Imagine it is 1996 again. Do you know what happened that year?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted.
You might not consider it one of the most notable events, but, in fact, it is the one that changed the healthcare setting forever. These companies and providers that found a way to comply are today's leaders.
But before revealing the massive impact of this act, we should first define what it stands for. HIPAA sets standards for protecting sensitive patient health information (in the US) from being disclosed without the patient's consent or knowledge.
It applies to:
- healthcare providers
- health plans
- healthcare clearinghouses.
HIPAA regulations are mandatory for all entities holding the health information of US Citizens, no matter where the business is.
Sensitive patient data (individually identifiable health information) consists of 18 identifiers, which include the following: (1)
- Addresses (including subdivisions smaller than states, such as street, city, county, and zip code)
- Dates (except years) directly related to an individual (birthdays, admission/discharge dates, etc.)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
And now comes the primary question.
Why is HIPAA so important?
As technology evolves, it leads to growing exposure to personal information. HIPAA actually regulates the course of which digital health technology should develop. This act defines who can access and use protected health information (PHI). Healthcare organizations that threaten to expose patient data at risk are those that might face serious consequences.
This article is one of these well-built HIPAA compliance resources that will come into practice as soon as you read it! To guide you, we have prepared a HIPAA compliance checklist, so you can be one of those entities that will maintain safe operations and see growth.
HIPAA covered entity: a must for the healthcare industry
A "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA) is any entity that electronically transmits or stores protected health information (PHI).
Healthcare providers are individuals or organizations that provide healthcare services (doctors, nurses, clinics, hospitals, and nursing homes). Health plans include entities that pay for or arrange healthcare services, such as health insurance companies, HMOs, and government programs such as Medicare and Medicaid.
Healthcare clearinghouses are organizations that process non-standard health information they receive from another entity into a standard format.
All these entities must also comply with HIPAA compliance requirements for notice of privacy practices, individual rights, and breach notification. It is vital to note all the organizations that fall under the business associate category.
Usually, these are companies that act on behalf of healthcare providers. For instance, a software development company building a health management application for a hospital would be considered a business associate.
Identifying the covered entities category you fall under shows which HIPAA requirements you should follow. It is a good idea to hire a HIPAA compliance officer who will be responsible for privacy policies related to sensitive data. Thus, you ensure HIPAA compliance when utilizing protected health data, especially when developing a high-budget project.
Be cautious with the HIPAA Security Rule
The next on the HIPAA checklist are the security rules. As they lay the basis for achieving HIPAA compliance for digital health providers, you should put time and effort into understanding and applying them to your organization.
While the HIPAA privacy rule stands for the use and disclosure of all types of health information, the security rule sets standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The Security Rule applies to all covered entities that create, receive, maintain, or transmit ePHI. It requires HIPAA-covered entities to implement physical, administrative, and technical safeguards to protect ePHI:
These include physical measures entities use to protect against unauthorized access to ePHI, such as locked file cabinets, security cameras, and restricted access to computer systems. Healthcare organizations are also required to maintain a record of access to ePHI.
Technical measures are the next step healthcare entities perform to mitigate the risk of unauthorized access to ePHI.
One of the key security principles, features, and measures include:
- Role-based access control
- Data encryption
- Malware detection systems
- HIPAA audit and monitoring
- Integrity (policies and procedures)
- Multi-Factor authentication
- Cohesive passwords, etc.
Administrative safeguards consist of all the policies, procedures, and privacy and security rules for maintaining ePHI and training employees to follow these policies and procedures. Healthcare entities should perform periodic risk assessments, implement sanctions for HIPAA violations, and handle and report security incidents.
The safeguards above are a must for completing your HIPAA security rule checklist. Only after ensuring that your organization covers all of them can you feel relieved that you maintain safe operations.
Prepare for the HIPAA Data Breach Notification Rule
Do you know what happens when you experience a data breach?
Trust me, you do not want to! However, like it or not, you should be aware of the HIPAA Breach Notification Rule. It is a set of regulations that requires covered entities and business associates to notify individuals, the Department of Health and Human Services, and the media when a breach of unsecured health data occurs.
Now is the time to define what a healthcare data breach is: unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of individuals. A breach is considered "unauthorized" unless the covered entity or business associate demonstrates a low probability of PHI being compromised.
Furthermore, when a breach occurs, the covered entity must notify each individual whose PHI has been or is believed to have been disclosed, as a result of the breach. The notification must be made in written form or by email if the individual has agreed to receive electronic notifications.
The covered entity must also notify the Secretary of the Department of Health and Human Services (HHS) if the breach affects 500 or more individuals. If the breach affects fewer than 500 individuals, the covered entity must maintain a log or other documentation of the breach and provide it to the Secretary of HHS upon request.
In addition, the covered entity must also notify prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction.
Watch out for common HIPAA violations
There are numerous violations of the HIPAA that organizations and individuals can commit. 5,150 data breaches have been reported to OCR between October 21, 2009, and December 31, 2022.
