What Are HIPAA Compliance Requirements? [Complete Checklist]
HIPAA penalties are brutal, but following HIPAA compliance requirements will help you avoid them. Here is a complete step-by-step checklist for HIPAA compliance.
HIPAA compliance requirements include the following:
- Privacy: patients’ rights to PHI
- Security: physical, technical and administrative security measures
- Enforcement: investigations into a breach
- Breach Notification: required steps if a breach occurs
- Omnibus: compliant business associates
What Is HIPAA Compliance?
HIPAA is a framework developed in 1996 to outline an organization’s legal obligations under specific regulations in the Health Insurance Portability and Accountability Act. These regulations set standards for critical aspects of healthcare data management, including the right of patients to privacy, the necessity for appropriate security controls to protect private data, and the requirements healthcare organizations must meet if that data has been breached by a malicious third party.
Important to this framework is the notion of data protection. The physical security of data, encryption standards used to protect that data, and the procedures used to document, transmit, and store data are all critical parts of HIPAA and its underlying requirements.
Managed by the Department of Health and Human Services and its Office for Civil Rights, these regulations exist to ensure the confidentiality of private patient information in a world of electronic record keeping, digital data transfer, and (more recently) cloud services.
Some Important HIPAA Regulatory and Compliance Terms
To understand what compliance is and who it applies to, it’s important to know a few key terms:
- Covered Entity. These are the hospitals, doctors, clinics, insurance agencies, or anyone that regularly works with patients and their private data.
- Business Associate. Service providers that work closely with Covered Entities without directly working with patients. Business associates often handle private data because of their technology products, consulting, financial administration, data analysis, or other services.
- Electronic Protected Health Information (ePHI). ePHI is the legal name for private patient data stored and transmitted through electronic means. All privacy, security, and reporting rules refer to the protection and management of ePHI.
What Are the Four Main HIPAA Rules and How Do They Impact Compliance?
Four primary rules define the structure and meaning of everything related to compliance requirements:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Omnibus Rule
Each rule provides a framework for one aspect of compliance and informs critical aspects of the other rules.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes the national standard for patients’ rights to privacy and private information. Furthermore, it sets up the framework that dictates what ePHI is, how it must be protected, how it can and cannot be used, and how it can be transmitted and stored.
An additional part of the Privacy Rule is the paperwork and waivers it requires for entities handling ePHI.
Under this rule, any individually identifiable patient data held by a covered entity or any of its business associates is subject to privacy protection. This is what is called “protected health information” and includes:
- Any past, present or future documentation on physical or mental conditions
- Any records about the care of the patient
- Any records referencing past, present or future payments for healthcare
The rule states that the only scenarios where covered entities can disclose private health information involve very specific care, research, or legal situations. These situations are themselves incredibly narrow and subject to interpretation in a court of law.
The best rule of thumb is that when it comes to ePHI privacy, the Covered Entity and their Business Associates have an obligation to protect it.
The HIPAA Security Rule
With the definition of privacy and ePHI in place, the next step is protecting that data. The HIPAA Security Rule established the national standards for the mechanisms required to protect ePHI data. These mechanisms extend across the entire operation of the covered entity, including technology, administration, physical safeguards for computers and devices, and anything that could impact the safety of ePHI.
The controls outlined in this rule are organized into three groups of safeguards:
- Administrative. This includes policies and procedures that impact ePHI as well as the technologies, system design, risk management, and maintenance related to all other security measures. It also includes aspects of healthcare administration like Human Resources and employee training.
- Physical. Physical safeguards secure the access to physical equipment—including computers, routers, switches, and data storage. Covered entities are required to maintain secure premises where only authorized individuals can access data.
- Technical. Technical safeguards cover computers, mobile devices, encryption, network security, device security, and anything else related to the actual technology used to store and communicate ePHI.
The HIPAA Breach Notification Rule
The Breach Notification Rule specifies what happens when a security breach occurs. It’s almost impossible to protect data with 100% effectiveness, so organizations need to have plans in place to notify the public and the victims of a HIPAA breach about what has happened and what their next steps are.
The Breach Notification rule defines a series of steps any Covered Entity needs to take during a breach to stay in compliance, including:
- Notifying individuals impacted by a breach. Covered entities need to give victims formal, written notice of the breach, either by first-class mail or email (if applicable).
- If the Covered Entity doesn’t have contact information for more than 10 people in a breach, then they must provide alternative notice either through a posting on the website for 90 days or a notice in major print and broadcast news sources.
- The Entity must provide the notice no later than 60 days from the discovery of the breach.
- If the breach affects more than 500 individuals in a State or other jurisdiction, the Entity must provide prominent public notice of the breach through local media outlets.
- The Entity must additionally provide a Notice to the Secretary of Health within 60 days if the breach affects more than 500 people. If less, then the entity can update the Secretary by the end of the year.
These notification rules also apply to any breaches made known to the Covered Entity by one of its business associates.
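The notification steps above, encoded as a deadline planner that an incident-response playbook could call once a breach is discovered. This is an added example, not code from the article or from Accellion; the thresholds follow the article's wording, and the jurisdiction names and dates in the comments are constructed.

```python
from datetime import date, timedelta

# Thresholds and deadlines as the Breach Notification Rule is described in this article.
INDIVIDUAL_NOTICE_DAYS = 60       # written notice to victims no later than 60 days from discovery
SECRETARY_NOTICE_DAYS = 60        # notice to the Secretary within 60 days for large breaches
LARGE_BREACH_THRESHOLD = 500      # more than 500 affected: media notice and prompt Secretary notice
MISSING_CONTACT_THRESHOLD = 10    # more than 10 unreachable individuals: substitute notice required
SUBSTITUTE_WEB_POSTING_DAYS = 90  # duration of a substitute notice posted on the website


def plan_breach_notifications(discovered_on, affected_by_jurisdiction, missing_contact):
    """Return the notification obligations and ISO-date deadlines for one breach.

    discovered_on: ISO date (YYYY-MM-DD) the Covered Entity discovered the breach, or the
        date a Business Associate made it known (those breaches fall under the same rules).
    affected_by_jurisdiction: dict mapping state/jurisdiction name -> affected individuals.
    missing_contact: number of affected individuals with no usable mailing or email address.
    """
    discovered = date.fromisoformat(discovered_on)
    total = sum(affected_by_jurisdiction.values())
    individual_deadline = (discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)).isoformat()

    plan = {
        "individual_notice": {"method": "first-class mail or email", "deadline": individual_deadline},
    }
    # Substitute notice when too many victims cannot be reached directly.
    if missing_contact > MISSING_CONTACT_THRESHOLD:
        plan["substitute_notice"] = {
            "method": "website posting or major print/broadcast media",
            "website_posting_days": SUBSTITUTE_WEB_POSTING_DAYS,
        }
    # Media notice is per jurisdiction, not per total: each state over the threshold gets one.
    media = sorted(j for j, n in affected_by_jurisdiction.items() if n > LARGE_BREACH_THRESHOLD)
    if media:
        plan["media_notice"] = {"jurisdictions": media, "deadline": individual_deadline}
    # Secretary notice: within 60 days for large breaches, otherwise by the end of the year.
    if total > LARGE_BREACH_THRESHOLD:
        secretary_deadline = (discovered + timedelta(days=SECRETARY_NOTICE_DAYS)).isoformat()
    else:
        secretary_deadline = date(discovered.year, 12, 31).isoformat()
    plan["secretary_notice"] = {"deadline": secretary_deadline}
    return plan
```

Run it with the real discovery date and per-state counts from your incident record; the returned dict is the list of obligations to track to closure.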
The HIPAA Omnibus Rule
A more recent rule, the Omnibus Rule expands the reach of the regulations to organizations beyond Covered Entities.
In short, the Omnibus Rule states that compliance obligations cover the Business Associates and contractors. Accordingly, this means that Covered Entities are responsible for any potential violations of Business Associates and contractors, and need to update their gap analysis, risk assessment, and compliance procedures accordingly.
What Is HITECH and How Does It Relate to HIPAA Compliance?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 and informs compliance requirements for all the years after. Critically, this act revised the legal requirements of healthcare organizations across several industries, including direct healthcare and social security.
Before HITECH, only 10% of hospitals used electronic health records (EHR). HITECH was a critical part of pushing hospitals to switch to electronic record keeping. In part, HITECH promoted the adoption of digital ePHI management technology and subsequent compliance with HIPAA regulations. This includes offering incentives for switching to digital technology.
By 2017, in no small part thanks to HITECH, the rate of EHR adoption had risen to 86%.
HITECH also shifted some responsibility for HIPAA compliance. To encourage adoption of technology, the HITECH Act revised healthcare regulations so that Business Associates became directly responsible for violations, and that their responsibility would be outlined in a necessary business associate agreement (BAA) with a Covered Entity.
HITECH also increased penalties for violations and encouraged law enforcement to pursue violations more rigorously so organizations would stay in compliance.
What Are HIPAA Violations?
Compliance means staying within regulations stated in the Privacy, Security, and Breach Notification Rules. If an organization does not meet these standards to stay in compliance, then they are considered in violation of HIPAA.
Violations include:
- The unlawful exposure of ePHI to unauthorized parties, whether willfully or accidentally.
- Failure to implement proper security protocols as outlined by the HIPAA Security Rule.
- Lack of proper administrative or training protocols meeting requirements.
- Failure to properly notify affected parties and public officials following relevant data breaches.
- Lack of willingness to update, upgrade or address existing compliance gaps.
With that in mind, HIPAA breaks violations down into two groups: civil and criminal.
- Civil violations are non-compliance incidents where the non-compliance was accidental or without malicious intent. This includes events like neglect or lack of awareness. Penalties tend to be lower for civil violations:
  - For individuals that are unaware of violations, the fine is $100 per incident.
  - For those with reasonable cause without neglect, the fine is a minimum of $1,000.
  - Willful neglect carries a minimum fine of $10,000 per incident.
  - Willful neglect without an immediate rectification of the violation results in a minimum fine of $50,000 per violation.
- Criminal violations are those committed with malicious intent, i.e., theft, profit, or fraud. Penalties here include:
  - Knowingly obtaining or disclosing ePHI: up to $50,000 and 1 year in jail.
  - Committing fraud as part of the violation: up to $100,000 and 5 years in jail.
  - Committing violations with the intent to profit from the violation: up to $250,000 and up to 10 years in jail.
Numerous and repeated violations can cost organizations millions of dollars a year.
That being said, there are several common examples of violations:
- Fraud. The most direct and obvious violation is when individuals steal ePHI for profit or gain. Hacking and insider operations were once rare, but are increasingly common as more hospitals and healthcare networks turn to cloud technology and rely on unproven service providers.
- Lost or stolen devices. In the world of desktop workstations, technology theft was less common. As more clinics and hospitals turn to mobile devices like laptops, tablets, and smartphones, however, it’s more and more likely that these devices end up in the wrong hands.
- Lack of protection. The Security Rule defines the kinds of HIPAA encryption, firewalls, and other security measures that should be in place. Many organizations may not understand these, or they may work with a third-party associate that they believe is compliant but is not.
- Unauthorized access across organizations. Whether it’s sharing data from an authorized to an unauthorized individual, or using unencrypted devices or email, it’s extremely easy for untrained workers to access or transmit ePHI improperly. Compliant security providers like Accellion often provide enterprise content firewalls that have been developed to be compliant with HIPAA rules while allowing smooth communication between CEs, BAs, and patients.
It’s important to note that accidentally accessing unauthorized data is easy when, during emergencies or any other situation where time is of the essence, doctors or other workers need to share information fast. In fact, accidental disclosure of PHI is the most common form of violation, which is why there is an entire category of lower-end penalties to cover it.
Checklist to Avoid HIPAA Violations
The simplest way to avoid violations is to stay compliant across your organization. Here’s a quick compliance requirements checklist:
- Ensure that your administrative efforts are in line with the Privacy and Security rules, including training and personnel management. Have a data access and governance policy in place to support enforcement of these rules.
- Maintain compliant security technologies, including encryption for data-in-transit, in-use, and at-rest. Enforce data access policies across your system through centralized data access controls.
- Track and protect mobile devices so that they do not end up in unauthorized hands, and so that all data contained on them is properly encrypted. Implement remote wipe to destroy PHI on a device that is stolen, or simply avoid storing PHI on mobile devices in the first place.
- Keep all software updated to its latest version to maintain compliance and security.
- Audit all Business Associates and contractors to make sure that they are also compliant and in accordance with your BAA, especially if there is any chance that they will handle ePHI.
- Work with technology and security vendors with expertise in compliance. These companies can provide cloud tech, secure file transfers, and security software that matches requirements.
- Perform the necessary audits required for your specific operation in a regulated environment, including the use and maintenance of an unbroken audit trail of data access and other events related to PHI.
- Assign a HIPAA Compliance Officer to manage your compliance efforts across your organization.
Stay HIPAA Compliant with Accellion Security and File Transfer Services
Accellion is a cloud and on-premises services provider that supports secure managed file transfer, HIPAA compliant email, data management and security, and auditing and encryption technology that meets or exceeds HIPAA requirements for healthcare organizations. Accellion offers enterprise security features such as:
- One-click auditing and reporting with a complete, unified and unbroken audit trail of critical data access events.
- Encryption of content in transit and at rest, and additional security measures like key rotation, session timeouts, integrity checks, and anti-virus.
- Compliant reporting, administrative safeguards, and security policy controls for data and account access.
- SOC 2 attestations and other physical safeguards for AWS and Azure environments.
- AES 256 and TLS 1.2 encryption.
- Enterprise content firewall for protecting data on an internal network.
- Threat detection, mitigation, and forensics via comprehensive, unified logging, CISO Dashboard analytics, and exports to your SIEM.
We also bring years of experience in HIPAA-related compliance to help your organization better serve patients and their data.
Access our HIPAA Compliance Guide to learn how Accellion keeps you HIPAA compliant.
*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion authored by Bob Ertl. Read the original post at: https://www.accellion.com/hipaa-compliance/hipaa-compliance-requirements/