I’ve been spending considerable amounts of time with small and medium sized healthcare practices (gosh, I even started managing one).
HIPAA compliance (or rather, the threat of a fine) is always on a practice manager’s mind.
Granted, it’s in the back of their minds – but the threat of a fine is real. If you need a primer to keep your practice out of trouble without having to pore through copious amounts of HIPAA related documentation – this post is for you.
I am not a HIPAA expert per se, but here’s how I guide small to mid-sized healthcare practices around HIPAA.
Understand the basics of it
HIPAA = Health Insurance Portability and Accountability Act.
No information, no privacy in it – is there?
However, do understand that this HIPAA thing is all about protecting personal health information.
There’s another term you need to know – called PHI.
That’s Protected Health Information (not personal health information)… things that can easily identify a person and their health condition(s). This is so simple to figure out.
You can already identify a person by their name, DOB or SSN anyway. Now simply extend that to some health encounter related information (e.g. a medication, lab, report or healthcare related payment).
PHI attempts to protect that. You knew that – didn’t you?
So, how is HIPAA related to PHI? HIPAA just guides you on how to protect PHI of your patients, how to exchange PHI with others that might be involved in your patient’s care (the actual transmission of this data) and finally how to give/get authorization to exchange this data.
That’s it. Understand these basics and you already know more than most.
Next up – understand the 3 basic rules you need to keep in mind
- HIPAA security rule – simply tells you how you need to store and protect patients’ PHI
- HIPAA privacy rule – simply tells you how you can use or share patients’ PHI
- HIPAA breach notification rule – if (God forbid), there’s a breach, this tells you who and how you need to apprise of the breach.
Can you get HIPAA certified and become HIPAA compliant?
Not quite – sure, you can get certifications, but that doesn’t automatically make you compliant. HIPAA compliance is an organizational cross to bear.
Who has to deal with HIPAA?
A covered entity – e.g. provider, health plan or a clearing house
A business associate – all the people that provide services to the covered entities mentioned above. This also includes subcontractors of all those business associates involved in the dealings.
What can you do right now? A few simple things.
- Figure out who has access to your patient’s data. Include employees, contractors, software vendors, physician partners, health systems etc.
- Figure out what level of access they have.
- Figure out the Business associate agreements (BAA) you have in place.
- Figure out how you are currently protecting PHI
- Figure out the gaps and the impact of a breach
- Train your staff on what’s involved in HIPAA and PHI
That’s about it. If you understand PHI and just think twice before storing, sharing and transmitting PHI – you’re better off than most providers and health systems I have worked with.
Need details? Read the long form post below.
The growing need for HIPAA compliance
The number of data breaches is on the rise, and patients’ records have been put at risk and compromised. Some of the largest data breaches ever discovered happened in 2015.
There was a massive data breach at Anthem Inc where 78.8 million health records were compromised and there were two more in which over 10 million health records got affected.
If we look at 2017 alone, the largest data breaches occurred due to hacking; be it Peachtree Neurological Clinic, where 176,295 records were exposed due to hacking, or the McLaren Medical Group, Mid-Michigan Physicians Imaging Center, where 106,008 records were affected, and many more.
If we look closely, healthcare data breaches have been on the rise in 2017, and therefore it’s very important that measures are taken to protect healthcare data in the future.
Compliance with HIPAA has emerged as a tool that will not prevent every data breach, but will ensure healthcare organizations achieve at least the minimum standard for data security, which in turn will prevent the majority of healthcare data breaches.
In recent years, it has become evident that if you are a healthcare institution, you will have to pay more attention than ever before to protecting patients’ medical records and information.
There is also a rising trend of mHealth (mobile health applications), which ranges from healthcare apps to fitness tracker apps to doctor appointment scheduling apps. These are also covered under the HIPAA compliance rules.
A Recap: What is HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection.
Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.
Every Covered Entity and Business Associate that has access to PHI must ensure they adhere to the 3 rules of HIPAA:
- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Breach notification Rule
HIPAA Security Rule
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect ePHI when it is at rest and in transit. The rules apply to anybody or any systems that have access to confidential patient data.
By “access” I mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers which reveal the identity of an individual.
Under HIPAA Security rule every Covered Entity and Business Associate (we will get to covered entity and business associates a bit later on in this article) that has access to PHI must ensure the technical, physical and administrative safeguards are in place and adhered to.
The Technical Safeguards relate to the technology that is used to protect ePHI and provide access to health related data.
The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers.
This is so that any breach of confidential patient data renders the data unreadable, indecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to:
- Implement a means of access control (required) – This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.
- Introduce a mechanism to authenticate ePHI (addressable) – This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.
- Implement tools for encryption and decryption (addressable) – This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received.
- Introduce activity audit controls (required) – The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.
- Facilitate automatic logoff (addressable) – This function – although only addressable – logs authorized personnel off of the device they are using to access or communicate ePHI after a predefined period of time. This prevents unauthorized access of ePHI should the device be left unattended.
The Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers which are located within the premises of the HIPAA covered entity.
They also stipulate how workstations and mobile devices should be secured against unauthorized access:
- Facility access controls must be implemented (addressable) – Procedures have to be introduced to record any person who has physical access to the location where ePHI is stored. This includes software engineers, cleaners and even a handyman coming to change a light bulb. The procedures must also include safeguards to prevent unauthorized physical access, tampering, and theft.
- Policies relating to workstation use (required) – Policies must be devised and implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation (so that the screen of a workstation cannot be overlooked from an unrestricted area) and govern how functions are to be performed on the workstations.
- Policies and procedures for mobile devices (required) – If mobile devices are to be allowed access to ePHI, policies must be devised and implemented to govern how ePHI is removed from the device before it is re-used.
- Inventory of hardware (addressable) – An inventory of all hardware must be maintained, together with a record of the movements of each item. A retrievable exact copy of ePHI must be made before any equipment is moved.
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together.
They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
The OCR pilot audits identified risk assessments as the major area of Security Rule non-compliance. Risk assessments are going to be checked thoroughly in the second phase of the audits; not just to make sure that the organization in question has conducted one, but to ensure they are comprehensive and ongoing.
A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.
The administrative safeguards include:
- Conducting risk assessments (required) – Among the Security Officer’s main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
- Introducing a risk management policy (required) – The risk assessment must be repeated at regular intervals with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
- Training employees to be secure (addressable) – Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. All training must be documented.
- Developing a contingency plan (required) – In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI while an organization operates in emergency mode.
- Testing of contingency plan (addressable) – The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
- Restricting third-party access (required) – It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
- Reporting security incidents (addressable) – The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. Nonetheless, all employees should be aware of how and when to report an incident in order that action can be taken to prevent a breach whenever possible.
HIPAA Privacy Rule
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Protected Health Information.
It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
Covered entities are also advised to:
- Provide training to employees to ensure they are aware what information may – and may not – be shared outside of an organization’s security mechanism.
- Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
- Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research.
Covered entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and also the option of providing an electronic copy to a patient when it is requested.
The HIPAA Breach Notification Rule
The HIPAA Breach notification rule requires covered entities to notify patients when there is a breach of their ePHI.
The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of ePHI and issue a notice to the media if the breach affects more than five hundred patients.
There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal.
These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.
Breach notifications should include the following information:
- The nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
- Whether the ePHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach.
When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.
‘HIPAA Certified’ is not the same as ‘HIPAA Compliant’
HIPAA Compliance refers to following the proper rules in accordance with requirements and regulations set forth by policies or guidelines.
HIPAA Certification is the process to obtain or be awarded a document or designation to attest a person has completed an educational course.
These statuses cannot be used interchangeably; they each have their own separate purposes. For example, employees and businesses can become “certified” but employees cannot be “compliant”.
The difference between the two is that “certification” is obtained by a person or company, whereas “compliance” is maintained by an organization.
HIPAA Certification can be obtained by taking an exam to validate knowledge and skills in the core areas of HIPAA regulations and guidelines. Once successfully completed with a passing grade, certification is achieved.
There are many businesses and websites which offer HIPAA Certification. This “certification” has been designed by private companies that include training and testing, but has not been officially approved by the federal government.
Health and Human Services (HHS), the government entity which manages and is responsible for enforcing the HIPAA Rule, does not endorse or otherwise recognize HIPAA Certification as a way to absolve organizations from the legal obligations of the HIPAA Security Rule.
HIPAA Compliance cannot be achieved by means of taking and passing an exam. HHS states there is no company entrusted to “certify” an organization as HIPAA Compliant.
HIPAA Compliant companies are required to perform a periodic evaluation (technical and non-technical) to establish that their security policies and procedures meet the security requirements.
This evaluation can be performed internally or by an external organization that provides “certification” services.
In summary, there are definitive differences between HIPAA “certification” and “compliance”, including when it comes to a hosting provider.
HIPAA Compliance is the set of rules and regulations set forth by HHS to follow for proper secure handling and protection of medical information.
HIPAA certification consists of obtaining credentials which validate understanding of these rules and regulations, but these credentials have not been approved by HHS.
Do I need to worry about HIPAA Compliance?
According to HIPAA, if you belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you and your business are required to be HIPAA-compliant.
A covered entity is anyone who provides treatment, payment and operations in healthcare. According to the U.S. Department of Health & Human Services (HHS), Healthcare Providers, Health Plans, and Healthcare Clearinghouses are all Covered Entities.
Covered Entities Include:
- Healthcare providers such as: doctors’ offices, dental offices, clinics, psychologists, nursing homes, pharmacies, hospitals or home healthcare agencies
- Health plans such as: company health plans, health insurance companies, HMOs, Medicare, Medicaid
- Employers and schools that handle PHI in order to enroll their employees and students in a health plan
- Government programs that pay for healthcare
Business Associates Include
A Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assist
Here are some examples of potential Business Associates:
- Data processing firms or software companies that may be exposed to or use PHI
- Medical equipment service companies handling equipment that holds PHI
- Shredding and/or documentation storage companies
- Consultants hired to conduct audits, perform coding reviews, etc.
- External auditors or accountants
- Professional translation services
- Answering services
- Accreditation agencies
- E-prescribing services
- Medical transcription services
Why non-compliance is no longer an option
The penalties and fines imposed for non-compliance are rising all the time. Establishments need to take the necessary steps to ensure compliance.
But it should not just be the fear of penalties that must keep healthcare entities complying with HIPAA rules. Consequences of data breaches of protected health information (PHI) can be more devastating than you might realize.
First, a great number of victims do not know about the identity theft even after several months. The thieves make transactions in their names, and the victims only find out when collection letters from creditors start arriving.
Resolving an identity theft involving medical records costs around $20,000, as per the Ponemon Survey in 2010. The damage done to the businesses involved can easily require millions of dollars to recover from.
According to the 2018 SecurityMetrics Guide to HIPAA Compliance, health-care organizations accounted for more than 27.6 percent of last year’s reported data breaches. Although new technologies and government initiatives surrounding cybersecurity are on the rise, the value of patient data is increasing as well—and with it, the amount of cybercrime.
According to another survey done in 2014, almost half (43%) of IT professionals don’t understand the compliance legislation when it comes to managing data. Moreover, over half (52%) of the IT industry specialists surveyed said that they would rather use a third-party to manage their data compliance than make sense of it themselves.
Demonstrating how eager they are to enforce the Cabinet Office’s zero-tolerance approach to non-compliance, the Information Commissioner’s Office (ICO) issued a fine of £325,000 to an NHS University Hospital Trust after a serious data breach in 2012.
Do you think your practice is prepared to bear a loss of that magnitude?
A HIPAA violation could be intentional or unknowing.
Either way, if your healthcare organization fails to meet regulations, it could be looking at a fine of up to $1.5 million.
The steps to take to ensure compliance are much easier and less expensive in comparison.
Setting up secure processes, training employees, and keeping systems up-to-date can help you avoid a security breach. You’ll also avoid the hefty fees that go along with it.
Not sure where your organization stands in terms of compliance?
The U.S. Department of Health and Human Services offers a Security Risk Assessment tool to get you started. This can help you determine if you’re covered (or not) when it comes to following regulations.
How do I go about being HIPAA Compliant then?
Start with risk assessment
You must consider the following scenarios while performing a risk assessment:
- Determine the scope of analysis (as it extends to material contained on electronic devices, for instance).
- Aggregate data on Electronic Protected Health Information (EPHI) by reviewing past and current projects; reviewing all documentation; conducting interviews; and incorporating other means of data collection. Then, all accumulated data must also be documented.
- Identify and document all potential threats and vulnerabilities to the covered entity. Whether or not a threat is enough to exploit a vulnerability determines whether it would be considered a risk.
- Make an assessment of present security measures, including those which apply both electronically and physically. Document these as well.
- Determine the likelihood of the threat actually happening (the OCR provides a tiered system).
- Determine the possible impact of the threat (the OCR has a checklist).
- Determine actual level of risk.
- Identify measures to manage risk.
Determine accessibility to protected data
Below are a few measures that you can take to determine accessibility to protected data:
- Determine who in the organization has access to protected data, and assign a unique username and password to each user.
- Put controls over the permissions to access patient information. Don’t allow everyone to have access to patient data.
- Determine the responsibilities of each employee and make sure there is a written job description and grant access rights based on each user’s functions and role.
- Implement procedures for the authorization and/or supervision of workforce members who work with ePHI, by defining and documenting policies.
- Implement procedures to determine that a workforce member’s access to ePHI is appropriate.
- Ensure there is an emergency access procedure in place so that employees can obtain necessary ePHI during an emergency.
- Implement procedures for monitoring login attempts and reporting discrepancies.
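As an added example (not code from the original post or from any EHR product), the script below applies the technical safeguards described earlier (unique user IDs, activity audit controls) and the access-monitoring items above to a constructed ePHI access log: it reports failed-login bursts, use of shared (non-unique) accounts, and reads or writes outside a role’s permitted record types. The log format, the role matrix and the thresholds are assumptions chosen for illustration.

```python
"""Audit-control review over a constructed ePHI access log.

Assumptions (not from HIPAA text or any product): a pipe-delimited log
with the fields timestamp|user|role|action|record_type|patient_id|result,
a least-privilege matrix per role, and a 5-failures-in-5-minutes rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2024-03-04T08:01:10|jdoe|clinician|login|-|-|ok
2024-03-04T08:02:30|jdoe|clinician|read|clinical_note|P1001|ok
2024-03-04T08:05:12|bsmith|billing|read|billing|P1001|ok
2024-03-04T08:06:40|bsmith|billing|read|clinical_note|P1002|ok
2024-03-04T08:10:00|nursestation|clinician|read|clinical_note|P1003|ok
2024-03-04T08:11:05|kwu|front_desk|login|-|-|fail
2024-03-04T08:11:20|kwu|front_desk|login|-|-|fail
2024-03-04T08:11:31|kwu|front_desk|login|-|-|fail
2024-03-04T08:11:45|kwu|front_desk|login|-|-|fail
2024-03-04T08:12:02|kwu|front_desk|login|-|-|fail
2024-03-04T08:12:30|kwu|front_desk|login|-|-|ok
2024-03-04T08:20:00|kwu|front_desk|read|demographics|P1004|ok
"""

# Assumed least-privilege matrix: record types each role may read or write.
ROLE_PERMISSIONS = {
    "clinician": {"read": {"clinical_note", "demographics", "lab"},
                  "write": {"clinical_note"}},
    "billing": {"read": {"billing", "demographics"}, "write": {"billing"}},
    "front_desk": {"read": {"demographics"}, "write": {"demographics"}},
}
# Assumed generic logins that defeat the "unique user ID" safeguard.
SHARED_ACCOUNTS = {"nursestation", "frontdesk", "admin"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the pipe-delimited log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, rtype, patient, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "record_type": rtype,
                       "patient": patient, "result": result})
    return events


def find_discrepancies(events):
    """Return (kind, user, detail) tuples for each discrepancy found."""
    findings = []
    failed_logins = defaultdict(list)  # user -> timestamps of failures
    for e in events:
        if e["user"] in SHARED_ACCOUNTS:
            findings.append(("shared_account", e["user"], e["ts"].isoformat()))
        if e["action"] == "login":
            if e["result"] == "fail":
                failed_logins[e["user"]].append(e["ts"])
                recent = [t for t in failed_logins[e["user"]]
                          if e["ts"] - t <= FAILED_LOGIN_WINDOW]
                # Report exactly once when the burst reaches the threshold.
                if len(recent) == FAILED_LOGIN_THRESHOLD:
                    findings.append(("failed_login_burst", e["user"],
                                     e["ts"].isoformat()))
            continue  # login events carry no record type to check
        allowed = ROLE_PERMISSIONS.get(e["role"], {}).get(e["action"], set())
        if e["record_type"] not in allowed:
            detail = f'{e["action"]}:{e["record_type"]}:{e["patient"]}'
            findings.append(("role_violation", e["user"], detail))
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_discrepancies(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} user={user:12} {detail}")
```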
Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research.
Choose a privacy and security officer
They will help decide your compliance plan. Have someone designated to this role if you are not compliant. The security officer must be able to understand the HIPAA security rules and apply them to the organization. They will help you adopt appropriate security policies and procedures.
Identify and evaluate threats to the confidentiality and integrity of ePHI.
Perform audits and coordination of all computer systems and networks.
Assess the policies
Review policies and procedures covering what to do if PHI is lost, stolen, or inappropriately disclosed;
Review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.
Privacy and Security Policies and Procedures
After completing the risk assessment and assessing the policies you must start creating security policies and procedures that will ensure the privacy of protected health information and the security of such information.
Policies and procedures must be updated regularly, and any changes need to be clearly documented and communicated to your staff.
Business Associate Agreement (BAA)
Next the Covered entities must ensure that they have a current HIPAA business associate agreement in place with each of their partners to maintain PHI security and overall HIPAA compliance.
You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.
Setup Disaster Recovery Plan
A HIPAA disaster recovery plan is a document that specifies the resources, actions, personnel and data that are required to protect and reinstate healthcare information in the event of a fire, vandalism, natural disaster or system failure.
The disaster recovery plan is a required implementation, defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.
A HIPAA-compliant disaster recovery plan must state how operations will be conducted in an emergency and which workforce members are responsible for carrying out those operations. The plan must also explain how data will be moved without violating HIPAA standards for privacy and security. It must also explain how confidential data and safeguards for that data will be restored. Although HIPAA doesn’t specify exactly how to do this, it does note that failure to adequately recover from a disaster could lead to noncompliance. Failure to comply exposes officers of the organization to repercussions, such as fines or jail time.
Can Cloud take care of all this stuff for me?
Cloud computing is changing the way healthcare practices work. From maintaining electronic records, to data storage, to making collaboration easier through mobile devices, video conferencing and healthcare apps, the cloud speeds up processes and allows for better communication. It also offers access to high-powered analytics and telemedicine capabilities.
The cloud has now become more secure, efficient and convenient for healthcare practices.
Cloud computing offers the most cost effective and flexible infrastructure environment.
Cloud use is an ever-growing field within healthcare practices.
Need for compliance in Cloud
1. Secure patients’ private information from identity theft
Hackers are constantly trying to steal patients’ PHI in order to sell it on the black market for identity theft and fraud purposes. Therefore, to prevent data breaches we need regulations to protect sensitive patient information.
2. Deny access to full medical records
In a few cases there is a possibility that we cannot give full access to patient data to a particular patient. There must be laws that prevent
3. For maintaining confidentiality with PHI
With stricter confidentiality rules regulating the sharing of PHI, patients have more control over who can access their personal medical information. When needed, patients can give permission for specified family members, other covered entities, employers, etc., to have access to their PHI.
Because of these real threats to sensitive information, certain industries are required by law to be compliant with certain standards, especially when dealing with customer information.
Under the new HIPAA rule, cloud service providers that process electronic health information (ePHI) are considered business associates even if the PHI is encrypted and the cloud service provider is not able to view it. This rule follows the guidance from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on HIPAA and cloud computing.
Cloud Computing and HIPAA – What’s my exposure?
Below are a few guidelines that give direction on the nature of cloud computing, business associate agreements (BAA) and how they should be made compliant with HIPAA.
- When accessing ePHI using a mobile device, make sure that physical, administrative and technical safeguards are in place to protect the confidentiality, integrity and availability of the ePHI.
- A covered entity or business associate can use a cloud service to store or process ePHI by first entering into a HIPAA-compliant BAA with the CSP that will be creating, receiving, maintaining, or transmitting ePHI.
- A CSP that stores encrypted ePHI and does not hold the decryption key is still considered a HIPAA business associate: because the CSP receives and maintains ePHI for a covered entity or other business associate, lacking a decryption key for the data does not exempt the CSP from business associate status.
- If a CSP experiences a security incident, it must report the incident to the covered entity or business associate. HIPAA requires business associates to identify and respond to suspected or known security incidents, mitigate harmful effects that are known, and document security incidents and their outcomes.
How much does HIPAA Compliance cost?
There is no set cost to be HIPAA compliant because every business’ requirements depend on its size, the existing infrastructure and the number of patients they handle every day. Here are the points you have to cover to know how much it will cost you to comply with HIPAA rules.
- The type of organization you have, e.g., a healthcare clearinghouse, business associate, hospital, etc. The risk levels and amount of data to be protected is different for each business type.
- The size of your business. When the business size is large, the security solution is much more complex and hence needs more money to be implemented.
- The team you dedicate to HIPAA compliance. You need to have a system to be HIPAA compliant, and there you will need people to manage that system, which will add to your costs.
- Consider the dynamics of your existing system. Your costs can vary based on just the type of devices, sensors, and meters you use as well as the type of computers.
- The budget allocated by the management. If your management does not take the risk of data breaches seriously, they might not be willing to dedicate enough money to meet all the requirements of being HIPAA compliant.
Here’s a general idea
If you are a small covered entity, HIPAA should cost:
- Risk Analysis and Management Plan= $2,000
- Remediation= $1,000 – $8,000
- Training and policy development= $1,000-2,000
Total: $4,000 – $12,000
If you are a medium/large covered entity, HIPAA should cost:
- Onsite audit= $40,000+
- Risk Analysis and Management Plan= $20,000+
- Vulnerability scans= $800
- Penetration testing= $5,000+
- Remediation= Varies greatly based on where entity is today in relation to compliance and security
- Training and policy development= $5,000+
Total: $50,000+, depending on the entity’s current environment
The healthcare industry is being attacked at a higher rate than any other sector. This makes it all the more important for entities to take the time to fully understand HIPAA and how it applies to your organization, to protect yourself, your business, your patients and your clients from breaches.
Be sure to have Business Associate Agreements in place with vendors, and then document and implement processes to make sure you have the right administrative and physical safeguards in place.