The Health Insurance Portability and Accountability Act of 1996 (HIPAA) put in place a set of regulations to standardize the legal disclosure and use of protected health information, also known as PHI. Protected health information includes everything from patients’ medical records, Social Security numbers, and financial information to addresses, phone numbers, and pictures.
As the health care sector has become more digitized, protection has been put in place to regulate the use of PHI that is stored, transmitted, and accessed electronically (known as ePHI). The HIPAA Security Rule is an addendum that was added to HIPAA to account for technological advances in health care.
So, who needs to be HIPAA compliant?
Health care providers, health insurance providers, and other entities that collect, transmit, or create ePHI are considered covered entities which must be HIPAA compliant. Additionally, business associates, such as IT providers, consultants, cloud storage providers, and any others who encounter PHI or ePHI must know exactly what HIPAA compliance is and conduct business accordingly.
The Department of Health and Human Services is responsible for HIPAA regulations, while the Office for Civil Rights enforces compliance. Failure to comply can cause organizations to face heavy fines depending on the type of non-compliance.
HIPAA Compliance Checklist
Now that you understand the reason for HIPAA rules and who needs to be HIPAA compliant, it’s important to ensure compliance within your business. The best way to do so is by establishing a HIPAA compliance checklist which allows your organization to conform to the established guidelines more easily.
Below is a checklist to get your business in line with HIPAA regulations:
- Limit Access to HIPAA Data – Create a least privilege model to determine who needs permission to access data.
- Create a Data Map – Know exactly where all your HIPAA-regulated files are, both locally and on the cloud.
- Protect Your Data – Use physical and technical enforcement to secure data, from locking files to cybersecurity measures and two-factor authentication.
- Monitor Access – Keep tabs on all access to PHI and ePHI by setting up alerts for anytime health care information is accessed.
- Monitor Perimeter Activity – Use threat models and security analytics to keep third parties at bay.
Keeping up-to-date of your organization’s security and activity with such a checklist places a priority on compliance and makes it easy for all employees to understand what HIPAA compliance is.
HIPAA Non-Compliance Penalties
Entities must adhere to HIPAA compliance regulations to avoid non-compliance penalties. Although HIPAA penalties aren’t issued very often (The Office of Civil Rights only issued 19 penalties in 2020), running afoul of privacy regulations is never good for a business.
Violations can be unintentional, such as accidentally disclosing more PHI than was necessary, or intentional, such as neglecting to notify patients of a data breach in a timely manner. Penalties are issued based on the severity of the violation.
- Tier 1 – The HIPAA-covered entity was not aware of the violation and was unavoidable even with proper adherence to HIPAA guidelines. A minimum fine of $100 per violation to a maximum of $50,000 can be issued.
- Tier 2 – The entity should have been aware of the violation but did not display willful negligence of HIPAA guidelines. A minimum fine of $1,000 per violation to a maximum of $50,000 can be issued.
- Tier 3 – The violation was a result of willful neglect of HIPAA guidelines, but measures have been put in place to prevent future violations. A minimum fine of $10,000 per violation to a maximum of $50,000 can be issued.
- Tier 4 – The violation was a result of willful neglect of HIPAA guidelines and no measures have been put in place to prevent future violations. Tier 4 includes a minimum fine of $50,000 per violation.
Costs can clearly begin to add up for HIPAA penalties, so all entities dealing with PHI need to maintain compliance and be aware of HIPAA IT requirements to avoid financial hardship.
HIPAA Compliant Hosting
Healthcare providers that wish to build apps and provide services need their web services to adhere to HIPAA regulations. HIPAA compliant hosting provides server space that follows the rules for organizations that handle PHI and ePHI.
HIPAA compliant hosting helps clients protect and secure health data by maintaining strict security procedures, encrypting personal information, and utilizing risk management policies at the server level. Such a robust infrastructure and set of safeguards makes HIPAA compliant hosting capable of handling health data in a safer way than standard web hosting solutions.
Once healthcare providers are able to receive hosting support to adhere their web services to HIPAA regulations, they are now able to move on to handling the business requirements for HIPAA compliance themselves.
HIPAA Compliance Challenges
Being compliant involves much more than simply knowing exactly what HIPAA compliance is. The challenges of HIPAA compliance are numerous, but organizations can take steps to make sure they keep up with regulations.
There are three main challenges to entities trying to adhere to HIPAA guidelines:
Privacy is of utmost importance with regards to HIPAA and PHI, and our data is constantly under attack from hackers. A good hosting service can provide organizations with the cybersecurity tools they need to maintain compliance.
Another cybersecurity threat comes from inside organizations, where careless email policies can lead to violations. Proper team training, access controls, encryption, and more can help reduce the chances of failing compliance due to email mistakes.
Risk management plans can help develop strategies to address every vulnerable point with specific technology and policies to enhance security.
Organizations that handle PHI often have professional relationships with other entities that need to access health data. Every additional party that handles, stores, or transmits data increases the chance of an error that could lead to falling out of compliance.
The HIPAA Omnibus Rule, put into effect in 2013, updated regulations regarding business partners. This rule expands covered partners to include subcontractors, storage companies, and consultants, meaning that more partners will share the responsibility of staying in compliance.
Creating a business associate agreement (BAA) for each partner helps ensure that all parties are aware of what is HIPAA compliant. The contract explains the proper use and disclosure of personal health data. BAAs are important for all partners because each partner is subject to non-compliance penalties.
Allowing employees to access PHI from their personal mobile devices can present a big security threat. Unencrypted tablets or phones that have access to patient data can cause an organization to fall out of compliance when the device is lost or stolen.
Organizations are expected to implement strong encryption on any mobile device an employee uses to access PHI—even if it is their own personal device.
HIPAA vs PCI
Payment card industry (PCI) compliance is the security standard in place for organizations that handle credit card transactions. The standards are developed by the PCI Security Standards Council and protect all credit card data that is transmitted when transactions are processed.
Both HIPAA and PCI are in place to secure personal data and regulate entities that are responsible for client and patient information. Organizations that fall out of compliance with HIPAA or PCI can face hefty fines until they regain compliance.
When comparing HIPPA vs PCI, it is important to know that there are a few significant differences between the two. Whereas PCI deals exclusively with electronic data, HIPPA and health care data can be both electronic and physical.
So, HIPAA compliance is broader in scale and requires both cybersecurity and on-site security to protect files. PCI is more technical in nature and requires the scanning of transaction ports to assure security.
HIPAA Compliance for Small Businesses
HIPAA provides protection for personal data and guidelines for those handling the data. But, with its challenges and the threat of steep fines for falling out of compliance, the regulations could present concerns for small businesses operating on a small budget.
Once small business owners can answer the question “What is HIPAA compliance?” they need to start looking for ways to implement safeguards for the security of both PHI and ePHI.
- Physical safeguards include security personnel that limits access to the building, systems, and certain rooms that contain data. Another form of physical safeguards is developing a plan for system recovery in the event of a natural disaster such as fire or flooding.
- Technical safeguards include network security, data encryption, and technology to track who accesses data and transmits files.
- Administrative safeguards include organization-wide strategies to secure PHI, manage data access among employees, and set standards for doing business with outside parties.
Small businesses can mitigate risk to their ePHI by selecting an appropriate cloud service provider and a compliant web hosting company. Such companies can help maintain compliance by restricting access, providing malware protection, and more.
HIPAA compliance is more than simply a set of regulations that businesses must follow. It helps establish trust between health care providers and the patients whose data they store.
By staying in compliance, businesses set themselves up for success and give their patients peace of mind that both they and their sensitive information are being well taken care of.