Skip to main content

On-demand webinar coming soon...

Blog

HIPAA compliance: Building a bridge to a robust privacy program

March 2, 2021

Orange and yellow gradient

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient information. This comprehensive law applies to anyone and everyone who handles protected health information (PHI) in the United States. This includes health plans, health care clearinghouses, certain healthcare service providers (together known as “covered entities”), their vendors, contractors, and subcontractors (together known as “business associates”).

If your organization falls within those categories, there’s critical information of which you should be aware.

Medical services contain lots of highly sensitive personal information: names, bank account numbers, and social security numbers, just to name a few. Because of this, they’re prime targets for cybersecurity hacks. It also means medical breaches are the most expensive, averaging $7.13 million per attack.

The problem is, most companies don’t feel confident in their compliance with HIPAA. In fact, 75% of health organizations admit their infrastructure isn’t prepared to respond to attacks. And it shows: 30% of all large data breaches stem from the medical industry.

The HIPAA Rules help you to do two things: (1) Protecting your patients’ vital information and (2) protecting your company from a data breach.

But HIPAA compliance can be complex for even the most experienced privacy professionals. If your organization manages PII, it’s crucial to embed HIPAA compliance into your privacy program. Here’s how to get started.

The HIPAA Rules

To be HIPAA compliant, you must follow what’s known as the HIPAA rules. HIPAA Rules were issued by the US Department of Health and Human Services (HSS) to implement the original federal regulation passed in 1996. Technology and healthcare have changed completely since then. These rules serve as a way of keeping up with the times. Here’s a complete breakdown of the HIPAA rules:

1 . Privacy Rule

This Rule sets standards for the use and disclosure of PHI by covered entities. The Rule also gives individuals privacy rights to understand and control how their health information is used.

It says that a covered entity may not use or disclose protected health information, except when the Privacy Rule permits or requires or when the data subject or their personal representative authorizes in writing.  

2. Security Rule

This Rule sets standards for the administrative, physical, and technical infrastructure required to safeguard electronic PHI under HIPAA.

According to the Security Rule, it is mandatory for companies with access to electronic PHI to run a regular security risk assessment to ensure reliable PHI protection. It also provides guidelines about security risk analysis and describes the requirements of PHI security.

3. Enforcement Rule

This Rule covers compliance and investigation provisions, civil money penalties for violations of HIPAA Rules, and procedures for hearings.

Penalty amounts depend on the reasonable diligence exercised by a particular organization. It can range anywhere from

$100 to $50,000 for the first occurrence and go up to $1.5 million for all violations of an identical provision during a calendar year. Omnibus Rule

This Rule modified HIPAA Privacy, Security, and Enforcement Rules by implementing a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

This requires business associates to be HIPAA compliant. It also requires organizations to execute Business Associate Agreements with each vendor. In general, it expands the obligation of physicians and other healthcare professionals regarding PHI protection.

Breach Notification Rule: this Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI.

It states various rules for notifying the individuals and authorities about the breach. This changes depending on how many patients are affected.

How You Can Build HIPAA Compliance into Your Privacy Program

A PHI breach is serious business.

Small human errors can expose your patients’ critical health information and personal patient records to cybercriminals. Financial loss could be the least of your patients’ problems.

Hackers can cause life-threatening damage by changing medical records resulting in misdiagnoses and incorrect treatment.

The severity of these offenses is exactly why HIPAA exists. And as you can imagine, ensuring compliance is a thorough process.

Here are six best practices for building HIPAA compliance into your privacy program:

1. Conduct Regular Audits 

To find out where your organization stands in terms of its compliance program, you need to set the foundation. That’s where your audits are essential. By performing a series of HIPAA audits internally, you’ll achieve two things:

  • Build an understanding of HIPAA regulatory standards that should be in place once your compliance program is complete.
  • Identify current gaps in your HIPAA compliance, which will help form remediation plans.

While there isn’t a required number of audits to perform, there are guidelines that can be followed to create them. In the eyes of the law, as long as you identified gaps across all the mandatory standards, you’ve done your due diligence.

But don’t let that fool you. These audits are no easy task.

To perform regular and robust audits, use a HIPAA compliance tracking solution to simplify the audit process. An effective one will include pre-built audits you can easily fill out. Otherwise, you’ll be responsible for formulating audits that directly correspond to each of the HIPAA standards.

2. Address Gaps with a Remediation Plan 

Once you wrap up your HIPAA audits, you’ll have a series of standards to address. These are known as gaps in your HIPAA compliance. To fill those gaps, you need to build out remediation plans for each one.

Your remediation plan should devise actionable, organized methods that outline how you will address each gap in question. Each remediation task must identify the team member responsible for executing the changes. It should have a deadline associated with the assignment too. 