If this number does make you anxious, then you should add the following violations to your compliance checklist :
- Unauthorized access or disclosure of PHI. This occurs when PHI is accessed or disclosed without proper authorization. Such problems can include sharing PHI with unauthorized individuals, leaving PHI accessible to unauthorized individuals, or failing to properly secure PHI.
- Lack of safeguards. HIPAA requires organizations to have certain physical, technical, and administrative safeguards, such as policies, procedures, and measures to protect PHI.
- Failure to report a breach. Organizations are required to report any breaches of PHI to the Department of Health and Human Services and affected individuals. Failure to report a breach can result in a violation of HIPAA.
- Failure to implement a risk analysis. Organizations are required to conduct a regular risk analysis to identify potential vulnerabilities and threats and implement appropriate safeguards to protect PHI.
- Improper disposal of PHI. HIPAA requires organizations to properly dispose of PHI when it is no longer needed. This can include shredding paper records or wiping electronic devices.
- Lack of Business Associate Agreement (BAA). HIPAA requires a BAA between the covered entities and the business associates who transmit ePHI on behalf of the covered entities.
Prevent HIPAA violations by implementing the safeguards
As mentioned above, HIPAA requires covered entities to implement technical, physical, and administrative safeguards to protect personal health information.
They aim to protect:
- data integrity
- information accessibility
The Department of Health and Human Services Office of Civil Rights (OCR) is the organization that would enforce HIPAA noncriminal violations. In one calendar year, fines may hit $50,000 per violation “of the same provision”.
Examples of penalties and fines that have been assessed by the OCR include: (2)
- In 2018, Anthem Inc. paid $16 million to settle potential HIPAA violations stemming from a 2015 data breach affecting 79 million people.
- In 2019, a hospital agreed to pay $3.2 million because of a 2014 data breach that exposed the PHI of 4.5 million individuals.
- In 2020, a provider agreed to pay $2.3 million to settle potential HIPAA violations due to the 2018 data breach that exposed the data of 3.5 million people to threat.
Individuals and organizations are considered criminally liable when disclosing protected health information knowingly, aiming for commercial gain, or under pretenses. Such criminal activities result in hefty fines and imprisonment for up to 10 years.
Be familiar with penalties and fines to get management support
Do you find this specific HIPAA compliance checklist valuable? If yes, we’ve done our job to summarize this massive information in 2000 words successfully. But don’t give up on our guide and continue to read the last two paragraphs that are a must-know.
You should always be well aware of the following factors that might be considered HIPAA violations and lead to fines and penalties:
- Malicious intent (civil vs. criminal penalties)
- The degree of negligence
- Occurrence of a breach
- The number of records exposed
- Future risk because of the breach
Penalties and fines are assessed based on the level of negligence and the nature of the violation.
There are two types of penalties for HIPAA violations and security incidents: (3)
- Civil penalties. These penalties can be assessed for HIPAA violations that are not considered to be willful neglect. They range from $100 to $50,000 per violation, with an annual maximum of $1.5 million.
- Criminal penalties. The criminal penalties for violating HIPAA mean that if an organization or individual knowingly and improperly accesses, uses, or discloses protected health information, they can face fines and even jail time. They can range from $50,000 to $250,000 and up to 10 years in prison.
It is important to note that these penalties and fines are designed to be a deterrent, and they can be costly, not only in terms of financial penalties but also in terms of damage to reputation and loss of customer trust.
This is why you should turn to a reliable healthcare consultant who will mitigate the risk of a data breach that might cause irreversible harm to you and your organization.
Perform Regular HIPAA Risk Assessments
So far, we sincerely hope you understood two things:
- You should 100% comply with HIPAA
- If you don't meet compliance, you are highly likely to lose money
Here comes this crucial measure you can undertake to prevent violations: risk assessment. HIPAA Data Breach Risk Assessment is a systematic process of evaluating the likelihood and impact of a data breach in electronic protected health information.
This risk assessment process includes evaluating the likelihood of a data breach resulting from unauthorized access, disclosure, or use of ePHI.
The HIPAA risk assessment process helps covered entities and business associates to identify and prioritize areas for improvement in their security management processes. It also helps them to implement appropriate security measures to protect ePHI and to comply with the HIPAA Security Rule.
The risk assessment should be ongoing and should be reviewed and updated regularly in response to changes in technology, business, or HIPAA compliance processes.
Weighing up the points, we can conclude that maintaining HIPAA compliance is a must, as this regulation dictates the development of healthcare technology. Only those healthcare entities that meet HIPAA compliance can expect future growth.
However, implementing safeguards might be challenging if you are new to the industry. This is why you might need help from experts in the field who can advise you through developing the project or even build the project themselves for you.
Do not hesitate to research and find the most appropriate IT partner that will deliver the desired business outcomes and guide you through your HIPAA compliance journey