HIPAA Compliance

HIPAA stands for the Health Insurance Portability and Accountability Act, which Congress passed in the mid-1990s to protect health data. It is composed of a series of rules that require organizations in the healthcare industry, along with their business associates, to secure patient data and protect patient privacy.
HIPAA rules cover healthcare organizations and professionals that create and keep protected health information (PHI). These include hospitals, doctors, nurses, pharmacies, health plans, and healthcare clearinghouses.
These rules also encompass the business associates of these organizations that carry out healthcare functions or activities requiring access to PHI.
The Privacy Rule establishes the standards to protect a patient’s “individually identifiable health information”, which is information related to the patient’s mental or physical health, medical treatments, or payment history. Healthcare organizations must secure this information “in any form or media, whether electronic, paper, or oral”, since such records contain a patient’s name, phone number, birth date, Social Security number, or other personal identifiers.
The Privacy Rule defines how healthcare institutions can use patient data. It specifies what information may be disclosed without the patient’s permission and to whom. This rule also guarantees patients the right to access their personal health information and medical records. As such, healthcare institutions are required to implement written privacy policies, inform patients about them, and train staff for HIPAA compliance.
The Security Rule sets national standards on how electronic protected health information (ePHI) should be handled, maintained, and transferred. This rule also requires healthcare organizations to put administrative, physical, and technical data security safeguards in place.
In 2013, the final Omnibus Rule was enacted to include the role of business associates in the implementation of HIPAA rules. It also set the criteria for Business Associate Agreements (BAAs). It launched new provisions that strengthened HIPAA security and privacy protection, incentivized the use of electronic health records (EHR) in the U.S., and imposed greater sanctions on non-compliant organizations, all in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The Breach Notification Rule requires healthcare organizations and their business associates to notify the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) when ePHI is breached. This rule defines how to report different types of breaches. HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”.
The rule also distinguishes between “minor breaches”, which affect fewer than 500 people, and “meaningful breaches”, which affect more than 500 individuals. All types of breaches must be reported to OCR. In addition, all meaningful breaches are made public on OCR’s Breach Notification Portal, commonly called the “Wall of Shame”.
The Enforcement Rule gives OCR the authority to investigate HIPAA complaints, conduct compliance reviews, educate, and levy fines of up to $1.5 million. OCR also works with the Department of Justice and forwards possible criminal violations of HIPAA to it. The rule further empowers HHS to enforce the Privacy and Security Rules.
Healthcare organizations and their business associates should be proactive in preventing HIPAA violations. It is therefore important to create privacy and security policies that are documented, communicated to staff, and updated regularly. Staff should be trained on how to properly carry out these policies and should attest in writing that they understand and agree to all HIPAA policies and procedures.
Further, healthcare institutions are required to create and distribute a Notice of Privacy Practices (NPP) form for patients to review and sign. The NPP should state the organization’s privacy policies, describe how PHI is handled, and inform patients of their right to access their medical records.
Since HIPAA policies change frequently, organizations are required to designate a Privacy Compliance Officer who oversees the development of the privacy policies and ensures that they are properly enforced and updated annually. The Privacy Officer is also responsible for maintaining NPPs, managing and updating BAAs, and scheduling training sessions.
HHS also suggests that larger organizations create a Privacy Oversight Committee to lead policy formation and manage oversight. Members of such a committee should take regular training to stay current with changes to the HIPAA regulations.
Organizations are also required to assign a HIPAA Security Officer to ensure that policies and procedures are implemented to prevent ePHI data breaches. The Security Officer is also responsible for establishing the safeguards required by the HIPAA Security Rule and for conducting risk assessments to determine their effectiveness.
Administrative Safeguards: Organizations are required to document security management practices, assign security personnel, provide security training, establish a management system for easy and safe access to information, and assess all security protocols regularly.
Physical Safeguards: Organizations should identify which personnel may access the physical facilities where ePHI is stored. All workstations and devices used to transmit or store ePHI should be properly secured.
Technical Safeguards: Organizations should ensure that ePHI in the EHR and other databases is secure and is accessible and visible only to authorized personnel. Measures to encrypt data in transit should also be implemented, for example through HIPAA-compliant texting and messaging solutions. At the same time, integrity controls should be put in place to ensure that ePHI is not improperly edited or deleted. Organizations should also make sure that the hardware and software that manage or transfer ePHI meet the national standards for HIPAA network requirements.