3. Perform Vendor Risk Management 

The next crucial part of building a HIPAA compliant privacy program is vendor management. HIPAA defines “business associates” (BAs) as any vendors who will encounter PHI while working with you. Some of the more common BAs include:

  • Billing companies
  • IT firms
  • Third-party HR firms
  • Attorneys
  • Electronic health record platforms
  • Cloud service providers
  • Physical storage providers
  • Shredding services

The goal of vendor management due diligence is to ensure your third-party partners have a robust IT security infrastructure in place. This ensures any PHI data they handle on your behalf is secure. To do this effectively, you need to break your vendor management into three parts:

Audit

Run audits that cover each of your vendors’ encryption, backup, and cybersecurity infrastructures. This is another area where a HIPAA compliance solution is helpful. Use software with prebuilt vendor audits that are documented and tracked within the system.

Assess and Select

Once you’ve audited each vendor, it’s time to assess which ones you’ll continue to work with moving forward. Vendors with limited or outdated infrastructures are a risk to your organization. This is especially true in a world of ever-increasing data breaches and regulatory governmental enforcement. Choose the third parties you work with wisely.

Extend BAA Agreements

The next step of an effective HIPAA compliance program is to execute business associate agreements (BAA) with each vendor.

Among other things, it must state:

  • permitted and required uses and disclosures of PHI by the BA
  • the BA will not use or further disclose PHI other than as required by the BAA or by law
  • the BA will implement appropriate safeguards to prevent unauthorized use or disclosure of PHI 
  • the BA will report any unauthorized use or disclosure of PHI including breaches of unsecured PHI  
  • the BA will make PHI available for the covered entity to satisfy its obligations under HIPAA (e.g., responding to individual requests for copies of their PHI) 

It is best to have an attorney or HIPPA subject matter advise the creation of your BAAs. A compliance solution will also include prebuilt BAAs heavily vetted against HIPAA regulatory requirements, as well. 

4 – Implement Policies, Procedures & Training 

Create policies and procedures that address all relevant HIPAA regulatory standards. These policies and procedures must be tailored to your organization. Don’t use a generic HIPAA policy manual to address regulations. A HIPAA compliance solution provider will help you craft customized policies much more effectively.

These need to be updated at least annually. As your organization adopts new software and technology that manages PHI, your protocols need to include them.

Next, you need to train your team on each policy and procedure. Remember to document these sessions. Require employees to confirm they received training. It must take place annually and during the onboarding of any new employees. 

5 – Document Everything 

Documentation is the backbone of your compliance program. Each step of your compliance program needs to be thoroughly tracked along with drafts and changes of documentation over time.  

Under HIPAA, your organization is required to save all documentation for at least six years from the date it originated or became effective (whichever is later). 

The best practice is to keep all documentation in a centralized location with role-based access. Only employees who absolutely need access to compliance documentation should have it. 

In the case of a HIPAA violation, your documentation can demonstrate your organization’s good faith effort toward addressing regulatory requirements. Consider it your paper trail safety net. Lack of documentation could result in harsh penalties under the law. 

 6 – Establish an Incident Management Plan 

Humans mess up, errors happen, and cybersecurity issues can slip through the cracks, regardless of how prepared you are. While there is no way to ensure 100% compliance, you can mitigate the damage if you are prepared. 

The HIPAA Breach Notification Rule sets specific standards about how you must respond in the event of a data breach: 

  • Minor Breach: This is a data breach affecting fewer than 500 patients in a single jurisdiction. Once you discover a minor breach, you have 60 days to notify each person affected. You must also report the breach to the HHS Secretary within 60 days before the one-year mark of the breach discovery. The report must be submitted via the HHS Breach Reporting Portal 
  • Breach Affecting 500 or More People: When a breach impacts 500 or more people, you are required to notify the affected individuals as well as the HHS Secretary within 60 days. If 500 or more residents of a State or jurisdiction are affected, you are also required to tell prominent media outlets serving the State or jurisdiction about the breach.

You must also provide a means for employees and patients to report breaches anonymously. HIPAA replaces emphasis on anonymity to ensure your employees receive no backlash for doing their due diligence.

Conclusion: Ensure Compliance with Automation 

HIPAA fines can cost your organization any from $100-$1.5 million per incident. 

And that doesn’t even include the reputational loss you’ll pay after the breach occurs. While it’s impossible to avoid breaches altogether, maintaining HIPAA compliance can certainly protect your organization and mitigate its risk exposure.

The best part is automation which makes HIPAA compliance manageable.

OneTrust Privacy is the world’s leading compliance automation tool. Thousands of organizations use OneTrust to streamline their HIPAA compliance through automated assessments, vendor risk management, and privacy training.

