Call now for cybersecurity help: 888-646-1616
Josh Ablett

What Is HIPAA Compliance?

December 1, 2020

HIPAA compliance is an important legislative act in the United States Healthcare and Health insurance industries. It's tailored towards data privacy and safeguarding medical information. 

Initially, the introduction of HIPAA compliance was designed to improve the health insurance portability of employees when they change jobs. But the act has been updated over the years. 

If the nature of your job requires you to create, modify, and have access to protected health information (PHI), it's mandatory to comply with HIPAA rules.

Furthermore, HIPAA compliance is not peculiar to healthcare professionals, hospitals, or health insurance brokers. Any third-party organization whose nature of service allows them to access PHI also needs to comply with the HIPAA provisions. 

HIPAA Rules 

HIPAA is a set of rules included in the original ACT. These rules are flexible because they regularly update them following technological and workplace trends. 

Interestingly, the US Department of Health and Human Services (HHS) constantly sets guidelines on the right way to use, protect, and even share data. Again, HIPAA rules specify how to report data breaches. But before we discuss all the rules under HIPAA, let's quickly look at the roles of a HIPAA compliance officer. 

Who is a HIPAA Compliance Officer?

Most organizations have a HIPAA compliance officer who handles all HIPAA related matters. The amount of work this person does depends on the volume of protected health information (PHI) his organization creates, uses, and maintains. Generally, the officer is responsible for drafting the HIPAA compliance policy and procedure.

In larger organizations, a HIPAA compliance officer's duties are split between a privacy officer and a security officer. 

The HIPAA privacy officer is responsible for developing a HIPAA compliant privacy program. But if a compliant privacy program already exists, the HIPAA privacy officer will enforce the privacy policies to protect PHI's integrity. 

He also handles regular employee privacy training, carries out risk assessments, and develops HIPAA compliance procedures when necessary. 

The HIPAA security officer, on the other hand, develops security policies, implements security procedures, training, risk assessments, and monitoring compliance. In a nutshell, the HIPAA security officer focuses on strict compliance with the security rule's administrative, physical, and technical safeguards. 

Summary of HIPAA Rules 

What Is HIPAA Compliance?

Before you can develop an actionable HIPAA compliance policy for your company, you need to understand its rules. So, here is a summary of all HIPAA rules;  

The Privacy Rule of 2000

The HIPAA privacy rule of 2000 helps to restrict the use and disclosure of protected health information (PHI). It gives guidelines on the circumstances in which you can share health information. 

According to the rule, any individual or entity that shares unauthorized health information (it doesn't matter whether it's by accident or intentionally) could incur a serious financial penalty.

It can also be a potential criminal liability if the covered entity or organization doesn't have enough safeguards to prevent a breach. 

The Security Rule of 2003

The HIPAA security rule of 2003 helps to ensure the security and integrity of electronically protected health information (ePHI). The rule consists of administrative, technical, and physical safeguards. Each of these safeguards has "required" and "addressable" implementation specifications. 

Before any health organization or covered entity is in full compliance with HIPAA, they must implement "required" safeguards. 

But "addressable" safeguards give covered entities or health organizations the option to either implement them or an alternative that serves the same purpose. 

However, if you think, it's neither reasonable nor appropriate to implement "addressable" safeguards, just document. But never ignore any "addressable" safeguard, it could result in serious breach of data. 

Below are examples of "required" and "addressable" safeguards; 

Technical Safeguards:

Required:

  • Establish a means of access control 
  • Have audit controls and activity logs

Addressable:

  • Establish a method of authenticating ePHI
  • Have a reliable tool for encrypting and decrypting data. Read our article on HIPAA data encryption to learn more about it. 
  • Implement automatic log-off of PCs and mobile devices; 

Physical Safeguards

Required:

  • Implement policies for the use/positioning of workstations
  • Establish policies and procedures for mobile devices

Addressable:

  • Carryout inventory of hardware
  • Facilitate access control 

Administrative Safeguards 

Required:

  • Establish a risk management policy 
  • Carry out a risk assessment
  • Develop a contingency plan
  • Try to restrict third-party access.

