How to Become HIPAA Compliant
When working in healthcare, in any capacity, it is important to understand your obligations under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA law applies to a variety of healthcare entities, including doctor’s offices, hospitals, HIPAA business associates (BAs), and Managed Service Providers (MSPs) with healthcare clients. Understanding your obligations under HIPAA can be confusing; as such, the following will explain how to become HIPAA compliant.
What is HIPAA?
Becoming HIPAA compliant requires organizations working in healthcare to understand what HIPAA is. HIPAA consists of a set of rules that organizations working in healthcare are required to adhere to. HIPAA was enacted to ensure that patients’ protected health information (PHI) is secure.
HIPAA Security Rule: mandates that organizations working in healthcare must ensure the confidentiality, integrity, and availability of PHI. It requires organizations to implement security measures to secure PHI in the form of administrative, physical, and technical safeguards.
- Administrative: are policies and procedures that are customized to apply directly to each organization’s business processes. Policies and procedures must be reviewed annually, and employees are required to be trained annually on policies and procedures as well as HIPAA requirements.
- Physical: pertain to the security measures for an organization’s physical location. Access to an organization’s facility, as well as workstations and devices, must be limited to individuals that require access based on their job function. Physical safeguards requirements also dictate the measures for proper removal and disposal of PHI.
- Technical: requires organizations to have protection in place such as encryption, firewalls, and data backup to secure PHI. Technical safeguards must include the following:
- Access Controls: organizations are required to adhere to the “minimum necessary” standard when accessing PHI; employees must only access the PHI necessary to perform their job function. To implement access controls, employees should be given unique login credentials, enabling administrators to assign different levels of access to data based on employees’ job functions.
- Audit Controls: require organizations to keep an access log that records access to PHI. This allows organizations to determine normal access patterns for employees, so that insider threats to PHI can be quickly identified.
- Integrity Controls: are measures that ensure that PHI data is not destroyed or altered without proper authorization.
- Transmission Security: ensure that data in transit, such as data sent via email, is not accessed by unauthorized individuals.
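The access-control and audit-control points above (unique credentials, an access log, a baseline of normal access per employee, quick identification of insider misuse) can be illustrated with a small log analyzer. The following is an added example written for this article, not code from the article or from any HIPAA tool; the log format (timestamp, user, role, patient record id) and the sample entries are constructed, and the "three times the user’s usual daily volume" threshold is an assumption chosen for illustration.

```python
"""Audit-control example: baseline each employee's PHI access and flag outliers."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample access log: "<ISO timestamp> <user> <role> <patient record id>".
# jsmith normally touches two or three charts a day, then pulls twelve in one night.
# abrown (billing) has a flat, unremarkable pattern.
LOG_LINES = [
    "2024-03-04T08:12:00 jsmith nurse P1001",
    "2024-03-04T09:40:00 jsmith nurse P1002",
    "2024-03-04T13:05:00 jsmith nurse P1003",
    "2024-03-05T08:30:00 jsmith nurse P1004",
    "2024-03-05T11:15:00 jsmith nurse P1005",
    "2024-03-06T08:02:00 jsmith nurse P1001",
    "2024-03-06T10:20:00 jsmith nurse P1006",
    "2024-03-06T15:45:00 jsmith nurse P1007",
    "2024-03-04T10:00:00 abrown billing P2001",
    "2024-03-04T10:30:00 abrown billing P2002",
    "2024-03-04T11:00:00 abrown billing P2003",
    "2024-03-05T10:00:00 abrown billing P2004",
    "2024-03-05T10:30:00 abrown billing P2005",
    "2024-03-05T11:00:00 abrown billing P2006",
    "2024-03-06T10:00:00 abrown billing P2001",
    "2024-03-06T10:30:00 abrown billing P2007",
    "2024-03-06T11:00:00 abrown billing P2008",
    "2024-03-07T10:00:00 abrown billing P2009",
    "2024-03-07T10:30:00 abrown billing P2010",
    "2024-03-07T11:00:00 abrown billing P2011",
] + [
    # Twelve distinct charts between 02:01 and 02:12 on 2024-03-07 (constructed burst).
    f"2024-03-07T02:{m:02d}:00 jsmith nurse P{1100 + m}" for m in range(1, 13)
]
SAMPLE_LOG = "\n".join(LOG_LINES)


def parse_log(text):
    """Parse log text into (timestamp, user, role, patient) tuples, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, role, patient))
    return events


def daily_record_counts(events):
    """Map user -> {date: number of DISTINCT patient records accessed that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, user, _role, patient in events:
        seen[user][ts.date()].add(patient)
    return {user: {day: len(pats) for day, pats in days.items()} for user, days in seen.items()}


def flag_outliers(events, multiplier=3.0, min_history_days=3):
    """Return (user, date, count, baseline) for days where a user's distinct-record
    count exceeds `multiplier` times their mean over all OTHER logged days.
    Users with fewer than `min_history_days` days of history have no baseline yet."""
    flags = []
    for user, days in daily_record_counts(events).items():
        if len(days) < min_history_days:
            continue
        for day, count in sorted(days.items()):
            baseline = mean(c for d, c in days.items() if d != day)
            if count > multiplier * baseline:
                flags.append((user, day.isoformat(), count, round(baseline, 1)))
    return flags


if __name__ == "__main__":
    for user, day, count, baseline in flag_outliers(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: {user} accessed {count} records on {day} (usual ~{baseline}/day)")
```

Run as a script, it reports one line for jsmith on 2024-03-07. In a real program the baseline would be computed over a longer history and compared per role, and the flagged entries would be routed to whoever owns the organization’s audit-control review; the point of the example is that the access log only delivers on the "quickly identified" promise when something is actually reading it against a baseline.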
Although HIPAA does not lay out specific security measures that need to be implemented, it requires organizations to consider the following:
- Their size, complexity, and capabilities;
- Their technical hardware, and software infrastructure;
- The costs of security measures; and
- The likelihood and possible impact of potential risks to ePHI.
HIPAA Privacy Rule: pertains to patients’ rights to their medical information and the proper use and disclosure of PHI. This Rule does not apply to business associates (BAs).
- Notice of Privacy Practices: is given to the patient upon their first visit to a covered entity (CE). It describes how CEs can use and disclose patients’ PHI and patients’ rights with respect to their PHI. Patients’ rights include the following:
- The right to request restrictions on certain uses and disclosures of PHI.
- The right to receive confidential communications of PHI, as permitted by law.
- The right to inspect and copy PHI.
- The right to amend PHI, as permitted by law.
- The right to receive an accounting of disclosures of PHI.
- The right of an individual to obtain a paper copy of the notice, upon request.
- The right to complain to the covered entity and to the Secretary of Health and Human Services if an individual believes his or her privacy rights have been violated.
Under the Privacy Rule, CEs cannot charge an excessive amount for patients requesting their medical records, and records must be provided in a timely manner.
Breach Notification Rule: healthcare organizations that experience a breach are required to report the incident. Breach notification must be provided in writing to affected individuals.
- Meaningful breach: affects more than 500 individuals and must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), affected individuals, and the media. A meaningful breach must be reported within 60 days of discovering the incident.
- Minor breach: affects fewer than 500 individuals and must be reported to the HHS OCR and affected individuals. A minor breach must be reported by the end of the calendar year.
Omnibus Final Rule: created amendments to the existing HIPAA Security, Privacy, and Breach Notification Rules. Prior to the addition of the Omnibus Rule, only meaningful breaches were required to be reported. It also strengthened HIPAA requirements for business associates (BAs), holding them to the same HIPAA compliance standards as CEs.
How to Become HIPAA Compliant with an Effective Compliance Program
Becoming HIPAA compliant is not an easy feat; however, with an effective HIPAA compliance program, organizations working in healthcare can be confident that they are covered in the event of a breach and subsequent HIPAA audit.
Audits: HIPAA law requires organizations to conduct self-audits to determine if their security practices are adequately protecting PHI. Covered entities are required to perform six audits, while business associates must conduct five. All audits must be completed annually to maintain an effective HIPAA compliance program. The required audits are as follows:
- IT Risk Analysis Questionnaire: is meant to create a standard device installation and setup process across an entire organization.
- Security Standards: ensures that an organization’s security policies are in line with HIPAA requirements.
- HITECH Subtitle D: ensures that an organization has proper documentation and protocols in relation to Breach Notification.
- Asset and Device: is an itemized inventory of devices that contain ePHI. The device and asset list includes who uses the device and how an organization is protecting the device.
- Physical Site: each physical location must be assessed to determine if there are measures protecting PHI such as locks or alarm systems.
- Privacy Assessment (not required for BAs): assesses an organization’s privacy policies to ensure that PHI is used and disclosed in accordance with HIPAA.
Gap identification and remediation: completing self-audits allows organizations to determine their gaps in protecting PHI. A remediation plan is meant to address those gaps by creating a plan to fix issues. Remediation plans must be documented, including dates in which remediation efforts will be implemented.
Policies, procedures, and training: policies and procedures must be created for an organization’s specific needs. An outdated or purchased employee manual will not suffice when it comes to HIPAA compliance. An effective compliance program includes policies and procedures created for a specific organization. In addition, they must be updated regularly to fit an organization’s current operating model.
Employee attestation and tracking: an organization is not HIPAA compliant if it doesn’t document its efforts. Organizations must have a way to prove that employees have gone through HIPAA training. Employee attestation is when an employee reads through an organization’s policies, procedures, and training material and legally confirms that they have read and understood all of the materials.
Business associate management: organizations working in healthcare must vet their vendors and secure business associate agreements (BAAs). A BAA must be executed before PHI can be shared between the parties. A BAA also ensures that each party is HIPAA compliant. A BAA limits the liability for both parties involved as it says that parties are accountable for themselves, meaning that in the event of a breach, only the responsible party will be held accountable. However, organizations that don’t properly vet their vendors will also be held accountable if a breach occurs. BAAs must be reviewed annually to incorporate any changes in the nature of an organization’s relationship with the vendor.
Incident management: in the event of a data breach, healthcare organizations and the vendors that service them are required to report the incident. Employees must be able to report breaches anonymously.