Reach out to have a team member walk you through it or try it free right now.


You may also like

Webinar

Privacy Management

Spring into action! Navigating CPRA: Ensuring compliance and protecting privacy

Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.

March 21, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: New Jersey and New Hampshire join the US privacy landscape

oin OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.

February 01, 2024

Learn more

Webinar

Privacy Automation

Embedding Privacy by Design through PIA Automation

Join us for a webinar on Embedding Privacy by Design through PIA Automation.

January 11, 2024

Learn more

Webinar

Privacy Management

Automating fulfillment of subject rights requests in the US

Learn how Privacy Rights Automation helps to fully automate privacy rights requests. 

December 06, 2023

Learn more

Webinar

Privacy Management

December's deadline: Ensuring compliance with Utah's privacy regulation

Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.

November 14, 2023

Learn more

Webinar

Privacy Management

The road to privacy compliance: A spotlight on Oregon & Delaware legislation

We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.

September 14, 2023

Learn more

Regulation Book

Privacy Management

Utah Consumer Privacy Act law book

Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.

September 04, 2023

Learn more

Blog

Privacy Management

The road to 50 states: Delaware and Oregon join the US privacy landscape

Get in-depth analysis on two upcoming US Privacy laws, the Oregon Consumer Privacy Act (OCPA) and the Delaware Personal Data Privacy Act (DPDPA), with OneTrust DataGuidence and a panel of experts.

August 10, 2023

Learn more

Resource Kit

Privacy Management

EU-US Data Privacy Framework resource kit

Download our EU-US Data Privacy Framework resource kit to better understand the new aggreement for cross-border personal data transfers and how to educate your stakeholders.

July 20, 2023

Learn more

Resource Kit

Privacy & Data Governance

US privacy resource kit

Download our US privacy resource kit designed to access a range of materials to help you understand how the US privacy landscape is evolving.

July 13, 2023

Learn more

Webinar

Privacy Management

Now in effect: Colorado and Connecticut privacy laws

In this free webinar, our privacy experts delve into the new Colorado and Connecticut privacy laws and how they differ from other US state regulations.

July 12, 2023

Learn more

Webinar

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more

Infographic

Consent & Preferences

Navigating Google's new CMP requirements

Adapt to Google's June 2023 CMP requirements with this infographic and confidently engage your audience while staying compliant.

June 20, 2023

Learn more

Webinar

Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences for marketers

Download this eBook and learn how marketers can apply consent and preference principles to build a relationship with their audience built on trust.

June 02, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more

Webinar

Privacy Management

Understanding Washington's My Health My Data Act

The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.

May 18, 2023

Learn more

Webinar

Privacy & Data Governance

Operationalizing the Iowa Consumer Data Protection Act

Join the Privacy experts at OneTrust for an update on the new law and learn key requirements of Iowa’s new privacy law and more.

May 16, 2023

Learn more

White Paper

AI Governance

Navigating responsible AI: A privacy professional's guide

Download our white paper and learn how privacy teams help organizations establish and implement polices that ensure AI applications are responsible and ethical. 

May 03, 2023

Learn more

Blog

Privacy & Data Governance

Comparing US privacy law exemptions infographic

Learn how to navigate the new US privacy law exemptions and see how they compare.

May 01, 2023

Learn more

Webinar

Privacy & Data Governance

Automate subject rights requests for compliance with US state privacy laws

Join this interactive webinar to learn how OneTrust Privacy Rights Automation helps you to fully automate privacy rights requests for your organization.

April 19, 2023

Learn more

Webinar

Privacy & Data Governance

Iowa joins US privacy landscape with a new law

OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.

April 10, 2023

Learn more

Webinar

Privacy & Data Governance

USA biometric laws: Key considerations and emerging trends

Biometric laws are emerging, and companies must ensure compliance to avoid hefty fines. Join the OneTrust DataGuidance panel of experts to learn more.

April 06, 2023 1 min read

Learn more

Infographic

Privacy Management

US privacy in 2023: Top 3 compliance priorities

Businesses at different stages of privacy maturity will need to approach US privacy compliance in different ways. Download the infographic to learn more.

March 08, 2023

Learn more

Webinar

Privacy & Data Governance

Assess privacy risk for compliance with US state privacy laws

Join this US Privacy Demo Series webinar to see a live demo of the OneTrust privacy risk or data protection assessments (PIA's) automation solution.

March 01, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences in the healthcare sector

Download the guide to learn more about how to use consent and preferences to elevate patient and customer experiences in the healthcare sector.

February 15, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Employee rights fulfilment

Learn the steps you can take to boost employee trust in compliance with US Privacy Laws in our US Privacy Masterclass on Employee Rights Fulfilment.