Addressable:

  • Establish a password management policy
  • Test your contingency plan
  • Implement a workforce clearance procedure

The Breach Notification Rule of 2009

This rule gives covered entities and health organizations guidelines to follow when there is a breach of ePHI/PHI (electronically protected health information). A breach in this context refers to an impermissible use or disclosure under the privacy or security that compromises data security or patient privacy. 

By the provision of this rule, Covered Entities must notify the affected individuals whenever there's a breach of ePHI/PHI. Also, the rule mandated Business Associates to notify Covered entities if a breach occurs. 

Lastly, the rule requires covered entities and health organizations to notify people affected by the breach no later than 60 days. And they must advertise the breach on their website for 90 days after discovery. 

As a health organization, the best way to avoid a breach of PHI is to work with HIPAA shredding companies.

The Enforcement Rules of 2006

The enforcement rule of 2006 addresses a non-compliance with the HIPAA privacy and security rules. It empowers the Department of Health and Human Services to investigate complaints against Covered Entities that fail to adhere to the privacy rule. 

However, if the security breach of PHI/ePHI is as a result of the covered entity failure to implement established safeguards in the security rule, the enforcement rule of 2006 enables the HHS to sanction the entity. 

So, the rule gives HHS the power to bring criminal charges against Covered Entities who constantly violate HIPAA. And those who fail to introduce corrective measures within 30 days of the violation. 

The Final Omnibus Rule of 2013

The omnibus rule contains the most recent updates of HIPAA. Even though it doesn't contain any new legislation, it helps to remove ambiguity from the existing HIPAA and Hitech regulations. 

The specification of encryption standards and the introduction of new administrative standards are perfect examples of the Omnibus Rule. These two reflect how technological advancement changes the way PHI is transmitted and shared between healthcare professionals. 

Furthermore, the final omnibus rule contains updates that clarify the ambiguous use of language in the security and privacy rules. For instance, the definition of "workforce" was clarified with terms like employees, trainees, volunteers, and other people directly or indirectly involved in the performance of work for a covered entity. 

What Are the Keys to success for HIPAA compliance

One of the frequently asked questions about HIPAA is "what is the key to success for HIPAA compliance" The answer lies in implementing an effective compliance program. And below are components of a well prepared Hipaa compliance program; 

#1. Self Audit

Covered entities are expected to measure their organizations' compliances with HIPAA by completing an annual self-audit. Here are six required audits for HIPAA covered entities;

  • IT risk analysis questionnaire
  • Security standards
  • HITECH Subtitle D
  • Asset and Device
  • Physical site
  • Privacy assessment.

#2. Gap Identification

After completing the self-audit process, covered entities will be able to identify areas lacking in their safeguards. Once gaps are identified, remediation plans will be put in place to address deficiencies. 

 

#3. Policies and Procedures 

Policies and procedures are key to success for HIPAA compliance. They specify how to use and disclose protected health information. So, covered entities must implement policies and procedures that are peculiar to their business process. 

Once you fail to customize policies and procedures for your organization, your organization will be vulnerable to a breach of PHI. 

#4. Employee Training and Tracking

Health organizations and covered entities should regularly train their employees on policies, procedures, as well as HIPAA standards. Also, every employee that attends the training program must legally attest to have read and understood the training materials. 

What is the Importance of HIPAA compliance in Healthcare

It's important to comply with HIPAA because it ensures that all healthcare providers and covered entities implement multiple safeguards to protect sensitive personal and health information. 

Of course, no healthcare organization will carelessly expose sensitive health data or steal health information. But HIPAA requires them to implement safeguard data. And there are repercussions if any of them fail to implement safeguard. 

Below are the Importance of HIPAA compliance in Healthcare; 

  • HIPAA Drives Patients Transparency. Patients are more transparent with their health information once they are certain that their health information is protected. 
  • Non-compliance is costly. In most cases, violation of HIPAA is unintentional. But there's no excuse for the violation because it could cost a covered entity or health organization as high as $1.5 million. 
  • Consistently complying with HIPAA regulations boost covered entities and health organizations' reputation. 

Certainly, HIPAA is a complex piece of legislation. And it's technically difficult and costly to follow every piece. Most health organizations and Covered entities make a series of HIPAA Mistakes every day. So, it's advisable to get legal counsel to come up with a compliance program that's perfect for your organization. 

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
About
Blog
Copyright 2024 Adelia Associates, LLC | All Rights Reserved