One of the pillars of legal compliance and healthcare cybersecurity is the United States legislation known as the Health Insurance Portability and Accountability Act (HIPAA). It is intended to safeguard the privacy of people's medical information and health records.
On August 21, 1996, President Bill Clinton signed the legislation. To protect private and sensitive patient data, healthcare organizations, including hospitals, insurance providers, and health plan providers, must all adhere to a HIPAA compliance checklist.
Since its enactment, the law has gained widespread recognition, particularly in the wake of numerous health data breaches resulting from cyber attacks and ransomware attacks targeting health insurers and providers in recent years. These attacks have resulted in substantial losses, inflicting billions of dollars in damages on affected companies.
Between 2009 and 2021, 4,419 healthcare data breaches involving 500 or more records took place. These have resulted in millions of healthcare records being lost, stolen, exposed, or improperly disclosed.
HIPAA applies to covered entities, which fall into four main categories: health plans, health care providers, health care clearinghouses, and business associates.
These include individual or group plans that provide or pay the cost of medical care. Health plans may include the following:
These are individuals or entities that electronically transmit health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which the US Department of Health and Human Services (HHS) has established standards under the HIPAA Transactions Rule. Health care providers include, but are not limited to, doctors, psychologists, dentists, clinics, pharmacies, and nursing homes.
Entities that process nonstandard information they receive from another entity into a standard format or data content, or vice versa. Healthcare clearinghouses may include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
A ‘business associate’ is an individual or entity that performs certain functions on behalf of a covered entity that entail the use or disclosure of protected health information (PHI).
HIPAA compliance refers to meeting the rules and regulations outlined in the law, which govern the privacy and security of PHI in the United States. Covered entities and their business associates are required to implement various safeguards and measures to protect PHI.
It takes a combination of internal procedures, the appropriate technology, and deliberate external collaborations to meet all HIPAA regulations. To make sure your company complies with HIPAA rules for the privacy and security of PHI, it is advised to carefully review the HIPAA compliance checklist.
The Privacy Rule defines when and how authorized staff can access PHI. It sets the national standard for the protection of PHI and individually identifiable health information collected or shared by a covered entity or its business associate through any medium.
It also regulates the use and disclosure of PHI. Covered entities may use or disclose an individual's PHI only if the use or disclosure is permitted under the Privacy Rule or the data subject has authorized it in writing.
It is mandatory for covered entities to disclose the PHI of individuals in these two situations:
Covered entities are allowed to use or disclose an individual's PHI without the individual's consent in the following cases:
Under this principle, covered entities must take reasonable measures to use, disclose, or request only the minimum amount of PHI required to fulfill the intended purpose. Therefore, covered entities shall not use, disclose, or request the entire medical record unless the purpose specifically justifies access to the whole record. The following situations are exempted from the minimum necessary principle:
Apart from the above-mentioned requirements, covered entities shall comply with the following obligations:
For internal purposes, covered entities are required to develop policies and procedures that grant their workforce members only the access needed for their specific roles. These policies shall identify the individuals or classes of individuals in the workforce who need access to PHI to carry out their duties.
Covered entities are also required to implement policies and procedures for routine, recurring disclosures or requests for disclosures that limit the disclosure to reasonably necessary information to achieve the intended purpose. On the other hand, for non-routine, non-recurring disclosures or requests for disclosures, the covered entities must undertake an individual review of each disclosure to limit the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
Covered entities shall designate a privacy officer responsible for developing policies and procedures in accordance with the law and a contact person who will be responsible for receiving complaints and providing information to individuals about the privacy practices of an organization.
Covered entities shall train their staff members on the organization’s privacy practices and apply appropriate sanctions against staff members in case of non-compliance.
Covered entities are required to retain, for six years after the date of their creation or last effective date, their privacy policies and procedures, their privacy practices notices, the disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Covered entities are obliged to provide individuals with a privacy notice describing the organization’s privacy policies. The notice shall also contain the organization's policies on the use and disclosure of PHI, and it shall inform individuals of their right to complain to HHS and to the covered entity in case of any violation of their privacy rights.
In case of any inaccurate or incomplete information, the individual has the right to amend that information in the designated record of the covered entity.
The individuals have the right to an accounting of the disclosures of PHI by covered entities or their business associates. The maximum period for disclosure accounting is six years preceding the accounting request.
Individuals have the right to request restrictions on the use or disclosure of their PHI for treatment, payment, or health care operations, or on disclosures that notify family members about the individual's health. However, covered entities are under no obligation to grant the request.
The HIPAA Security Rule establishes national standards to protect the integrity of electronic protected health information (ePHI) and to ensure its confidentiality and availability. The Security Rule consists of technical safeguards, physical safeguards, and administrative safeguards concerning ePHI.
The Security Rule requires the covered entities to perform risk analysis as part of their security management processes, which includes, but is not limited to, the following activities:
Through an ongoing risk analysis process, covered entities must regularly review their records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of the security measures put in place, and regularly reevaluate potential risks to ePHI.
Technical safeguards are the technology used to safeguard ePHI and to control access to the data. The only requirement is that once ePHI leaves an organization's internal firewalled servers, it must be encrypted to National Institute of Standards and Technology (NIST) standards, whether at rest or in transit, so that any compromise of private patient information renders the information useless to the attacker. The technical safeguards under the Security Rule may include:
Physical safeguards concentrate on physical access to ePHI, no matter where it is located. ePHI may be kept on servers housed inside the covered entity's building, in a remote data center, or in the cloud. The physical safeguards also prescribe how workstations and mobile devices should be protected against unauthorized access. The physical safeguards under the Security Rule include:
The Administrative Safeguards are the rules and processes that bring the Privacy and Security Rules together. They are the critical components of a HIPAA compliance checklist.
The HIPAA Breach Notification Rule requires covered entities and their business associates to inform affected persons, the Secretary of HHS, and, in some cases, the media when they incur a breach of PHI. The Breach Notification Rule explicitly mandates:
If a PHI breach is discovered, covered entities are required to notify the affected individuals. The individual notice shall be provided in written form by first-class mail or, alternatively, by email if the affected individual has agreed to receive such notices electronically. It shall be provided immediately and not later than 60 days following the discovery of a breach. The notice shall include the following:
The responsible covered entity is required to notify prominent media outlets serving the state or jurisdiction if it is determined that the breach affected more than 500 residents of that state or jurisdiction. The media notice shall be served within 60 days following the discovery of the breach and shall contain the same details as required for the individual notice.
A PHI breach must be reported to the Secretary of HHS by the covered entity. The Secretary is informed by visiting the HHS website and submitting an electronic breach report form. If a breach affects 500 or more individuals, the covered entity shall inform the Secretary within 60 days following the discovery of the breach. If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary on an annual basis.
If a breach occurs at a business associate, it shall notify the covered entity immediately and not later than 60 days following the discovery of the breach. The business associate shall assist the covered entity in identifying the affected individuals and in gathering the other information that is to be provided in the breach notice.
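As an added example (not code from the page's author or from Securiti), the helper below turns the thresholds and the 60-day outer window stated above into a concrete list of notification obligations for an incident response team; the function and class names are assumptions, and the breach figures in the usage call are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_WINDOW_DAYS = 60       # outer limit stated by the Breach Notification Rule
SECRETARY_THRESHOLD = 500     # "500 or more" individuals -> Secretary within 60 days
MEDIA_THRESHOLD = 500         # "more than 500" residents of one state -> media notice


@dataclass(frozen=True)
class Obligation:
    recipient: str
    deadline: Optional[date]  # None means "record in the annual log to the Secretary"
    basis: str


def breach_obligations(discovered: date, affected_by_state: Dict[str, int],
                       found_by_business_associate: bool = False) -> List[Obligation]:
    """Return who must be notified, by when, for a breach discovered on `discovered`.
    `affected_by_state` maps a state/jurisdiction to the number of its residents affected.
    """
    total = sum(affected_by_state.values())
    deadline = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    obligations: List[Obligation] = []
    if found_by_business_associate:
        # The associate owes notice to the covered entity within the same 60-day window.
        obligations.append(Obligation("covered entity", deadline,
                                      "breach discovered by a business associate"))
    if total > 0:
        obligations.append(Obligation("affected individuals", deadline,
                                      f"{total} individuals affected"))
    for state, count in sorted(affected_by_state.items()):
        if count > MEDIA_THRESHOLD:  # strictly more than 500 residents of one state
            obligations.append(Obligation(f"media ({state})", deadline,
                                          f"{count} residents of {state} affected"))
    if total >= SECRETARY_THRESHOLD:  # 500 or more in total, regardless of state
        obligations.append(Obligation("HHS Secretary", deadline, "500 or more individuals"))
    elif total > 0:
        obligations.append(Obligation("HHS Secretary", None,
                                      "fewer than 500 individuals: annual report"))
    return obligations


if __name__ == "__main__":
    # Constructed sample: exactly 500 residents of one state, found by the covered entity.
    for ob in breach_obligations(date(2024, 1, 10), {"TX": 500}):
        print(f"{ob.recipient:22} by {ob.deadline}  ({ob.basis})")
```

The sample shows the edge case at exactly 500: the Secretary must be told within 60 days, while the media notice is not triggered because no single state exceeds 500 residents.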
The HIPAA Omnibus Rule was created to cover several topics left out by earlier revisions to the HIPAA law. Definitions were changed, policies and procedures were made more transparent, and the HIPAA compliance checklist was expanded to include business associates and their subcontractors. The Omnibus Rule improves HIPAA rules in the following areas:
To be HIPAA compliant with the adoption of the HIPAA Omnibus Rule, covered entities must ensure:
The HIPAA Enforcement Rule sets down the procedures for hearings, the penalties that may be imposed on covered entities or business associates that fail to prevent a breach of PHI, and the investigations that follow a breach.
The HIPAA Privacy & Security Rules place extensive requirements on organizations subject to them. These are covered in extensive detail here & here.
The following checklist can assist your business in ensuring HIPAA compliance.
NIST recommends conducting a regular risk analysis. This includes:
Your organization’s policies and practices must adhere to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Keep records so that you can conduct yearly reviews. Additionally, develop and implement:
Put data protection measures in place to secure data confidentiality, availability, and integrity. Refer to technical safeguards, physical safeguards, and administrative safeguards mentioned earlier.
All staff should receive proper cybersecurity training, and members should be made aware of the significance of HIPAA compliance. This can be done by:
Ensure all business associates abide by HIPAA rules by reviewing their operations and procedures annually.
Even if there is no PHI breach, failure to comply with HIPAA standards can result in significant fines, while breaches can lead to criminal charges and civil lawsuits.
The Office for Civil Rights (OCR) of the Department of Health and Human Services does not regard ignorance of the HIPAA compliance standards as a valid defense against penalties for HIPAA violations. Whether infractions are due to careless negligence or deliberate action, the OCR will impose fines for non-compliance with HIPAA rules.
The HIPAA Security Rule is part of the HIPAA and outlines specific requirements for safeguarding electronic protected health information (ePHI). It establishes standards for protecting the confidentiality, integrity, and availability of ePHI through administrative, physical, and technical safeguards.
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets privacy and security standards for protecting patient health information. HITECH (Health Information Technology for Economic and Clinical Health Act) is an amendment to HIPAA that focuses on promoting the adoption of electronic health records and strengthens HIPAA's enforcement, imposing stricter penalties for violations.
HIPAA consists of three main rules:
HIPAA doesn't directly regulate social media usage. However, healthcare professionals and organizations must be cautious when using social media to ensure they don't share protected health information without authorization, which could lead to HIPAA violations.
Yes, HIPAA requires covered entities and their business associates to provide regular training to employees who handle protected health information. This training is essential to ensure that employees understand their responsibilities in protecting patient privacy and data security.