What Is HIPAA Compliance?
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a law that was initially focused on helping more Americans gain and keep their health insurance. It also gave the Department of Health and Human Services (HHS) a mandate to set standards for safeguarding protected health information (PHI). The privacy and security portion of HIPAA was significantly expanded by subsequent rulemaking and legislation, including the HIPAA Privacy Rule (published 2000), the HIPAA Security Rule (compliance required from 2005), and the HITECH Act (2009).
HIPAA compliance is regulated by HHS and enforced by its Office for Civil Rights (OCR), which investigates complaints, performs audits, and can issue penalties for HIPAA noncompliance. The two main objectives of HIPAA are to:
- 1. Provide continuous health insurance coverage for workers who lose or change their job
- 2. Standardize the electronic transmission of administrative and financial transactions, including establishing rules related to security and privacy
What is Protected Health Information (PHI)?
PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or a business associate. It includes clinical information such as a diagnosis or treatment, billing and payment information, and any other patient-identifiable information, whether it is held by a provider or by a health insurance company.
This information can be held in any form, including digital, paper, or oral (e.g., conversations between doctors and nurses about treatment). PHI covers an individual’s past, present, or future physical or mental health condition, the care provided to the individual, and payment for that care.
HIPAA List of Protected Health Information (PHI)
HIPAA’s Safe Harbor de-identification standard lists eighteen identifiers of the individual (or of the individual’s relatives, employers, or household members) that must be removed before health information counts as de-identified; health information linked to any of them is PHI:
- 1. Names
- 2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
- 3. All elements of dates (except year) directly related to an individual, such as birth date, admission and discharge dates, and date of death
- 4. Telephone numbers
- 5. Fax numbers
- 6. Email addresses
- 7. Social Security numbers
- 8. Medical record numbers
- 9. Health plan beneficiary numbers
- 10. Account numbers
- 11. Certificate / license numbers
- 12. Vehicle identifiers and serial numbers, including license plate numbers
- 13. Device identifiers and serial numbers
- 14. Web URLs
- 15. IP addresses
- 16. Biometric identifiers, including finger and voice prints
- 17. Full-face photographs and any comparable images
- 18. Any other unique identifying number, characteristic, or code
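Of the eighteen identifiers, only some have a regular enough shape for a scanner to match mechanically; names, street addresses, biometrics, photographs, medical record numbers and "any other unique code" have no fixed format and need a dictionary or NLP pass, or a human reviewer. The following added example (it is not from the original article, and the pattern set, the function names and the constructed sample note are all assumptions made for the example) shows a small regex scanner and redactor run over a made-up clinical note, so a practitioner can see exactly which identifier classes such a scanner does and does not cover. A scanner like this is a screening aid for a compliance review, not a Safe Harbor de-identification by itself.

```python
"""Scan text for the HIPAA Safe Harbor identifiers that have a regular shape.

Added example, not from the original article. Names, street addresses,
biometrics, photographs, MRNs and "any other unique code" have no fixed
format and are NOT caught here; those need a dictionary/NLP pass or a human
reviewer. Pattern names, the sample note and the regexes are assumptions
made for this example.
"""
import re
from collections import defaultdict

# Identifier classes with enough structure to pattern-match. Expect some
# false positives (an IPv4 regex also matches version strings like 1.2.3.4).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Greedy up to whitespace, but never end on trailing sentence punctuation.
    "url": re.compile(r'https?://[^\s<>"]*[^\s<>".,;)]', re.IGNORECASE),
    # Full dates only. Safe Harbor allows a bare year, so "2022" on its own
    # is deliberately not matched.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

# Constructed sample clinical note; no real person or real identifiers.
SAMPLE_NOTE = (
    "Patient Jane Q. Sample (MRN 00012345), DOB 03/14/1985, seen 2021-12-20. "
    "Contact: (555) 867-5309, jane.sample@example.com, SSN 123-45-6789. "
    "Portal login from 203.0.113.42, see https://portal.example.org/visit/8827. "
    "Follow-up in the year 2022."
)


def find_identifiers(text):
    """Return {identifier_class: [matched strings]} for every pattern hit."""
    found = defaultdict(list)
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found[name].append(match.group(0))
    return dict(found)


def redact(text):
    """Replace each pattern-detectable identifier with a class tag.

    Anything the patterns cannot describe (the patient's name, the MRN)
    survives untouched, which is the point the caller must not overlook.
    """
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


if __name__ == "__main__":
    for cls, hits in find_identifiers(SAMPLE_NOTE).items():
        print(f"{cls:13s} {hits}")
    print(redact(SAMPLE_NOTE))
```

Run against the sample note, the scanner tags the SSN, phone number, email address, IP address, URL and both full dates, while the patient’s name, the MRN and the bare year 2022 pass through untouched; the last of these is allowed under Safe Harbor, the first two are not, which is why a regex pass alone cannot be signed off as de-identification.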
What Is ePHI?
ePHI is electronic protected health information: all individually identifiable health information that is created, received, maintained, or transmitted in electronic form, whether on a server, desktop, laptop, tablet, mobile phone, wearable, or digital scribe device.
Who Must Comply with HIPAA?
Two groups must comply with HIPAA: covered entities and business associates (BAs).
Covered Entity According to HIPAA
HIPAA defines a covered entity as any individual, organization, or corporation that creates, collects, or transmits PHI as part of treatment, payment, or healthcare operations. There are three types of covered entities:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
Examples of covered entities are:
- Assisted living facility
- Doctor’s office (e.g., dental offices, clinics, psychologists, chiropractors)
- Government programs that pay for healthcare (e.g., Medicare, VA healthcare)
- Home healthcare agency
- Hospital
- Insurance companies
- Pharmacy
Business Associate (BA) According to HIPAA
A BA is an organization or individual that creates, receives, maintains, or transmits PHI while performing work or services on behalf of a covered entity. Covered entities must execute a HIPAA business associate agreement (BAA) with each BA: a contract that binds the BA to protect PHI as HIPAA requires. A BA that subcontracts work involving PHI must in turn have a BAA with the subcontractor.
Examples of business associates are:
- Answering services
- Billing companies
- EHR platforms
- Email hosting services
- Law firms
- Medical transcription services
- Practice management firms
HIPAA Rules
HIPAA Enforcement Rule
The HIPAA Enforcement Rule sets out how OCR investigates complaints and conducts compliance reviews, how civil money penalties are assessed, and the procedures for hearings. It applies when an organization fails to follow the HIPAA Privacy, Security, or Breach Notification Rules.
HIPAA Penalties
Civil penalties for HIPAA violations are tiered according to the level of culpability behind the violation. The per-violation amounts below are the base figures, which HHS adjusts for inflation each year; the annual caps are per identical provision violated in a calendar year and reflect OCR’s 2019 notice of enforcement discretion.
- First Tier: the entity did not know, and by exercising reasonable diligence could not have known, of the violation. $100 to $50,000 per violation, up to $25,000 per year.
- Second Tier: the entity knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect (reasonable cause). $1,000 to $50,000 per violation, up to $100,000 per year.
- Third Tier: the entity acted with willful neglect but corrected the violation within 30 days of discovering it. $10,000 to $50,000 per violation, up to $250,000 per year.
- Fourth Tier: the entity acted with willful neglect and did not correct the violation within 30 days. $50,000 per violation, up to $1.5 million per year.
HIPAA Privacy Rule
The HIPAA Privacy Rule protects PHI in any form by regulating its use and disclosure, and it gives individuals rights over their health information, including the right to access it and to request restrictions on certain uses and disclosures. The Privacy Rule applies directly to covered entities, and it requires a covered entity that works with a business associate to have a contract (the BAA) that obligates the BA to safeguard the PHI it uses or discloses.
HIPAA Security Rule
The HIPAA Security Rule establishes national standards for protecting ePHI. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of the ePHI that a covered entity or business associate creates, receives, maintains, or transmits.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and HHS following a breach of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable, for example through encryption); a business associate must notify the covered entity. Notices to individuals are due without unreasonable delay and no later than 60 days after discovery. A breach affecting 500 or more individuals must also be reported to HHS without unreasonable delay and, if it affects more than 500 residents of a state or jurisdiction, to prominent media outlets; smaller breaches are logged and reported to HHS annually.
What Is Required for HIPAA Compliance?
HIPAA security and privacy rules dictate what is required for HIPAA compliance.
HIPAA Security Rule
The HIPAA Security Rule requires that appropriate administrative, physical, and technical safeguards be in place to ensure the confidentiality, integrity, and availability of ePHI.
HIPAA Technical Safeguards
There are five standards listed under the Technical Safeguards section.
- 1. Access control
- 2. Audit controls
- 3. Person or entity authentication
- 4. Integrity
- 5. Transmission security
HIPAA Physical Safeguards
There are four standards in the Physical Safeguards section.
- 1. Device and media controls
- 2. Facility access controls
- 3. Workstation security
- 4. Workstation use
HIPAA Administrative Safeguards
There are nine standards under the Administrative Safeguards section.
- 1. Security management process
- 2. Assigned security responsibility
- 3. Workforce security
- 4. Information access management
- 5. Security awareness and training
- 6. Security incident procedures
- 7. Contingency plan
- 8. Evaluation
- 9. Business associate contracts and other arrangements
HIPAA Privacy Rule
Covered entities must provide appropriate safeguards to protect the privacy of protected health information, as noted above, and must limit their uses and disclosures of PHI to the minimum necessary for the purpose. Patients must also be able to examine and obtain a copy of their health records and request corrections.
Business associates are required to do the following:
- Not allow any impermissible uses or disclosures of PHI
- Provide breach notification to the covered entity
- Provide access to PHI to individuals, or to the covered entity, so that the covered entity can meet its access obligations
- Disclose PHI to the Secretary of HHS, if compelled to do so
- Provide an accounting of disclosures
- Comply with the requirements of the HIPAA Security Rule
Elements of Effective HIPAA Compliance
There are many rules and protocols required to achieve HIPAA compliance. Following are several of the key elements of an effective HIPAA compliance program.
- Assign a privacy officer and a security officer to oversee the compliance program across the organization
- Conduct a thorough security risk analysis, repeating it periodically (commonly at least annually) and whenever systems or operations change significantly
- Develop, document, and test procedures so the organization can detect, contain, and report a data breach quickly
- Embed privacy policies and security procedures into all workflows that create, use, or store PHI
- Enforce data access policies based on the principle of least privilege
- Ensure that proper business associate agreements are in place
- Implement administrative, physical, and technical safeguards
- Mandate ongoing training programs for everyone who engages with PHI
- Understand the core rules and requirements
HIPAA Compliance—a HIPAA-Potamus
When considering “what is HIPAA compliance,” think big; this is one of the larger, more far-reaching regulations. HIPAA regulations are extensive, complex, and loaded with consequences.
Achieving and maintaining HIPAA compliance is not easy, but it is attainable. By understanding what HIPAA compliance is and what it entails, organizations can successfully navigate this seemingly unwieldy regulation.
And, in the end, they can be the better for it: improved systems and protection of personal information also go a long way toward meeting other compliance requirements. Plus, patients are happy to know that their private information is safe from unauthorized access.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers and millions of users worldwide.
Last Updated: 20th December, 2021