The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient information. This comprehensive law applies to anyone and everyone who handles protected health information (PHI) in the United States. This includes health plans, health care clearinghouses, certain healthcare service providers (together known as “covered entities”), their vendors, contractors, and subcontractors (together known as “business associates”).
If your organization falls within those categories, there’s critical information of which you should be aware.
Medical services contain lots of highly sensitive personal information: names, bank account numbers, and social security numbers, just to name a few. Because of this, they’re prime targets for cybersecurity hacks. It also means medical breaches are the most expensive, averaging $7.13 million per attack.
The problem is, most companies don’t feel confident in their compliance with HIPAA. In fact, 75% of health organizations admit their infrastructure isn’t prepared to respond to attacks. And it shows: 30% of all large data breaches stem from the medical industry.
The HIPAA Rules help you to do two things: (1) Protecting your patients’ vital information and (2) protecting your company from a data breach.
But HIPAA compliance can be complex for even the most experienced privacy professionals. If your organization manages PII, it’s crucial to embed HIPAA compliance into your privacy program. Here’s how to get started.
The HIPAA Rules
To be HIPAA compliant, you must follow what’s known as the HIPAA rules. HIPAA Rules were issued by the US Department of Health and Human Services (HSS) to implement the original federal regulation passed in 1996. Technology and healthcare have changed completely since then. These rules serve as a way of keeping up with the times. Here’s a complete breakdown of the HIPAA rules:
1 – Privacy Rule
This Rule sets standards for the use and disclosure of PHI by covered entities. The Rule also gives individuals privacy rights to understand and control how their health information is used.
It says that a covered entity may not use or disclose protected health information, except when the Privacy Rule permits or requires or when the data subject or their personal representative authorizes in writing.
2 – Security Rule
This Rule sets standards for the administrative, physical, and technical infrastructure required to safeguard electronic PHI under HIPAA.
According to the Security Rule, it is mandatory for companies with access to electronic PHI to run a regular security risk assessment to ensure reliable PHI protection. It also provides guidelines about security risk analysis and describes the requirements of PHI security.
3 – Enforcement Rule
This Rule covers compliance and investigation provisions, civil money penalties for violations of HIPAA Rules, and procedures for hearings.
Penalty amounts depend on the reasonable diligence exercised by a particular organization. It can range anywhere from
$100 to $50,000 for the first occurrence and go up to $1.5 million for all violations of an identical provision during a calendar year. Omnibus Rule
This Rule modified HIPAA Privacy, Security, and Enforcement Rules by implementing a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This requires business associates to be HIPAA compliant. It also requires organizations to execute Business Associate Agreements with each vendor. In general, it expands the obligation of physicians and other healthcare professionals regarding PHI protection.
Breach Notification Rule: this Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI.
It states various rules for notifying the individuals and authorities about the breach. This changes depending on how many patients are affected.
How You Can Build HIPAA Compliance into Your Privacy Program
A PHI breach is serious business.
Small human errors can expose your patients’ critical health information and personal patient records to cybercriminals. Financial loss could be the least of your patients’ problems.
Hackers can cause life-threatening damage by changing medical records resulting in misdiagnoses and incorrect treatment.
The severity of these offenses is exactly why HIPAA exists. And as you can imagine, ensuring compliance is a thorough process.
Here are six best practices for building HIPAA compliance into your privacy program:
1 – Conduct Regular Audits
To find out where your organization stands in terms of its compliance program, you need to set the foundation. That’s where your audits are essential. By performing a series of HIPAA audits internally, you’ll achieve two things:
- Build an understanding of HIPAA regulatory standards that should be in place once your compliance program is complete.
- Identify current gaps in your HIPAA compliance, which will help form remediation plans.
While there isn’t a required number of audits to perform, there are guidelines that can be followed to create them. In the eyes of the law, as long as you identified gaps across all the mandatory standards, you’ve done your due diligence.
But don’t let that fool you. These audits are no easy task.
To perform regular and robust audits, use a HIPAA compliance tracking solution to simplify the audit process. An effective one will include pre-built audits you can easily fill out. Otherwise, you’ll be responsible for formulating audits that directly correspond to each of the HIPAA standards.
2 – Address Gaps with a Remediation Plan
Once you wrap up your HIPAA audits, you’ll have a series of standards to address. These are known as gaps in your HIPAA compliance. To fill those gaps, you need to build out remediation plans for each one.
Your remediation plan should devise actionable, organized methods that outline how you will address each gap in question. Each remediation task must identify the team member responsible for executing the changes. It should have a deadline associated with the assignment too.