February 07, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Consumer rights & opt-outs

Join us in our US Privacy Masterclass as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

February 07, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - risk and DPIAs

Join us in our US Privacy Masterclass on Risk and DPIAs to understand the operational components for risk assessments/data protection assessments.

February 06, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - retention & minimization

Our US Privacy Masterclass on Retention & Minimization will help you understand data policy requirements across US Privacy Laws.

February 06, 2023

Learn more

Webinar

Privacy Management

Data Privacy Day: Protiviti & OneTrust

Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.

January 26, 2023

Learn more

Checklist

Privacy Management

7 steps to CPRA compliance

Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.

January 24, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to US opt-out requirements

Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.

January 23, 2023

Learn more

eBook

Privacy & Data Governance

The ultimate guide to US privacy

Learn more about the three priorities for managing US privacy requirements, including addressing the most visible aspects of US privacy compliance.

December 12, 2022

Learn more

Webinar

Privacy Management

Expanded US consumer rights: What’s new and what should you do?

Join our experts to understand the operational impact of these newly-expanded US consumer rights and how to automate consumer rights request fulfillment.

August 25, 2022

Learn more

Webinar

Privacy Management

Privacy risk assessments in the US: Why, when, and what?

In this webinar, OneTrust experts discuss requirements for conducting PIAs: why they exist, when you should do them, and what they should include.

August 24, 2022

Learn more

Webinar

Privacy & Data Governance

A US federal privacy bill is on the horizon: get to know the ADPPA webinar

In this session, legal experts Michelle Schaap and Andy Lee are joined by OneTrust DataGuidance to provide an overview of what the ADPPA entails.

August 17, 2022

Learn more

Webinar

Privacy Management

Establishing and enforcing retention policies

Attend our webinar, "Establishing and enforcing retention policies," part of the US Privacy Laws Masterclass Series.

July 27, 2022

Learn more

eBook

Privacy & Data Governance

How to comply with the CCPA opt-out requirement

Download this guide to learn how you can comply with the CCPA's opt-out requirements to get on the right track to CCPA compliance.

July 22, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more

Webinar

Privacy Management

Utah and Connecticut: Latest additions to the US Privacy landscape

Watch our webinars on the latest privacy laws from Utah and Connecticut and what you need to know to prepare in 2023.

June 17, 2022

Learn more

Webinar

Privacy & Data Governance

US privacy laws & regulations: answering your biggest questions

Join us for a Q&A on the several US state laws going in effect in 2023.

June 16, 2022

Learn more

eBook

Privacy & Data Governance

Comparing US state privacy laws

Download this eBook and explore the key areas of US state privacy laws and how they compare. 

June 15, 2022

Learn more

Resource Kit

Privacy Management

Your US privacy masterclass resource kit

These resources provide key information on US privacy law through blogs, webinars, and eBooks.

April 26, 2022

Learn more

Checklist

Privacy & Data Governance

6 step checklist for compliance with US privacy laws

Download our six step checklist for US privacy laws and ensure that your company remains compliant in 2023.

March 29, 2022

Learn more

Webinar

Privacy & Data Governance

Utah joins the US Privacy landscape with new comprehensive law

Join us for an overview of Utah's Consumer Privacy Act (UCPA) and its impact on your organization.

March 25, 2022

Learn more

Webinar

Privacy Management

Overview: Understanding the trio of US privacy laws

Attend our webinar, to better understand privacy laws in the US.

March 23, 2022

Learn more

Webinar

Privacy Management

New to US privacy: Privacy impact assessments

Watch our webinar as we discuss privacy impact assessments and how they relate to US privacy laws.

March 23, 2022

Learn more

Webinar

Privacy Management

Navigating opt-out of sale vs. share

Watch our US Privacy Law masterclass to  learn about opt-out of sales and share requirements and best practices for approaching compliance.

March 23, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 3

Watch our webinar on US privacy laws and gain insight on effective personal information managment strategies.

February 02, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 2

Join us for an overview of US privacy laws and strategies for dealing with compliance.

January 11, 2022

Learn more

Webinar

Privacy Management

[Part 1] US Privacy Series: Establishing a foundation for compliance

In the first part of our US Privacy Series, we discuss US privacy laws such as the CPRA and best practices towards compliance. 

December 21, 2021

Learn more

Infographic

Privacy & Data Governance

Employee rights under the CPRA

Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA. 

December 07, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of  the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

eBook

Privacy & Data Governance

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more

Webinar

US Privacy Masterclass: Countdown to 2023 compliance

Join this US Privacy Masterclass series as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

Learn more

Webinar

Privacy Management

US Privacy Masterclass 2022

Watch the OneTrust US Privacy Masterclass series and gain insight on the major US privacy law and best practices.

Learn more