HIPAA - Regulations and Compliance
- What kind of patient information is protected by HIPAA;
- How to ensure compliance with the HIPAA Rules; and
- An outline of the key elements of the “HIPAA Privacy Rule” and “HIPAA Security Rule.”
To get connected with a health care attorney familiar with HIPAA regulation and compliance, call The Health Law Group now.
What is “HIPAA?”
The Health Insurance Portability and Accountability Act of 1966 (“HIPAA”) established privacy and security protections for patients’ electronic protected health information (“ePHI”). HIPAA is essentially a series of regulatory standards and guidelines for handling the use and disclosure of “protected health information.”
What is “Protected Health Information?”
“Protected health information” is any demographic information that can be used to identify a patient. This can include a patient’s name, address, phone number, medical history, financial information, and social security number. Even pictures of the patient are considered protected.
What is “ePHI?”
“ePHI” refers to “electronic protected health information.” Basically, any patient medical or treatment information that is protected under the Health Insurance Portability and Accountability Act of 1966 (“HIPAA”) is ePHI.
What is the “HIPAA Security Rule?”
The HIPAA Security Rule outlines a national standard for how to securely handle ePHI. This includes record maintenance and transfer of electronic health information as well.
Basically, the HIPAA Security Rule outlines the safeguards that eligible health care providers must put into place when dealing with electronic protected health information (“ePHI”).
For example, the standards and guidelines outline the physical, administrative, and technical safeguards that every health care provider must abide by when dealing with patients’ electronic health records.
These rules apply to both “covered entities” and “business associates” of those entities.
What is the “HIPAA Privacy Rule?”
The HIPAA Privacy Rule is a set of national standards for protected health information which outlines the standards for:
- A patient’s right to access their protected health information; and
- A health care provider’s right to deny access to protected health information.
The Rule also outlines the standards for entities:
- “Use and Disclosure” forms;
- “Policy and Procedure” forms;
- “Notices of Privacy Practices” forms; and
- Standards to be listed in a provider’s “HIPAA Policies and Procedures” outline.
What Entities Are Required to be HIPAA Compliant?
There are two (2) types of organizations that must maintain HIPAA compliance. Those two entities include:
- Covered Entities; and
- Business Associates.
According to HIPAA, a “covered entity” is an organization that collects, creates, or transmits electronic protected health information (“ePHI”). This can include health care providers, health insurance providers, and health care clearinghouses.
HIPAA defines a “business associate” as an organization that deals with protected health information on behalf of a covered entity.
Basically, if a “covered entity” has contracted with an organization to provide services related to the handling, transmitting or processing of protected health data, they will be considered a “business associate.”
Service Providers Considered “Business Associates”
HIPAA compliant service providers that would be considered “business associates” include:
- Physical storage providers
- Cloud storage providers
- Cybersecurity providers
- IT providers
- Email hosting services
- Billing companies
- Management firms
- Third-party consultants
- Paper shredding companies
- Professionals like attorneys and accountants
HIPAA Training and Certification
- All employees of “covered entities” and “business associates” of covered entities must be trained on HIPAA Policies and Procedures.
- Each employee must renew their training certification every year.
- Each employee must attest to the fact that they have read and understood their company’s Policies and Procedures, and the entity should record such documentation.
Who Regulates/Enforces HIPAA Compliance?
- HIPAA compliance is regulated by the Department of Health and Human Services (“HHS”).
- HIPAA compliance is enforced by the Office for Civil Rights (“OCR”).
What Does HIPAA Compliance Require?
- Self-Audits
- Security Risk Assessment Audits
- Remediation Strategies
- Policies and Procedures
- Required Documentation
- Business Associate Agreements
- Breach Notifications
Self-Audits
If you are a “covered entity” or “business associate,” you should be conducting annual self-audits in order to identify and address any issues in your organization’s ability to comply with the HIPAA Privacy and Security Standards.
Security Risk Assessment Audits
While Security Risk Assessments are required by HIPAA, they alone are not sufficient to remain compliant. Entities must also conduct self-audits, as discussed above.
Remediation Strategies
After conducting your self-audits and security risk audits, all HIPAA entities hoping to remain compliant must employ some type of remediation plan in order to address the issues identified in the audits. If no remediation plan is put in place once you identify compliance issues, you may be liable for a HIPAA violation. These remediation plans must be specific and must include a recorded date by which the issues will be cured.
Policy and Procedure
Entities must develop their own Policy and Procedure standards in compliance with the HIPAA regulatory standard outlined in the HIPAA Rules and provide training and certification of all employees in these Policies and Procedures. Each staff member’s certification must be renewed once a year, and each member must attest to the fact that they have read and understood the Policies and Procedures. Each organization must keep a record of this attestation.
Required Documentation
It may go without saying, but all efforts to maintain HIPAA compliance should be documented. Even if it may not be explicitly required, every effort you make to become compliant, maintain compliance, or correct compliance issues should be readily accessible to your organization. This includes documentation of self-audits, security audits, remediation, employee attestation of policies and procedures, and all entities with which your organization has shared electronic health information. Document retention and efficient document retrieval are essential during HIPAA investigations.
Business Associate Agreements
All entities that share a patient’s protected health information with other entities must produce Business Associate Agreements to ensure the information is handled properly. Basically, you and whoever you are sending a patient’s protected health information to have a joint responsibility to protect the records. Before sharing a patient’s electronic protected health information, you must get assurances from the entities you are sending this information to that they will handle the information securely. If you do not get assurances that the individual will protect the data, then you may be liable for “willful neglect” of that information, which is a HIPAA violation.
Breach Notifications
All “covered entities” and “business associates” must notify patients and government agencies after a breach of a patient’s protected health information has occurred. For a more in-depth view of “What Happens if a Patient’s Protected Health Information is Breached,” continue reading below.
What Happens if a Patient's PHI is Breached?
If a breach of a patient’s electronic protected health information occurs, the HIPAA Breach Notification Rule requires that the patients, HHS, OCR, and other entities be notified of the breach. Who is required to be notified depends on whether the breach is a “minor breach” or a “meaningful breach.”
"Minor Breach" - Fewer Than 500 Patients
A “minor breach” is any data breach containing protected health information that affects fewer than 500 patients.
Who Must be Notified of “Minor Breaches?”
The Rule states that all affected patients must be notified of any “minor breach” within 60 days of the discovery of such breach.
The Rule also requires that the Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) be notified of any “minor breaches” and “meaningful breaches” within 60 days of the end of the calendar year in which they occurred.
"Meaningful Breach" - 500 Patients or More
- All affected patients must be notified;
- Local media must be notified;
- Local law enforcement must be notified;
- The State Privacy Officer must be notified;
- The Office for Civil Rights (“OCR”) must be notified; and
- The Department of Health and Human Services (“HHS”) must be notified.
All meaningful breaches that are reported are posted on the HHS Breach Notification Portal. The HHS Breach Notification Portal is essentially a list of all “meaningful breaches” reported within the last 24 months that are currently under investigation by the Office for Civil Rights (“OCR”).