3 – Perform Vendor Risk Management
The next crucial part of building a HIPAA compliant privacy program is vendor management. HIPAA defines “business associates” (BAs) as any vendors who will encounter PHI while working with you. Some of the more common BAs include:
- Billing companies
- IT firms
- Third-party HR firms
- Electronic health record platforms
- Cloud service providers
- Physical storage providers
- Shredding services
The goal of vendor management due diligence is to ensure your third-party partners have a robust IT security infrastructure in place. This ensures any PHI data they handle on your behalf is secure. To do this effectively, you need to break your vendor management into three parts:
Run audits that cover each of your vendors’ encryption, backup, and cybersecurity infrastructures. This is another area where a HIPAA compliance solution is helpful. Use software with prebuilt vendor audits that are documented and tracked within the system.
Assess and Select
Once you’ve audited each vendor, it’s time to assess which ones you’ll continue to work with moving forward. Vendors with limited or outdated infrastructures are a risk to your organization. This is especially true in a world of ever-increasing data breaches and regulatory governmental enforcement. Choose the third parties you work with wisely.
Extend BAA Agreements
The next step of an effective HIPAA compliance program is to execute business associate agreements (BAA) with each vendor.
Among other things, it must state:
- permitted and required uses and disclosures of PHI by the BA
- the BA will not use or further disclose PHI other than as required by the BAA or by law
- the BA will implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
- the BA will report any unauthorized use or disclosure of PHI including breaches of unsecured PHI
- the BA will make PHI available for the covered entity to satisfy its obligations under HIPAA (e.g., responding to individual requests for copies of their PHI)
It is best to have an attorney or HIPPA subject matter advise the creation of your BAAs. A compliance solution will also include prebuilt BAAs heavily vetted against HIPAA regulatory requirements, as well.
4 – Implement Policies, Procedures & Training
Create policies and procedures that address all relevant HIPAA regulatory standards. These policies and procedures must be tailored to your organization. Don’t use a generic HIPAA policy manual to address regulations. A HIPAA compliance solution provider will help you craft customized policies much more effectively.
These need to be updated at least annually. As your organization adopts new software and technology that manages PHI, your protocols need to include them.
Next, you need to train your team on each policy and procedure. Remember to document these sessions. Require employees to confirm they received training. It must take place annually and during the onboarding of any new employees.
5 – Document Everything
Documentation is the backbone of your compliance program. Each step of your compliance program needs to be thoroughly tracked along with drafts and changes of documentation over time.
Under HIPAA, your organization is required to save all documentation for at least six years from the date it originated or became effective (whichever is later).
The best practice is to keep all documentation in a centralized location with role-based access. Only employees who absolutely need access to compliance documentation should have it.
In the case of a HIPAA violation, your documentation can demonstrate your organization’s good faith effort toward addressing regulatory requirements. Consider it your paper trail safety net. Lack of documentation could result in harsh penalties under the law.
6 – Establish an Incident Management Plan
Humans mess up, errors happen, and cybersecurity issues can slip through the cracks, regardless of how prepared you are. While there is no way to ensure 100% compliance, you can mitigate the damage if you are prepared.
The HIPAA Breach Notification Rule sets specific standards about how you must respond in the event of a data breach:
- Minor Breach: This is a data breach affecting fewer than 500 patients in a single jurisdiction. Once you discover a minor breach, you have 60 days to notify each person affected. You must also report the breach to the HHS Secretary within 60 days before the one-year mark of the breach discovery. The report must be submitted via the HHS Breach Reporting Portal
- Breach Affecting 500 or More People: When a breach impacts 500 or more people, you are required to notify the affected individuals as well as the HHS Secretary within 60 days. If 500 or more residents of a State or jurisdiction are affected, you are also required to tell prominent media outlets serving the State or jurisdiction about the breach.
You must also provide a means for employees and patients to report breaches anonymously. HIPAA replaces emphasis on anonymity to ensure your employees receive no backlash for doing their due diligence.
Conclusion: Ensure Compliance with Automation
HIPAA fines can cost your organization any from $100-$1.5 million per incident.
And that doesn’t even include the reputational loss you’ll pay after the breach occurs. While it’s impossible to avoid breaches altogether, maintaining HIPAA compliance can certainly protect your organization and mitigate its risk exposure.
The best part is automation which makes HIPAA compliance manageable.
OneTrust Privacy is the world’s leading compliance automation tool. Thousands of organizations use OneTrust to streamline their HIPAA compliance through automated assessments, vendor risk management, and privacy training.