
HIPAA Security Rule
The Security Rule for HIPAA
includes the policies and procedures you must follow to keep PHI secure. The law requires that "reasonable" administrative, technical, and physical safeguards are in place so that only authorized individuals have access to their information. You cannot use or disclose an individual's PHI unless it is required for treatment, payment, or health care operations. For example, access measure controls make Zoom HIPAA compliant
HIPAA Electronic Data Interchange (EDI) Rule
This has to do with transactions like claims forms moving back and forth electronically between providers/insurance companies/etc. They need to be encrypted securely under HIPAA standards.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule is an amendment to the HIPAA regulation that was passed in order to apply HIPAA to business associates as well as covered entities. The HIPAA Omnibus Rule stipulates that business associates must be HIPAA compliant and specifies the conditions surrounding Business Associate Agreements (BAAs).
HIPAA Unique Identifiers Rule
Every organization that uses electronic transactions must use standard unique identifiers throughout their whole system (i.e. not having a different identification number for each patient you see, so that the system knows who is being treated when).
HIPAA Breach Notification Rule
This deals with how you're supposed to notify those affected by a breach of unsecured PHI. Health providers must report breaches of unsecured PHI to the OCR and to those individuals whose unsecured PHI has been breached so they can take steps to protect themselves from fraud and identity theft.
Who isn't required to comply with HIPAA?
Remember, many businesses and people are not required to follow HIPAA, and there are times when health information may be accessible to these parties. As we've mentioned earlier, the HIPAA act applies only to covered entities and their business associates.
Here are some examples of those who aren't covered by HIPAA but who may have access to health information:
- Workers' compensation insurers
- Administrative organizations, and businesses (unless they are otherwise considered covered entities)
- Social Security and welfare agencies that deliver benefits
- Automobile insurance plans with health benefits
- Gyms and fitness centers
What is considered a HIPAA violation?
A HIPAA violation occurs when someone who is not covered by the law accesses, discloses or uses PHI without appropriate authority. For example, if you had your friend help you log on to your doctor's website so that you could check your lab results and see what medications you can take while pregnant - this would be considered unauthorized disclosure of PHI.
Note that a single inadvertent disclosure does not automatically mean there has been a violation of HIPAA rules; however, it may trigger an investigation by HHS. OCR may also issue sanctions for HIPAA violations depending on how egregious the offense was (i.e., whether anyone's PHI was actually compromised). Additionally, entities covered by federal health information privacy laws are required to comply with the requirements of that law.
If you notice a HIPAA violation, you'll need to file a complaint
What are some common types of HIPAA Violations?
Even if you do not work at a health care facility, you may still encounter situations where patient information is mishandled. Common examples of HIPAA violations include:
- Giving PHI to unauthorized people
- Failing to encrypt PHI on a laptop or other portable device
- Leaving PHI lying around in the open where it could be accessed by unauthorized individuals
- Storing PHI electronically without taking appropriate safeguards (i.e. without encryption)
There are many more common types of violations, including sharing PHI with friends or family members who should not have access to your health information.
For more answers to HIPAA questions
, check out our resource.