Every healthcare provider and healthcare worker should be familiar with HIPAA. The Health Insurance Portability and Accountability Act of 1996 is a federal statute that concerns healthcare information and insurance. In this article, we break down 10 of the top facts about HIPAA compliance that every healthcare provider should know.
1. HIPAA regulations apply to a wide range of organizations.
Every organization considered a "covered entity" must ensure ongoing healthcare HIPAA compliance. The term covered entity includes many healthcare settings and provider types, such as physician practices, dentists, psychologists, podiatrists, lab technicians, hospitals, clinics, nursing homes, schools with health providers, non-profits that offer healthcare services, and government agencies involved in healthcare. Also included are health insurance companies, employer-sponsored health plans, and government health programs such as Medicare and Medicaid. Finally, any organization that works with healthcare data, such as patient billing services or electronic medical records providers, should be considered as covered by HIPAA.
Business associates are also subject to HIPAA regulations. These are vendors that provide services or products that require access to healthcare information. Examples can include data processing firms, medical equipment providers, law firms, and software vendors.
2. If you work in healthcare, maintaining HIPAA compliance is essential.
Since its introduction, HIPAA regulations have played a key role in streamlining administrative healthcare procedures, increasing efficiency in the healthcare industry, protecting sensitive patient information, and ensuring that workers retain their healthcare insurance even if they lose their jobs. Every healthcare provider must maintain HIPAA compliance at all times or risk substantial fines.
The four key features of HIPAA are as follows:
- Privacy Rule;
- Security Rule;
- Business Associate Agreement (BAA); and
- Breach Notification Rule (also known as the Omnibus Rule).
The Privacy Rule safeguards individuals' health information and makes sure that patients have the right to access their own health records. The Security Rule gives guidelines on how to properly store, protect, and manage electronic protected health information (ePHI). The Breach Notification Rule provides instructions on the correct procedures to follow in the event of a breach of unsecured protected health information (PHI). Business associate agreements help ensure that any business associate of a covered entity will also abide by HIPAA regulations.
3. Failing to comply with HIPAA regulations can be very expensive.
HIPAA enforcement is taken very seriously. Depending on the type of HIPAA violation, provider organizations could be looking at fines up to $1.5 million per year. It's also important to note that a failure to protect patient data can be damaging to patient trust, cause long-term damage to the provider's reputation, and even impact patient care.
4. HIPAA compliance involves technical, physical, and administrative protections.
Keeping compliant with HIPAA regulations involves a broad compliance strategy that will affect every aspect of your organization. You need technical processes to make sure that you encrypt and authenticate ePHI, control and log access and changes to health data, and make sure that users are automatically logged off from the system after accessing EPHI to prevent accidental breaches of data security.
To make sure you physically protect PHI, you'll need a process for controlling and monitoring who can access the data in person as well as managing and tracking all your workstations and devices that can access PHI remotely, such as laptops.
Additionally, you need administration protections in place, such as ensuring that every business associate has signed a BAA, creating and documenting a contingency plan, recording and tracking security incidents, and keeping staff training on HIPAA regulations current.
5. Protected health information (PHI) has a broad definition.
HIPAA is primarily concerned with protecting and managing health information that can be associated with a specific individual (i.e., patient). Protected health information can include a wide range of data that must be carefully handled under HIPAA regulations.
Information that could be considered PHI includes:
- Patient phone numbers and email addresses
- Social security numbers
- Chart numbers
- Health insurance numbers
- Device identifiers and IP addresses
- Biometric information, such as fingerprints or retinal scans
- Full face photographs
- Laboratory results
If information is "de-identified" — for instance, if personal details are removed so that no specific individual could be identified from the information — then it would no longer be considered protected health information and HIPAA regulations would not apply.
6. HIPAA compliance requires you to conduct and document six annual audits.
Maintaining healthcare HIPAA compliance is not a one-and-done process. To keep compliant with HIPAA, you need to make sure that you conduct and document six annual audits:
- Physical site audit
- Audit of all assets and devices
- Security standards audit
- Security risk assessment
- Privacy assessment (for covered entities only, not business associates)
- HITECH Subtitle D audit
If you identify gaps in your HIPAA compliance when you conduct your annual audits, you need to document those deficiencies and create a plan to address them. You should keep all audit documentation for at least the next six years.
7. You must ensure all staff have received HIPAA compliance training.
All staff members working in a healthcare setting must receive annual HIPAA training. You'll need to document staff attendance at this compulsory training. Staff will need to receive security awareness training. You should also make sure that one member of personnel has been designated as the HIPAA compliance and/or security officer.
A key factor in staff training is to make sure that every staff member understands what HIPAA is and why it's important to uphold it.
8. There have been some modifications to HIPAA regulations in 2020.
The U.S. Department of Health and Human Services (HHS) issued a public health emergency declaration in January 2020 as a result of the global COVID-19 pandemic. This declaration has recently been extended to January 2021. During the public health emergency, HHS has issued certain HIPAA waivers to protect specific healthcare providers against penalties for noncompliance with HIPAA regulations in the event that data breaches were made in the interests of patient care. The waivers are also intended to help ensure that all patients with COVID-19 have sufficient access to healthcare during the pandemic.
However, these waivers are in effect only during the public health emergency, which may be declared at an end at any time, and state privacy laws are still in place. This means that any non-compliant behaviors resulting from the pressures created by the COVID-19 pandemic should be rectified as soon as possible.
Also of note for 2020: Earlier this month, the HHS Office for Civil Rights proposed significant changes to the HIPAA Privacy Rule. As Healthcare IT News notes, the goal of the proposed changes is to "… further value-based reimbursement and improve care coordination by enabling greater patient and family access to health data."
9. Remote working can make HIPAA compliance more difficult.
During the pandemic, many employers have decided to permit staff to work from home. This may make it tougher to ensure HIPAA compliance. For instance, staff trained in data security on company-owned workstations may not be familiar with how to maintain security on their own laptops.
Additionally, not every staff member can guarantee patient confidentiality in an at-home setting. For instance, if a healthcare professional is sharing a home office with a family member, patient calls could potentially be overheard.
To best maintain HIPAA compliance even when employees are telecommuting, make sure that you have established security protocols for all work devices being used to access health information and have provided employees with HIPAA compliance training for their home office environment.
10. You need a detailed plan in place.
To effectively manage and maintain HIPAA compliance, you'll need a detailed plan in place or you will run the risk of allowing human error to creep in. HIPAA policies and procedures must be shared and communicated with staff members (patients must also receive a notice of privacy practices, detailing how a provider plans to use and disclose their health information). You will need to make sure your policies and procedures include security policies, including password management, data encryption, email, data backups, and data disposal.
You should also define privacy policies, including how and when patient information may be discussed. HIPAA also requires provider organizations to have a defined plan in the event that a breach occurs, including breach notification procedures and a detailed incident response plan. Review your policies and procedures annually to make sure they address any new developments in your organization or changes in HIPAA regulations.
Give HIPAA Compliance the Attention It Needs
The importance of HIPAA compliance in today's healthcare setting cannot be overstated. Thought HIPAA can be complex, it's crucial to maintaining a safe, secure, and efficient organization. If you'd like to learn more about how Medicus IT, a leading managed services provider that's fluent on HIPAA, helps organizations achieve and maintain their HIPAA compliance, please visit our website.